Build Your Data Practice and Platform

  • Buy Link or Shortcode: {j2store}347|cart{/j2store}
  • member rating overall impact (scale of 10): N/A
  • member rating average dollars saved: N/A
  • member rating average days saved: N/A
  • Parent Category Name: Data Management
  • Parent Category Link: /data-management

The complex nature of data investment leads to de-scoping and delivery of data services that do not meet business needs or give value to the business. Subject matter experts are hired to resolve the problem, but their success is impacted by absent architecture, technology, and organizational alignment.

Our Advice

Critical Insight

Walking through a book of architecture building plans with a personal guide is cheaper and faster than employing an architect to build and design your home.

Impact and Result

Info-Tech's approach provides a proven methodology that includes the following:

  • Business-aligned data initiatives and capabilities that address data challenges and realize business strategic objectives.
  • Comprehensive data practice designed based on the required business and data capabilities.
  • Data platform design based on Info-Tech data architecture reference patterns and prioritized data initiatives and capabilities.

Build Your Data Practice and Platform Research & Tools

Besides the small introduction, subscribers and consulting clients within this management domain have access to:

1. Build Your Data Practice and Platform Storyboard – A step-by-step document that leverages road-tested patterns and frameworks to properly build your data practice and pattern in continuous alignment with the business landscape.

Info-Tech's approach provides a proven methodology that includes following:   

  • Business-aligned data initiatives and capabilities that address data challenges and realize business strategic objectives.
  • Comprehensive data practices designed based on the required business and data capabilities.
    • Build Your Data Practice and Platform Storyboard

    2. Data Practice and Platform Models – Leveraging best-of-breed frameworks to help you build a clear, concise, and compelling data practice and platform.

    Data practice & platform pre-build pattern templates based on Info-Tech data reference patterns and data platform design best practices.

    • Data Practice and Platform Models

    Infographic

    Workshop: Build Your Data Practice and Platform

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish Business Context and Value

    The Purpose

    Establish business context and value.

    Key Benefits Achieved

    Business context and strategic driver.

    Activities

    1.1 Understand/confirm the organization's strategic goals

    1.2 Classify the strategic goals and map to business drivers

    1.3 Identify the business capabilities that the strategy focuses on

    1.4 Identify the business processes realizing the strategy

    Outputs

    Business context and strategic drivers

    Prioritized business capabilities and processes

    Data culture survey results analysis

    2 Identify Your Top Initiatives

    The Purpose

    Identify your top initiatives.

    Key Benefits Achieved

    High-value business-aligned data initiative.

    Activities

    2.1 Highlight data-related outcomes/goals to realize to fulfill the business goal

    2.2 Map business data initiatives to the business strategic goals

    2.3 Prioritize data initiatives

    Outputs

    High-value, business-aligned data initiatives

    3 Analyze Data Challenges

    The Purpose

    Analyze data challenges.

    Key Benefits Achieved

    Clear understanding of the data challenges.

    Activities

    3.1 Map data challenges to Info-Tech data challenges

    3.2 Review Info-Tech data capabilities based on prioritized initiatives

    3.3 Discuss data platform and practice next steps

    Outputs

    List of data challenges preventing data maturation with the organization

    4 Map Data Capability

    The Purpose

    Map data capability.

    Key Benefits Achieved

    Prioritized data capability.

    Activities

    4.1 Map data challenges to Info-Tech data challenges

    4.2 Review Info-Tech data capabilities based on prioritized initiatives

    4.3 Discuss data platform and practice next steps

    Outputs

    Required data capabilities

    Data platform and practice – plan

    Initialized data management RACI 

    Further reading

    Build Your Data Practice and Platform

    Construct a scalable data foundation

    Analyst Perspective

    Build a data practice and platform that delivers value to your organization.

    The build or optimization of your data practice and data platform must be predicated on a thorough understanding of the organization’s goals, objectives, and priorities and the business capabilities and process they are meant to support and enable.

    Formalizing your practice or constructing your platform just for the sake of doing so often results in an initiative that is lengthy, costly, fizzles out, does not deliver business value, and ends up being considered a failure.

    Leverage Info-Tech’s approach and incorporate our pre-built models and patterns to effectively navigate that crucial and often difficult phase upfront of comprehensively defining business data needs so you can ultimately realize faster time-to-delivery of your overall data practice and platform.

    Photo of Rajesh Parab, Director, Research & Advisory, Data & Analytics Practice, Info-Tech Research Group.

    Rajesh Parab
    Director, Research & Advisory, Data & Analytics Practice
    Info-Tech Research Group

    Photo of Crystal Singh, Director, Research & Advisory, Data & Analytics Practice, Info-Tech Research Group.

    Crystal Singh
    Director, Research & Advisory, Data & Analytics Practice
    Info-Tech Research Group

    Attempting to Solve Data Problems?

    Situation
    • Lack of data centric leadership results in downstream issues such as integration, quality, and accessibility.
    • The complex nature of the data and lack of understanding leads to de-scoping delivery of data services that does not meet business needs or add value.
    • Poorly designed practice and siloed platforms result in an initiative that is lengthy, costly, fizzles out, does not deliver business value, and ends up being considered a failure.
    Complication
    • Data problem: When the data problem is diagnosed, the organization adopts a tactical approach.
    • Confirmation bias: Subject matter experts (SME) are hired to resolve the poorly defined problem, but the success of the SME is impacted by lack of architecture, technology, and organizational alignment.
    • Still no value: The selected tactical approach does not provide a solid foundation or solve your data problem.
    • Strategy for sake of strategy: Implementing a strategic approach for the sake of being strategic but this becomes overwhelming.
    • Fall back to tactical and operational: The data services are now potentially exposed and vulnerable, which strains business continuity and increases data debt.
    • Increased complexity and risk: Data silos, poor understanding, and high complexity results in an unmanageable data environment.
    Resolution
    • Requirements: Define and align your data requirement to business.
    • Capabilities: Discover data, identify data capabilities, and map your requirements.
    • Practices: Design and select fit-for-purpose data practices.
    • Platform: Optimize your data platform investments though sound architecture.

    Info-Tech Insight

    The true value of data comes from defining intentional relationships between the business and the data through a well thought out data platform and practice.

    Situation – Perpetual Data Problem

    Diagram of a head with gears around it and speech bubbles with notes titled 'Data Problem'. The surrounding gears, clockwise from bottom left, say 'Accessibility', 'Trust', 'Data Breach', 'Ambiguity', 'Ownership', 'Duplication', 'System Failure', and 'Manual Manipulation'. The speech bubbles notes, clockwise from bottom left, say 'Value-Add: How do I translate business needs to data capabilities?', 'Practice Organization: How do I organize resources and roles assignment challenges?', 'Platform: How do I organize data flows with no conceptual view of the environment?', and 'Break Down Silos: How do I break down silos?'
    I can’t access the data.
    I don’t trust the data in the report.
    It takes too long to get to the data for decision making
    • Lack of data-centric leadership results in downstream issues: integration, quality, accessibility
    • The organization’s data is too complex to manage without a cohesive plan.
    • The complex nature of the data and a lack of understanding leads to de-scoping delivery of data services that does not meet business needs or add value.
    • Poorly designed practice and siloed platforms result in an initiative that is lengthy, costly, fizzles out, does not deliver business value, and ends up being considered a failure.

    Complication – Data Initiative Fizzles Out

    • Data problem: When the data problem is diagnosed the organization adopts a tactical approach.
    • Confirmation bias: Subject matter experts (SME) are hired to resolve the poorly defined problem, but the success of the SME is impacted by lack of architecture, technology, and organizational alignment.
    • Still no value: the selected tactical approach does not provide a solid foundation or solve your data problem.
    • Strategy for sake of strategy: Implementing a strategic approach for sake of being strategic but this becomes overwhelming.
    • Fall back to tactical and operational: The data services are now potentially exposed and vulnerable, which strains business continuity and increases data debt.
    • Increased complexity and risk: Data silos, poor understanding, and high complexity result in an unmanageable data environment.
    Flowchart beginning with 'Data Symptom Exhibited' and 'Data Problem Diagnosed', then splitting into two paths 'Solve Data Problem as a point solution' or 'Attempt Strategic approach without culture, capacity, and business leadership'. Each approach ends with 'Data too complex, and initiative fizzles out...' and cycles back to the beginning.
    Use the road-tested patterns and frameworks in our blueprint to break the perpetual data solution cycle. Focus on the value that a data and analytics platform will bring rather than focusing on the data problems alone.

    Build Your Data Practice and Platform

    Bring Your Data Strategy to Life

    Logo for Info-Tech.
    Logo for #iTRG.
    CONVENTIONAL WISDOM

    Attempting to Solve Your Data Problems

    DATA SYMPTOM EXHIBITED

    Mismatch report, data quality issue, or similar symptom of a data problem.

    DATA PROBLEM DIAGNOSED

    Data expert identifies it as a data problem.

    COMPLEX STRATEGIC APPROACH ATTEMPTED

    Recognized need to attempt it strategically, but don't have capacity or culture to execute.

    Cycle diagram titled 'Data Problems' with numbers connected to surrounding steps, and a break after Step 3 where one can 'BREAK THE CYCLE'. In the middle are a list of data problems: 'Accessibility’, ‘Data Breach', 'Manual Manipulation', 'System Failure', 'Ambiguity', 'Duplication', 'Ownership', and 'Trust'.
    SOLUTION FAILS

    The tactical solution fails to solve the root cause of the data problem, and the data symptoms persist.

    TACTICAL SOLUTION FALLBACK

    A quick and dirty solution is attempted in order to fix the data problem.

    THE COMPLEX APPROACH FIZZLES OUT

    Attempted strategic approach takes too long, fizzles out.

    BREAK THE CYCLE

    Solving Your Data Problems

    1. DEFINE YOUR DATA REQUIREMENTS Incorporate a Business to Data Approach by utilizing Info-Tech's business capability templates for identifying data needs. BUSINESS-ALIGNED DATA REQUIREMENTS
    2. CONDUCT YOUR DATA DISCOVERY Understand the data behind your business problem. Identify the required data capabilities and domains as required by your business processes. RECOMMENDED DATA CAPABILITIES
    3. DESIGN YOUR DATA PRACTICES Build your custom data practices based on the predefined reusable models. CUSTOMIZED DATA PRACTICE
    4. ARCHITECT YOUR DATA PLATFORM Build your custom data platform based on the redefined reusable architecture patterns. CUSTOMIZED DATA PLATFORM
    CONTINUOUS PHASE: ROADMAP, SPONSORSHIP FEEDBACK AND DELIVERY

    Develop a roadmap to establish the practice and implement the architecture as designed. Ensure continuous alignment of the practice and architecture with the business landscape.

    Phase-by-Phase Approach to Build Your Data Practice and Platform

    Flowchart detailing the path to take through the four phases of this blueprint beginning with the 'Inputs' and 'People' involved and incorporating 'Deliverables' along the way. Phase-by-Phase Approach
    • Phase 1: Step 1 – Define Your Data Requirement
    • Phase 1: Step 2 – Conduct Your Data Discovery
    • Phase 2 – Design Your Data Practice
    • Phase 3 – Architect Your Data Platform

    Measure value when building your data practice and platform

    Sample Data Management Metrics

    Lists of data management metrics in different categories.

    • Refine the metrics for the overall Data Management practice and every initiative therein.
    • Refine the metrics at each platform and practice component to show business value against implementation effort.

    Understand and Build Data Culture

    See your Info-Tech Account Representative for more details on our Data Culture Diagnostic

    Only 14.29% of Transportation and Logistics respondents agree BI and Analytics Process and Technology are sufficient What is a diagnostic?

    Our diagnostics are the simplest way to collect the data you need, turn it into actionable insights, and communicate with stakeholders across the organization.

    52.54% of respondents from the healthcare industry are unaware of their organization’s data security policy
    Ask the Right Questions

    Use our low-effort surveys to get the data you need from stakeholders across the organization.

    Use Our Diagnostic Engine

    Our diagnostic engine does all the heavy lifting and analysis, turning your data into usable information.

    Communicate & Take Action

    Wow your executives with the incredible insights you've uncovered. Then, get to action: make IT better.

    On average only 40% agree that they have the reporting when needed


    (Source: Info-Tech’s Data Culture Diagnostic, 53 Organizations, 3138 Responses)

    35% of respondents feel that a governance body is in place looking at strategic data

    Build a Data-Driven Strategy Using Info-Tech Diagnostic Programs

    Make informed IT decisions by starting your diagnostic program today. Your account manager is waiting to help you.
    Sample of Info-Tech's 'Data Culture Scorecard'.

    Use Our Predefined Data and Analytics Patterns to Build Your DnA Landscape

    Walking through a book of architecture building plans with a personal guide is cheaper and faster than employing an architect to build and design your home

    Two books titled 'The Everything Homebuilding Book' and 'Architecture 101'. An open book with a finger pointing to a diagram.

    The first step is to align business strategy with data strategy and then start building your data practice and data platform

    Flowchart starting with business strategy focuses, then to data strategy focuses, and eventually to 'Data Metrics'.

    Insights

    The true value of data comes from defining intentional relationships between the business and the data through a well-thought-out data platform and practice.

    • Phase 1
      • Some organizations are low maturity so using the traditional Capability Maturity Model Integration (CMMI) would not make sense. A great alternative is to leverage existing models and methodologies to get going off the bat.
      • The Data Strategy is an input into the platform and practice. This is considered the Why; Data Practice and Platform is the How.
    • Phase 2
      • Info-Tech’s approach is business-goal driven and it leverages patterns, which enable the implementation of critical and foundational components and subsequently facilitates the evolution and development of the practice over time.
      • Systems should not be designed in isolation. Cross-functional collaboration throughout the design is critical to ensure all types of issues are revealed early. Otherwise, crucial tests are omitted, deployments fail, and end-users are dissatisfied.
    • Phase 3
      • Build your conceptual data architecture based on well-thought-out formulated patterns that align with your organization’s needs and environment.
      • Functional needs often take precedence over quality architecture. Quality must be baked into design, execution, and decision-making practices to ensure the right trade-offs are made.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Info-Tech’s Methodology for Building Your Data Practice and Platform

    Phase 1 –
    Define Your Data Requirements and Conduct Your Data Discovery
    Phase 2 –
    Design Your Data Practices
    Phase 3 –
    Architect Your Data Platform
    Phase Steps
    1. Identify your top initiatives
    2. Map your data initiatives to data capabilities
    1. Understand the practices value statement
    2. Review the Info-Tech practice pattern
    3. Initiate your practice design and setup
    1. Identify your data component
    2. Refine your data platform architecture
    3. Design your data platform
    4. Identify your new components and capabilities
    5. Initiative platform build and rollout
    Phase Outcomes Business-aligned data initiatives and capabilities that address data challenges and realize business strategic objectives Comprehensive data practice design based on the required business and data capabilities Data platform design based on Info-Tech data architecture reference pattern and prioritized data initiatives and capabilities

    Data Platform and Practice Implementation Plan

    Example timeline for data platform and practice implementation plan with 'Fiscal Years' across the top, and below they're broken down into quarters. Along the left side 'Phase 1: Step 1...', 'Phase 1: Step 2...', 'Phase 2...' and 'Phase 3'. Tasks are mapped onto the timeline in each phase with a short explanation.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Info-Tech’s Workshop support for Build Your Data Practice and Platform. 'Build Your Data Practice and Platform' slide from earlier.
    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Workshop 1

    Data Needs and Discovery

    Workshop 2

    Data Practice Design

    Workshop 3

    Data Platform Design

    Workshop 1:
    Data Needs and Discovery

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Day 1 Day 2 Day 3 Day 4
    Establish Business Context and Value
    Identify Your Top Initiatives
    Analyze Data Challenges
    Map Data Capability
    Activities

    1.1 Understand/confirm your organization’s strategic goals

    1.2 Classify the strategic goals and map to business drivers

    1.3 Identify the business capabilities that the strategy focus is on

    1.4 Identify the business processes realizing the strategy

    2.1 Highlight data-related outcomes /goals to realize to fulfill the business goal

    2.2 Map business data initiatives to the business strategic goals

    2.3 Prioritize Data initiatives

    3.1 Understand data management capabilities and framework

    3.2 Classify business data requirements using Info-Tech’s classification approach

    3.3 Highlight data challenges in your current environment

    4.1 Map data challenges to Info-Tech data challenges

    4.2 Review Info-Tech data capabilities based on prioritized initiative

    4.3 Discuss Data Platform and Practice Next Steps

    Deliverables
    • Business context and strategic drivers
    • Prioritized business capabilities and processes
    • Data Culture Survey results analysis
    • High-value business-aligned data initiative
    • List of data challenges preventing data maturation with the organization
    • Required data capabilities
    • Data platform and practice – plan
    • Initialized data management RACI
    Participants Business stakeholder, Business leader Business Subject Matter Expert, Data IT sponsor (CIO), Head of Data, Data Architect Business stakeholder, Business leader Business Subject Matter Expert, Data IT sponsor (CIO), Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect

    Workshop 2:
    Data Practice Design

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Day 1 Day 2 Day 3 Day 4
    Plan Your Data Practices
    Design Your Data Practices 1
    Design Your Data Practices 2
    Design Your Data Practices 3
    Activities

    Prerequisite: Business context, business data requirement, and data capabilities

    1.1 Understand data practice framework

    1.2 Define your practice implementation approach

    1.3 Review and update data management RACI

    2.1 Understand Info-Tech data practice patterns for each prioritized practice

    2.2 Define your practice setup for each prioritized practice

    2.3 Highlight critical processes for each practice

    3.1 Understand Info-Tech data practice patterns for each prioritized practice

    3.2 Define your practice setup for each prioritized practice

    3.3 Highlight critical processes for each practice

    4.1 Understand Info-Tech data practice patterns for each prioritized practice

    4.2 Define your practice setup for each prioritized practice

    4.3 Highlight critical processes for each practice

    4.4 Discuss data platform and practice next steps

    Deliverables
    • Data practice implementation approach
    • Data management RACI
    • Data practice setup pattern for your organization
    • Data practice process pattern for your organization
    • Data practice setup pattern for your organization
    • Data practice process pattern for your organization
    • Data practice setup pattern for your organization
    • Data practice process pattern for your organization
    • Data platform and practice – plan
    Participants Data experts, Business Subject Matter Expert, Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect Data experts, Business Subject Matter Expert, Head of Data, Data Architect

    Workshop 3:
    Data Platform Design

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889
    Day 1Day 2Day 3Day 4
    Data Platform Overview
    Update Data Platform Reference Architecture
    Design Your Data Platform
    Design Your Data Practices 4
    Activities

    Prerequisite: Business context, business data requirement, and data capabilities

    1.1 Understand data platform framework and data capabilities

    1.2 Understand key data architecture principles and best practices

    1.3 Shortlist data platform patterns

    2.1 Map and identify data capabilities to data platform components

    2.2 Build data platform architecture using Info-Tech data platform reference architecture

    2.3 Highlight critical processes for each practice

    3.1 Design your target data platform using Info-Tech’s data platform template

    3.2 Identify new capabilities and components in your platform design

    4.1 Identify new capabilities and component in your platform design

    4.2 Discuss data platform initiatives

    Deliverables
    • Shortlisted data platform patterns
    • Data platform reference architecture for your organization
    • Data platform design for your organization
    • Data platform plan
    ParticipantsData experts, Business Subject Matter Expert, Head of Data, Data ArchitectData experts, Business Subject Matter Expert, Head of Data, Data ArchitectData experts, Business Subject Matter Expert, Head of Data, Data ArchitectData experts, Business Subject Matter Expert, Head of Data, Data Architect

    Build Your Data Practice and Platform

    Phase 1

    Phase 1: Step 1 – Define Your Data Requirements
    Phase 1: Step 2 – Conduct Your Data Discovery

    Phase 1

    1.1 Define Your Data Requirements
    1.2 Conduct Your Data Discovery

    Phase 2 Phase 3

    Phase 1: Step 1 – Define Your Data Requirements will walk you through the following activities:

    • Confirm the organizational strategic goals, business drivers, business capabilities, and processes driving the Data Practice and Platform effort.
    • Identify the data related outcomes, goals, and ideal environment needed to fulfill the business goals.

    This phase involves the following participants:

    A blend of business leaders and business SMEs together with the Data Strategy team.

    Phase 1: Step 2 – Conduct Your Data Discovery will walk you through the following activities:

    • Identify and highlight the data challenges faced in achieving the desired outcome.
    • Map the data challenges to the data capabilities required to realize the desired data outcome.

    This phase involves the following participants:

    Key personnel from IT/Data team: (Data Architect, Data Engineers, Head of Head of Reporting and Analytics)

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

    • Buy Link or Shortcode: {j2store}386|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Secure Cloud & Network Architecture
    • Parent Category Link: /secure-cloud-network-architecture
    • Security remains a large impediment to realizing cloud benefits. Numerous concerns still exist around the ability for data privacy, confidentiality, and integrity to be maintained in a cloud environment.
    • Even if adoption is agreed upon, it becomes hard to evaluate vendors that have strong security offerings and even harder to utilize security controls that are internally deployed in the cloud environment.

    Our Advice

    Critical Insight

    • The cloud can be secure despite unique security threats.
    • Securing a cloud environment is a balancing act of who is responsible for meeting specific security requirements.
    • Most security challenges and concerns can be minimized through our structured process (CAGI) of selecting a trusted cloud security provider (CSP) partner.

    Impact and Result

    • The business is adopting a cloud environment and it must be secured, which includes:
      • Ensuring business data cannot be leaked or stolen.
      • Maintaining privacy of data and other information.
      • Securing the network connection points.
    • Determine your balancing act between yourself and your CSP; through contractual and configuration requirements, determine what security requirements your CSP can meet and cover the rest through internal deployment.
    • This blueprint and associated tools are scalable for all types of organizations within various industry sectors.

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should prioritize security in the cloud, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine your cloud risk profile

    Determine your organization’s rationale for cloud adoption and what that means for your security obligations.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 1: Determine Your Cloud Risk Profile
    • Secure Cloud Usage Policy

    2. Identify your cloud security requirements

    Use the Cloud Security CAGI Tool to perform four unique assessments that will be used to identify secure cloud vendors.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 2: Identify Your Cloud Security Requirements
    • Cloud Security CAGI Tool

    3. Evaluate vendors from a security perspective

    Learn how to assess and communicate with cloud vendors with security in mind.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 3: Evaluate Vendors From a Security Perspective
    • IaaS and PaaS Service Level Agreement Template
    • SaaS Service Level Agreement Template
    • Cloud Security Communication Deck

    4. Implement your secure cloud program

    Turn your security requirements into specific tasks and develop your implementation roadmap.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 4: Implement Your Secure Cloud Program
    • Cloud Security Roadmap Tool

    5. Build a cloud security governance program

    Build the organizational structure of your cloud security governance program.

    • Ensure Cloud Security in IaaS, PaaS, and SaaS Environments – Phase 5: Build a Cloud Security Governance Program
    • Cloud Security Governance Program Template
    [infographic]

    Enterprise Storage Solution Considerations

    • Buy Link or Shortcode: {j2store}507|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Enterprise storage technology and options are challenging to understand.
    • There are so many options. How do you decide what the best solution is for your storage challenge??
    • Where do you start when trying to solve your enterprise storage challenge?

    Our Advice

    Critical Insight

    Take the time to understand the various data storage formats, disk types, and associated technology, as well as the cloud-based and on-premises options. This will help you select the right tool for your needs.

    Impact and Result

    Look to existing use cases based on actual Info-Tech analyst calls to help in your decision-making process.

    Enterprise Storage Solution Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Enterprise Storage Solution Considerations – Narrow your focus with the right product type and realize efficiencies.

    Explore the building blocks of enterprise storage so you can select the best solution, narrow your focus with the correct product type, explore the features that should be considered when evaluating enterprise storage offerings, and examine use cases based on actual Info-Tech analyst calls to find a storage solution for your situation.

    • Enterprise Storage Solution Considerations Storyboard

    2. Modernize Enterprise Storage Workbook – Understand your data requirements.

    The first step in solving your enterprise storage challenge is identifying your data sources, data volumes, and growth rates. This information will give you insight into what data sources could be stored on premises or in the cloud, how much storage you will require for the coming five to ten years, and what to consider when exploring enterprise storage solutions. This tool can be a valuable asset for determining your current storage drivers and future storage needs, structuring a plan for future storage purchases, and determining timelines and total cost of ownership.

    • Modernize Enterprise Storage Workbook
    [infographic]

    Further reading

    Enterprise Storage Solution Considerations

    Narrow your focus with the right product type and realize efficiencies.

    Analyst Perspective

    The vendor landscape is continually evolving, as are the solutions they offer. The options and features are increasing and appealing.

    The image contains a picture of P.J. Ryan.

    To say that the current enterprise storage landscape looks interesting would be an understatement. The solutions offered by vendors continue to grow and evolve. Flash and NVMe are increasing the speed of storage media and reducing latency. Software-defined storage is finding the most efficient use of media to store data where it is best served while managing a variety of vendor storage and older storage area networks and network-attached storage devices.

    Storage as a service is taking on a new meaning with creative solutions that let you keep the storage appliance on premises or in a colocated data center while administration, management, and support are performed by the vendor for a nominal monthly fee.

    We cannot discuss enterprise storage without mentioning the cloud. Bring a thermometer because you must understand the difference between hot, warm, and cold storage when discussing the cloud options. Very hot and very cold may also come into play.

    Storage hardware can assume a higher total cost of ownership with support options that replace the controllers on a regular basis. The options with this type of service are also varied, but the concept of not having to replace all disks and chassis nor go through a data migration is very appealing to many companies.

    The cloud is growing in popularity when it comes to enterprise storage, but on-premises solutions are still in demand, and whether you choose cloud or on premises, you can be guaranteed an array of features and options to add stability, security, and efficiency to your enterprise storage.

    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Info-Tech Insight

    The vendor landscape is continually evolving, as are the solutions they offer.

    Storage providers are getting acquired by bigger players, “outside the box” thinking is disrupting the storage support marketplace, “as a service” storage offerings are evolving, and what is a data lake and do I need one? The traditional storage vendors are not alone in the market, and the solutions they offer are no longer traditional either. Explore the landscape and understand your options before you make any enterprise storage solution purchases.

    Understand the building blocks of storage so you can select the best solution.

    There are multiple storage formats for data, along with multiple hardware form factors and disk types to hold those various data formats. Software plays a significant role in many of these storage solutions, and cloud offerings take advantage of all the various formats, form factors, and disks. The challenge is matching your data type with the correct storage format and solution.

    Look to existing use cases to help in your decision-making process.

    Explore previous experiences from others by reading use cases to determine what the best solution is for your challenge. You’re probably not the first to encounter the challenge you’re facing. Another organization may have previously reached out for assistance and found a viable solution that may be just what you also need.

    Enterprise storage has evolved, with more options than ever

    Data is growing, data security will always be a concern, and vendors are providing more and more options for enterprise storage.

    “By 2025, it’s estimated that 463 exabytes of data will be created each day globally – that’s the equivalent of 212,765,957 DVDs per day!” (Visual Capitalist)

    “Modern criminal groups target not only endpoints and servers, but also central storage systems and their backup infrastructure.” (Continuity Software)

    Cloud or on premises? Maybe a hybrid approach with both cloud and on premises is best for you. Do you want to remove the headaches of storage administration, management, and support with a fully managed storage-as-a-service solution? Would you like to upgrade your controllers every three or four years without a major service interruption? The options are increasing and appealing.

    High-Level Considerations

    1. Understand Your Data

    Understand how much data you have and where it is located. This will be crucial when evaluating enterprise storage solutions.

    2. Plan for Growth

    Your enterprise storage considerations should include your data needs now and in the future.

    3. Understand the Mechanics

    Take the time to understand the various data storage formats, disk types, and associated technology, as well as the cloud-based and on-premises options. This will help you select the right tool for your needs.

    Storage formats, disk drives, and technology

    Common data storage formats, technology, and drive types are outlined below. Understanding how data is stored as well as the core building blocks for larger systems will help you decide which solution is best for your storage needs.

    Format

    What it is

    Disk Drives and Technology

    File Storage

    File storage is hierarchical storage that uses files, folders, subfolders, and directories. You enter a specific filename and path to access the file, such as P:\users\johndoe\strategy\cloud.doc. If you ever saved a file on a server, you used file storage. File storage is usually managed by some type of file manager, such as File Explorer in Windows. Network-attached storage (NAS) devices use file storage.

    Hard Disk Drives (HDD)

    HDD use a platter of spinning disks to magnetically store data. The disks are thick enough to make them rigid and are referred to as hard disks.

    HDD is older technology but is still in demand and offered by vendors.

    Object Storage

    Object storage is when data is broken into distinct units, called objects. These objects are stored in a flat, non-hierarchical structure in a single location or repository. Each object is identified by its associated ID and metadata. Objects are accessed by an application programming interface (API).

    Flash

    Flash storage uses flash memory chips to store data. The flash memory chips are written with electricity and contain no moving parts. Flash storage is very fast, which is how the technology got its name (“Flash vs. SSD Storage,” Enterprise Storage Forum, 2018).

    Block Storage

    Block storage is when data is divided up into fixed-size blocks and stored with a unique identifier. Blocks can be stored in different environments, such as Windows or Linux. Storage area networks (SANs) use block storage.

    Solid-State Drive (SSD)

    SSD is a storage mechanism that also does not use any moving parts. Most SSD drives use flash storage, but other options are available for SSD.

    Nonvolatile Memory Express (NVMe)

    NVMe is a communications standard developed specially for SSDs by a consortium of vendors including Intel, Samsung, SanDisk, Dell, and Seagate. It operates across the PCIe bus (hence the “Express” in the name), which allows the drives to act more like the fast memory that they are rather than the hard disks they imitate (PCWorld).

    Narrow your focus with the right product type

    On-premises enterprise storage solutions fit into a few distinct product types.

    Network-Attached Storage

    Storage Area Network

    Software-Defined Storage

    Hyperconverged Infrastructure

    NAS refers to a storage device that is connected directly to your network. Any user or device with access to your network can access the available storage provided by the NAS. NAS storage is easily scalable and can add data redundancy through RAID technology. NAS uses the file storage format.

    NAS storage may or may not be the first choice in terms of enterprise storage, but it does have a solid market appeal as an on-premises primary backup storage solution.

    A SAN is a dedicated network of pooled storage devices. The dedicated network, separate from the regular network, provides high speed and scalability without concern for the regular network traffic. SANs use block storage format and can be divided into logical units that can be shared between servers or segregated from other servers. SANs can be accessed by multiple servers and systems at the same time. SANs are scalable and offer high availability and redundancy through RAID technology.

    SANs can use a variety of disk types and sizes and are quite common among on-premises storage solutions.

    “Software-defined storage (SDS) is a storage architecture that separates storage software from its hardware. Unlike traditional network-attached storage (NAS) or storage area network (SAN) systems, SDS is generally designed to perform on any industry-standard or x86 system, removing the software’s dependence on proprietary hardware.” (RedHat)

    SDS uses software-based policies and rules to grow and protect storage attached to applications.

    SDS allows you to use server-based storage products to add management, protection, and better usage.

    Hyperconverged storage uses virtualization and software-defined storage to combine the storage, compute, and network resources along with a hypervisor into one appliance.

    Hyperconverged storage can scale out by adding more nodes or appliances, but scaling up, or adding more resources to each appliance, can have limitations. There is flexibility as hyperconverged storage can work with most network and compute manufacturers.

    Cloud storage

    • Cloud storage is online storage offered by a cloud provider. Cloud storage is available almost anywhere and is set up with high availability features such as data duplication, redundancy, backup, and power failure protection.
    • Cloud storage is very scalable and typically is offered as object storage, block storage, or file storage. Cloud storage vendors may have their own naming scheme for object, block, or file storage.
    • Cloud-hosted data is marketed according to the frequency of access and length of time in storage. There are typically three main levels of storage: hot, warm, or cold. Vendors may have their own naming convention for hot, warm, and cold storage. Some may also add more layers such as very hot or very cold.
      • Hot storage is for data that is frequently accessed and modified. It is available on demand and is the most costly of the storage levels.
      • Cold storage is for data that will sit for a long period of time and not need to be accessed. Cold storage is usually only available after several hours or days. Cold storage is very low cost and, in some cases, even free, but retrieval or restoration for the free services can be costly.
      • Warm storage sits in between hot and cold storage. It is for data that is infrequently needed. The cost of warm storage is also in between hot and cold storage costs, and access times are measured in terms of minutes or hours.
      • It is not uncommon for data to start in hot storage and, as it ages, move to warm and eventually cold storage.

    “Enterprise cloud storage offers nearly unlimited scalability. Enterprises can add storage quickly and easily as it is needed, eliminating the risk and cost of over-provisioning.”

    – Spectrum Enterprise

    “Hot data will operate on fresh data. Cold data will operate on less frequent data and [is] used mainly for reporting and planning. Warm data is a balance between the two.”

    – TechBlost

    Enterprise storage features

    The features listed below, while not intended to cover all features offered by all vendors, should be considered and could act as a baseline for discussions with storage providers when evaluating enterprise storage offerings.

    • Scalability
      • What are the options to expand, and how easy or difficult it is to expand capacity in the future?
    • Security
      • Does the solution offer data encryption options as well as ransomware protections?
    • Integration options
      • Can the solution support seamless connectivity with other solutions and applications, such as cloud-based storage or backup software?
    • Storage reduction
      • Does the solution offer space-reduction options such as deduplication or data compression?
    • Replication
      • Does the solution offer replication options such as device to device on premises, device to device when geographically separated, device to cloud, or a combination of these scenarios?
    • Performance
      • “Enterprise storage systems have two main ‘speed’ measurements: throughput and IOPS. Throughput is the data transfer rate to and from storage media, measured in bytes per second; IOPS measures the number of reads and writes – input/output (I/O) operations – per second.” (Computer Weekly)
    • Protocol support
      • Does the solution support object-based, block-based, and file-based storage protocols?
    • Storage Efficiency
      • How efficient is the solution? Can they prove it?
      • Storage efficiencies must be available and baselined.
    • Management platform
      • A management/reporting platform should be a component included in the system.
    • Multi-parity
      • Does the solution offer multi-level block “parity” for RAID 6 protection equivalency, which would allow for the simultaneous failure of two disks?
    • Proactive support
      • Features such as call home, dial in, or remote support must be available on the system.
    • Financial considerations
      • The cost is always a concern, but are there subscription-based or “as-a-service” options?
      • Internally, is it better for this expenditure to be a capital expenditure or an ongoing operating expense?

    What’s new in enterprise storage

    • Data warehouses are not a new concept, but the data storage evolution and growth of data means that data lakes and data lakehouses are growing in popularity.
      • “A data lake is a centralized repository that allows you to store all your structured and unstructured data at any scale. You can store your data as-is, without having to first structure the data” (Amazon Web Services).
      • Analytics with a data lake is possible, but manipulation of the data is hindered due to the nature of the data. A data lakehouse adds data management and analytics to a data lake, similar to the data warehouse functionality added to databases.
    • Options for on-premises hardware support is changing.
      • Pure Storage was the first to shake up the SAN support model with its Evergreen support option. Evergreen//Forever support allows for storage controller upgrades without having to migrate data or replace your disks or chassis (Pure Storage).
      • In response to the Pure Storage Evergreen offering, Dell, HPE, NetApp, and others have come out with similar programs that offer controller upgrades while maintaining the data, disks, and chassis.
    • “As a service” is available as a hybrid solution.
      • Storage as a service (STaaS) originally referred to hosted, fully cloud-based offerings without the need for any on-premises hardware.
      • The latest STaaS offerings provide on-premises or colocated hardware with pay-as-you-go subscription pricing for data consumption. Administration, management, and support are included. The vendor will supply support and manage everything on your behalf.
      • Most of the major storage vendors offer a variation of storage as a service.

    “Because data lakes mostly consist of raw unprocessed data, a data scientist with specialized expertise is typically needed to manipulate and translate the data.”

    – DevIQ

    “A Lakehouse is also a type of centralized data repository, integrated from heterogeneous sources. As can be expected from its name, It shares features with both datawarehouses and data lakes.”

    – Cesare

    “Storage as a service (STaaS) eliminates Capex, simplifies management and offers extensive flexibility.”

    – TechTarget

    Major vendors

    The current vendor landscape for enterprise storage solutions represents a range of industry veterans and the brands they’ve aggregated along the way, as well as some relative newcomers who have come to the forefront within the past ten years.

    Vendors like Dell EMC and HPE are longstanding veterans of storage appliances with established offerings and a back catalogue of acquisitions fueling their growth. Others such as Pure Storage offer creative solutions like all-flash arrays, which are becoming more and more appealing as flash storage becomes more commoditized.

    Cloud-based vendors have become popular options in recent years. Cloud storage provides many options and has attracted many other vendors to provide a cloud option in addition to their on-premises solutions. Some software and hardware vendors also partner with cloud vendors to offer a complete solution that includes storage.

    Info-Tech Insight

    Explore your current vendor’s solutions as a starting point, then use that understanding as a reference point to dive into other players in the market

    Key Players

    • Amazon
    • Cisco
    • Dell EMC
    • Google
    • Hewlett Packard Enterprise
    • Hitachi Vantara
    • IBM
    • Microsoft
    • NetApp
    • Nutanix
    • Pure Storage

    Enterprise Storage Use Cases

    Block, object, or file storage? NAS, SAN, SDS, or HCI? Cloud or on prem? Hot, warm, or cold?
    Which one do you choose?
    The following use cases based on actual Info-Tech analyst calls may help you decide.

    1. Offsite backup solution
    2. Infrastructure consolidation
    3. DR/BCP datacenter duplication
    4. Expansion of existing storage
    5. Complete backup solution
    6. Existing storage solution going out of support soon
    7. Video storage
    8. Classify and offload storage

    Offsite backup solution

    “Offsite” may make you think of geographical separation or even cloud-based storage, but what is the best option and why?

    Use Case: How a manufacturing company dealt with retired applications

    • A leading manufacturing company had to preserve older applications no longer in use.
    • The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies, and although the data they held had been migrated to a replacement solution, executives felt they should hold on to these applications for a period of time, just in case.
    • A modern archiving solution was considered, but a research advisor from Info-Tech Research joined a call with the manufacturing company and helped the client realize that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment.
    • The data could be exported from the legacy application into a nonsequential database, compressed, and stored in cloud-based cold storage for less than $5 per terabyte per month. The manufacturing company staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.
    • Cold storage is inexpensive until you start retrieving that data frequently. The manufacturing company knew they did not have a requirement to retrieve the application and data for a very long time, so cloud-based cold storage was ideal.

    “Data retrieval from cold storage is harder and slower than it is from hot storage. … Because of the longer retrieval time, online cold storage plans are often much cheaper. … The downside is that you’d incur additional costs when retrieving the data.”

    – Ben Stockton, Cloudwards

    Infrastructure consolidation

    Hyperconverged infrastructure combines storage, virtual infrastructure, and associated management into one piece of equipment.

    Use Case: How one company dealt with equipment and storage needs

    • One Info-Tech client had recently started in the role of IT director and realized he had inherited aging infrastructure along with a serious data challenge. The storage appliances were old and out of support. The appliances were performing inadequately, and the client was in need of more data due to ongoing growth, but he also realized that the virtual environment was running on very old servers that were no longer supported. The IT director reached out to Info-Tech to find solutions to the virtualization challenge, but the storage problem also came up throughout the course of the conversation with an analyst.
    • The analyst quickly realized that the IT director was an ideal candidate for a hyperconverged infrastructure (HCI) storage solution, which would also provide the necessary virtual environment.
    • The analyst explained the benefits of having a single appliance that would provide virtualization needs as well as storage needs. The built-in management features would ease the burden of administration, and the software-defined nature of the HCI would allow for the migration of data as well as future expansion options.
    • Hyperconverged infrastructure is offered by many vendors under a variety of names. Most are similar but some may have a better interface or other features. The expansion process is simple, and HCI is a good fit for many organizations looking to consolidate virtual infrastructure and storage.

    “HCI environments use a hypervisor, usually running on a server that uses direct-attached storage (DAS), to create a data center pool of systems and resources.”

    – Samuel Greengard, Datamation

    Datacenter duplication

    SAN providers offer a varied range of options for their products, and those options are constantly evolving.

    Use Case: Independent school district provides better data access using SAN technology

    • An independent school district was expanding by adding a second data center in a new school. This new data center would be approximately 20 miles away from the original data center used by the district. The intent was not to replace the original data center but to use both centers to store data and provide services concurrently. The district’s ideal scenario would be that users would not know or care which data center they were reaching, and there would be no difference in the service received from each data center. The school district reached out to Info-Tech when planning discussions reached the topic of data duplication and replication software.
    • An Info-Tech analyst joined a call with the school district and guided the conversation toward the existing environment to understand what options might be available. The analyst quickly discovered that all the district’s servers were virtual, and all associated data was stored on a single SAN.
    • The analyst informed the school district staff about SAN options, including SAN-to-SAN replication. If the school district had a sufficient link between the two data centers, SAN-to-SAN replication would work for them and provide the two identical copies of data at two locations.
    • The analyst continued to offer explanations of other features that some vendors offer with their SANs, such as the ability to turn on or off deduplication and compression, as well as disk options such as flash or NVMe.
    • The school district was moving to the request for proposal (RFP) stage but hoped to have SAN-to-SAN replication implemented before the next academic year started.

    “SAN-to-SAN replication is a low-cost, highly efficient way to manage mounting quantities of stored data.”

    – Secure Infrastructure & Services

    Expansion of existing storage

    That old storage area network may still have some useful life left in it.

    Use Case: Municipality solves data storage aging and growth challenge

    • A municipality in the United States reached out to Info-Tech for guidance on its storage challenge. The municipality had accumulated multiple SANs from different vendors over the years. These SANs were running out of storage, and more data storage was needed. The municipality’s data was growing at a rapid pace, thanks to municipal growth and expansion of services. The IT team was also concerned with modernizing their storage and not hindering their long-term growth by making the wrong purchase decision for their current storage needs.
    • An analyst from Info-Tech discussed several options with the municipality but in the end advised that software-defined storage may be the best solution.
    • Software-defined storage (SDS) would allow the municipality to gain better visibility into existing storage while making more efficient use of existing and new storage. SDS could take over the management of the existing storage from multiple vendors and add additional storage as required. SDS would also be able to integrate cloud-based storage if that was the direction taken by the municipality in the future.
    • The municipality moved forward with an SDS solution and added some additional storage capacity. They used some of their existing SANs but retired the more troublesome ones. The SDS system managed all the storage instances and data management. The administration of the storage environment was easier for the storage admins, and long-term savings were achieved through better storage management.

    “Often enterprises have added storage on an ad hoc basis as they needed it for various applications. That can result in a mishmash of heterogenous storage hardware from a wide variety of vendors. SDS offers the ability to unify management of these different storage devices, allowing IT to be more efficient.”

    – Cynthia Harvey, Enterprise Storage Forum (“What Is Software Defined Storage?”, 2018)

    Complete backup solution

    Many backup software solutions can provide backups to multiple locations, making two-location backups simple.

    Use Case: How an oil refinery modernized its backup solution

    • A large oil refinery needed a better solution for the storage of backups. The refinery was replacing its backup software solution but also wanted to improve the backup storage situation and move away from tape-based storage. All other infrastructure was reasonably modern and not in need of replacement at this time.
    • A research analyst from Info-Tech helped the client realize that the solution was a modified backup. The general guidance for backups is have a least one copy offsite, so the cloud was the obvious focal point. The analyst also explained that it would be beneficial to have a recent copy of the backup available on site for common restoration requests in addition to having the offsite copy for disaster recovery (DR) purposes.
    • The refinery staff conducted a data analysis to determine how much data was being backed up on a daily basis. The solution proposed by the analyst included network-attached storage (NAS) with adequate storage to hold 30 days' worth of on-premises data. The backup software would also simultaneously copy each backup to a cloud-based storage repository. The backup software was smart enough to only back up and transfer data that had changed since the previous backup, so transfer time and capacity was not a factor.
    • The NAS would allow for the restoration of any local, on-premises data while the cloud storage would provide a safe location offsite for backup data. It could also serve as the backup location for other cloud-based services that required a backup.

    “Data protection demands that enterprises have multiple methods of keeping data safe and replicating it in case of disaster or loss.”

    – Drew Robb, Enterprise Storage Forum, 2021

    Storage going out of support

    SAN solutions have come a long way with improvements in how data is stored and what is used to store the data.

    Use Case: How one organization replaced its old storage with a similar solution

    • A government organization was looking for a solution for its aging storage area network appliances. The SANs were old and would be no longer supported by the manufacturer within four months. The SANs had slower spinning disks and their individual capacity was at its limit through the addition of extra shelves and disks over the years.
    • The organization reached out to Info-Tech for guidance. An analyst arranged a call with them, and they discussed the storage situation in detail, including desired benefits from a storage solution and growth requirements. They also discussed cloud storage, but the government organization was not in a position to move its data to the cloud for a variety of reasons.
    • Although the individual SANs were at their storage capacity limit, the total amount of data was well within the limits of many modern on-premises storage solutions. SSD and flash or NVMe storage can store large amounts of data in small footprints and form factors.
    • The analyst reviewed several vendors with the client and discussed some advantages and disadvantages of each. They explored the features offered as well as scalability options.
    • SANs have been around for a long time but the features and capabilities that come with them has evolved. They are still a very viable solution for many organizations in a variety of scenarios.

    “A rapidly growing portion of SAN deployments leverages all-flash storage to gain its high performance, consistent low latency, and lower total cost when compared to spinning disk.”

    – NetApp

    Video storage

    Cloud storage would not be sufficient if you were using a dial up connection, just as on-premises storage solutions would not suffice if they were using floppy disks.

    Use Case: Body cams and public cameras in municipalities are driving storage growth

    • Municipal law enforcement agencies are wearing body cameras more frequently, for their own protection as well as for the protection of the public. Camera footage can be useful in legal situations as well. Municipalities are also installing more and more public cameras for the purposes of public safety. The recorded video footage from these cameras can result in large data files, which in turn drive data storage requirements.
    • Info-Tech analysts are joining calls about video data storage with increasing frequency. The concerns are repetitive, and the guidance is similar on most of these calls.
    • The “object” storage format is ideal for video and media data. Most cloud-based storage solutions use object storage, but it is also available with on-premises solutions such as NAS or SAN. The challenges clients are expressing are typically related to inadequate bandwidth for cloud-based storage or other storage formats instead of “object” storage. Cloud-based storage can also grow beyond the budgeted numbers, causing an increase in the monthly cloud cost. Older, slower on-premises hardware sometimes reveals itself as the latency culprit.
    • Object storage is well suited for the unstructured data that is video footage. It uses metadata to tag the video file for future retrieval and is easily expandable, which also makes it cost effective.
    • Video data stored in a cloud-based repository will work fine as long as the bandwidth is adequate. On-premises storage of video data is also quite adequate on the right storage format, with fast disks and a reasonably up-to-date network infrastructure.

    “The captured video is stored for days, weeks, months and sometimes years and consumes a lot of space. Data storage plays a new and important role in these systems. Object storage is ideal to store the video data.”

    – Object-Storage.Info

    Classify and offload primary storage

    Some software products have storage options available as a result of agreements with other storage vendors. Several backup and archive software products fall into this category.

    Use Case: Enterprise storage can help reduce data sprawl

    • A large engineering firm was trying to manage its data sprawl. The team sampled a small percentage of their data and quickly realized that when they applied their findings on the 1% of data to their entire data estate, the sheer volume of personal files, older files, and unclassified data was going to be a challenge.
    • They found a solution in archiving software. The archiving software would tag data based on several factors. The software would move older files away from primary storage to an alternate storage platform but still leave a stub of the moved file in place and maintain limited access to those files. This would reduce primary storage requirements and allow the firm to eliminate multiple file servers
    • The engineering firm reached out to Info-Tech and participated in an analyst call. During that call, they laid out their plans, and the analyst made them aware of cloud storage. The positive and negative aspects of cloud storage were discussed, and the firm fully understood that the colder the storage tier, the slower the recovery. The firm's stance was if the files had not been accessed in the past six months, waiting a day or two for retrieval would not be a concern, and the firm was content with cold storage in the cloud.
    • The firm had not purchased the archiving software at the time of the analyst call, and the analyst also explained to them that the archiving software may have an existing agreement with a cloud provider for storage options, which could be more cost effective than purchasing cloud storage separately.
    • Cold cloud-based storage was the preferred solution for this firm, but this use case also highlights the option that some software products carry regarding storage. Several backup and archive products have a cloud storage option that should be investigated, as they may be cost-effective options.

    “Cold storage is perfect for archiving your data. Online backup providers offer low-cost, off-site data backups at the expense of fast speeds and easy access, even though data retrieval often comes at an added cost. If you need to keep your data long-term, but don’t need to access it often, this is the kind of storage you need.”

    – Ben Stockton, Cloudwards

    Understand your data requirements

    Activity

    The first step in solving your enterprise storage challenge is identifying your data sources or drivers, data volume size, and growth rates. This information will give you insight into what data sources could be stored on premises or in the cloud, how much storage you will require for the coming five to ten years, and what to consider when exploring enterprise storage solutions.

    • Info-Tech’s Modernize Enterprise Storage Workbook can be a valuable asset for determining your current storage drivers and future storage needs, structuring a plan for future storage purchases, and determining timelines and total cost of ownership.
    • An example of the Storage Capacity Calculator tab from that workbook is displayed on the right. Using the Storage Capacity Requirements Calculator requires minimal steps.
    1. Enter the current date and planning timeline (horizon) in months
    2. Identify the top sources of data within the business – the current data drivers. Areas of focus could include business applications, file shares, backup, and archives.
    3. For each of these data drivers, include your best estimate of:
    • Current data volume
    • Growth rate
  • Identify the top future data drivers, such as new applications or initiatives that will result from current business plans and priorities, and record the following details:
    • Initial data volumes
    • Projected growth rates
    • Planned implementation date
  • The spreadsheet will automatically calculate the data volume at the planning horizon based on the growth rate.
  • Download the Modernize Enterprise Storage Workbook and take the first step toward understanding your data requirements.

    The image contains a screenshot of the Modernize Enterprise Storage Workbook.

    Download the Modernize Enterprise Storage Workbook

    Related Info-Tech Research

    Modernize Enterprise Storage

    Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.

    Modernize Enterprise Storage Workbook

    This workbook will complement the discussions and activities found in the Modernize Enterprise Storage blueprint. Use this workbook in conjunction with the blueprint to develop a strategy for storage modernization.

    Bibliography

    Bakkianathan, Raghunathan. “What is the difference between Hot Warm and Cold data storage?” TechBlost, n.d.. Accessed 14 July 2022.
    Cesare. “Data warehouse vs Data lake vs Lakehouse… and DeltaLake?“ Medium, 14 June 2021. Accessed 26 July 2022.
    Davison, Shawn and Ryan Sappenfield. “Data Lake Vs Lakehouse Vs Data Mesh: The Evolution of Data Transformation.” DevIQ, May 2022. Accessed 23 July 2022.
    Desjardins, Jeff. “Infographic: How Much Data is Generated Each Day?” Visual Capitalist, 15 April 2019. Accessed 26 July 2022.
    Greengard, Samuel. “Top 10 Hyperconverged Infrastructure (HCI) Solutions.” Datamation, 22 December 2020. Accessed 23 July 2022.
    Harvey, Cynthia. “Flash vs. SSD Storage: Is there a Difference?” Enterprise Storage Forum, 10 July 2018. Accessed 23 July 2022.
    Harvey, Cynthia. “What Is Software Defined Storage? Features & Benefits.” Enterprise Storage Forum, 22 February 2018. Accessed 23 July 2022.
    Hecht, Gil. “4 Predictions for storage and backup security in 2022.” Continuity Software, 09 January 2022. Accessed 22 July 2022.
    Jacobi, Jonl. “NVMe SSDs: Everything you need to know about this insanely fast storage.” PCWorld, 10 March 2019. Accessed 22 July 2022
    Pritchard, Stephen. “Briefing: Cloud storage performance metrics.” Computer Weekly, 16 July 2021. Accessed 23 July 2022
    Robb, Drew. “Best Enterprise Backup Software & Solutions 2022.” Enterprise Storage Forum, 09 April 2021. Accessed 23 July 2022.
    Sheldon, Robert. “On-premises STaaS shifts storage buying to Opex model.” TechTarget, 10 August 2020. Accessed 22 July 2022.
    “Simplify Your Storage Ownership, Forever.” PureStorage. Accessed 20 July 2022.
    Stockton, Ben. “Hot Storage vs Cold Storage in 2022: Instant Access vs Long-Term Archives.” Cloudwards, 29 September 2021. Accessed 22 July 2022.
    “The Cost Savings of SAN-to-SAN Replication.” Secure Infrastructure and Services, 31 March 2016. Accessed 16 July 2022.
    “Video Surveillance.” Object-Storage.Info, 18 December 2019. Accessed 25 July 2022.
    “What is a Data Lake?” Amazon Web Services, n.d. Accessed 17 July 2022.
    “What is enterprise cloud storage?” Spectrum Enterprise, n.d. Accessed 28 July 2022.
    “What is SAN (Storage Area Network).” NetApp, n.d. Accessed 25 July 2022.
    “What is software-defined storage?” RedHat, 08 March 2018. Accessed 16 July 2022.

    Build, Optimize, and Present a Risk-Based Security Budget

    • Buy Link or Shortcode: {j2store}371|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Year after year, CISOs need to develop a comprehensive security budget that is able to mitigate against threats.
    • This budget will have to be defended against many other stakeholders to ensure there is proper funding.
    • Security budgets are unlike other departmental budgets. Increases or decreases in the budget can drastically affect the organizational risk level.
    • CISOs struggle with the ability to assess the effectiveness of their security controls and where to allocate money.

    Our Advice

    Critical Insight

    • CISOs can demonstrate the value of security when they correlate mitigations to business operations and attribute future budgetary needs to business evolution.
    • To identify the critical areas and issues that must be reflected in your security budget, develop a comprehensive corporate risk analysis and mitigation effectiveness model, which will illustrate where the moving targets are in your security posture.

    Impact and Result

    • Info-Tech’s methodology moves you away from the traditional budgeting approach to building a budget that is designed to be as dynamic as the business growth model.
    • Collect your organization's requirements and build different budget options to describe how increases and decreases can affect the risk level.
    • Discuss the different budgets with the business to determine what level of funding is needed for the desired level of security.
    • Gain approval of your budget early by preshopping and presenting the budget to individual stakeholders prior to the final budget approval process.

    Build, Optimize, and Present a Risk-Based Security Budget Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build, optimize, and present a risk-based security budget, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Review requirements for the budget

    Collect and review the required information for your security budget.

    • Build, Optimize, and Present a Risk-Based Security Budget – Phase 1: Review Requirements for the Budget

    2. Build the budget

    Take your requirements and build a risk-based security budget.

    • Build, Optimize, and Present a Risk-Based Security Budget – Phase 2: Build the Budget
    • Security Budgeting Tool

    3. Present the budget

    Gain approval from business stakeholders by presenting the budget.

    • Build, Optimize, and Present a Risk-Based Security Budget – Phase 3: Present the Budget
    • Preshopping Security Budget Presentation Template
    • Final Security Budget Presentation Template
    [infographic]

    Workshop: Build, Optimize, and Present a Risk-Based Security Budget

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Review Requirements for the Budget

    The Purpose

    Understand your organization’s security requirements.

    Collect and review the requirements.

    Key Benefits Achieved

    Requirements are gathered and understood, and they will provide priorities for the security budget.

    Activities

    1.1 Define the scope and boundaries of the security budget.

    1.2 Review the security strategy.

    1.3 Review other requirements as needed, such as the mitigation effectiveness assessment or risk tolerance level.

    Outputs

    Defined scope and boundaries of the security budget

    2 Build the Budget

    The Purpose

    Map business capabilities to security controls.

    Create a budget that represents how risk can affect the organization.

    Key Benefits Achieved

    Finalized security budget that presents three different options to account for risk and mitigations.

    Activities

    2.1 Identify major business capabilities.

    2.2 Map capabilities to IT systems and security controls.

    2.3 Categorize security controls by bare minimum, standard practice, and ideal.

    2.4 Input all security controls.

    2.5 Input all other expenses related to security.

    2.6 Review the different budget options.

    2.7 Optimize the budget through defense-in-depth options.

    2.8 Finalize the budget.

    Outputs

    Identified major business capabilities, mapped to the IT systems and controls

    Completed security budget providing three different options based on risk associated

    Optimized security budget

    3 Present the Budget

    The Purpose

    Prepare a presentation to speak with stakeholders early and build support prior to budget approvals.

    Present a pilot presentation and incorporate any feedback.

    Prepare for the final budget presentation.

    Key Benefits Achieved

    Final presentations in which to present the completed budget and gain stakeholder feedback.

    Activities

    3.1 Begin developing a communication strategy.

    3.2 Build the preshopping report.

    3.3 Practice the presentation.

    3.4 Conduct preshopping discussions with stakeholders.

    3.5 Collect initial feedback and incorporate into the budget.

    3.6 Prepare for the final budget presentation.

    Outputs

    Preshopping Report

    Final Budget Presentation

    Cut Cost Through Effective IT Category Planning

    • Buy Link or Shortcode: {j2store}213|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • IT departments typically approach sourcing a new vendor or negotiating a contract renewal as an ad hoc event.
    • There is a lack of understanding on how category planning governance can save money.
    • IT vendor “go to market” or sourcing activities are typically not planned and are a reaction to internal client demands or vendor contract expiration.

    Our Advice

    Critical Insight

    • Lack of knowledge of the benefits and features of category management, including the perception that the sourcing process takes too long, are two of the most common challenges that prevent IT from category planning.
    • Other challenges include the traditional view of contract renegotiation and vendor acquisition as a transactional event vs. an ongoing strategic process.
    • Finally, allocating resources and time to collect the data, vendor information, and marketing analysis prevents us from creating category plans.

    Impact and Result

    • An IT category plan establishes a consistent and proactive methodology or process to sourcing activities such as request for information (RFI), request for proposals, (RFPs), and direct negotiations with a specific vendor or“targeted negotiations” such as renewals.
    • The goal of an IT category plan is to leverage a strategic approach to vendor selection while identify cost optimizing opportunities that are aligned with IT strategy and budget objectives.

    Cut Cost Through Effective IT Category Planning Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should create an IT category plan to reduce your IT cost, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create an IT category plan

    Use our three-step approach of Organize, Design, and Execute an IT Category Plan to get the most out of your IT budget while proactively planning your vendor negotiations.

    • IT Category Plan
    • IT Category Plan Metrics
    • IT Category Plan Review Presentation
    [infographic]

    The Accessibility Business Case for IT

    • Buy Link or Shortcode: {j2store}519|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Laws requiring digital accessibility are changing and differ by location.
    • You need to make sure your digital assets, products, and services (internal and external) are accessible to everyone, but getting buy-in is difficult.
    • You may not know where your gaps in understanding are because conventional thinking is driven by compliance and risk mitigation.

    Our Advice

    Critical Insight

    • The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.
    • Implementing accessibility feels counterintuitive to IT departments. IT always wants to optimize and move forward, but with accessibility you may stay at one level for what feels like an uncomfortably long period. Don’t worry; building consistency and shifting culture takes time.
    • Accessibility goes beyond compliance, which should be an outcome, not the objective. With 1 billion people worldwide with some form of disability, nearly everyone likely has a connection to disability, whether it be in themselves, family, or colleagues. The market of people with disabilities has a spending power of more than $6 trillion (WAI, 2018).

    Impact and Result

    • Take away the overwhelm that many feel when they hear “accessibility” and make the steps for your organization approachable.
    • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

    The Accessibility Business Case for IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. The Accessibility Business Case for IT – Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.

    A step-by-step approach to walk you through understanding your current state related to accessibility maturity, identifying your desired future state, and building your business case to seek buy-in. This storyboard will help you figure out what’s right for your organization and build the accessibility business case for IT.

    • The Accessibility Business Case for IT – Phases 1-3

    2. Accessibility Business Case Template – A clear, concise, and compelling business case template to communicate the criticality of accessibility.

    The business case for accessibility is strong. Use this template to communicate to senior leaders the benefits, challenges, and risks of inaction.

    • Accessibility Business Case Template

    3. Accessibility Maturity Assessment – A structured tool to help you identify your current accessibility maturity level and identify opportunities to ensure progress.

    This tool uses a capability maturity model framework to evaluate your current state of accessibility. Maturity level is assessed on three interconnected aspects (people, process, and technology) across six dimensions proven to impact accessibility. Complete the assessment to get recommendations based on where you’re at.

    • Accessibility Maturity Assessment

    Infographic

    Further reading

    The Accessibility Business Case for IT

    Accessibility goes beyond compliance

    Analyst Perspective

    Avoid tech debt related to accessibility barriers

    Accessibility is important for individuals, businesses, and society. Diverse populations need diverse access, and it’s essential to provide access and opportunity to everyone, including people with diverse abilities. In fact, access to information and communications technologies (ICT) is a basic human right according to the United Nations.

    The benefits of ICT accessibility go beyond compliance. Many innovations that we use in everyday life, such as voice activation, began as accessibility initiatives and ended up creating a better lived experience for everyone. Accessibility can improve user experience and satisfaction, and it can enhance your brand, drive innovation, and extend your market reach (WAI, 2022).

    Although your organization might be required by law to ensure accessibility, understanding your users’ needs and incorporating them into your processes early will determine success beyond just compliance.

    Heather Leier-Murray, Senior Research Analyst, People and Leadership

    Heather Leier-Murray
    Senior Research Analyst, People and Leadership
    Info-Tech Research Group

    Executive Summary

    Your Challenge Common Obstacles Info-Tech’s Approach

    Global IT and business leaders are challenged to make digital products and services accessible because inaccessibility comes with increasing risk to brand reputation, legal ramifications, and constrained market reach.

    • Laws requiring digital accessibility are changing and differ by location.
    • You need to make sure your digital assets, products, and services (internal and external) are accessible to everyone.
    • The cost of inaction is rising.

    Understanding where to start, where accessibility lives, and if or when you’re done can be overwhelmingly difficult.

    • Executive leadership buy-in is difficult to get.
    • Conventional thinking is driven by compliance and risk mitigation.
    • You don’t know where your gaps in understanding are.

    Conventional approaches to accessibility often fail because users are expected to do the hard work. You have to be doing 80% of the hard work.1

    Use Info-Tech’s research and resources to do what’s right for your organization. This framework takes away the overwhelm that many feel when they hear “accessibility” and makes the steps for your organization approachable.

    • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

    1. Harvard Business Review, 2021

    Info-Tech Insight
    The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Build a business case for accessibility.
    • Ensure that digital assets, products, and services are accessible to everyone, internally and externally.
    • Support staff and build skills to support the organization with accessibility and accommodation.
    • Get assistance figuring out where to start on the road to accessibility compliance and beyond.

    The cost of inaction related to accessibility is rising. Preparing for accessibility earlier helps prevent tech debt; the longer you wait to address your accessibility obligations, the more costly it gets.

    More than 3,500 digital accessibility lawsuits were filed in the US in 2020, up more than 50% from 2018.

    Source: UsableNet. Inc.

    Common obstacles

    These barriers make accessibility difficult to address for many organizations:

    • You don’t know where your gaps in understanding are. Recognizing the importance of accessibility and how it fits into the bigger picture is key to developing buy-in.
    • Too often organizations focus on mitigating risk by being compliance driven. Shifting focus to the user experience, internally and externally, will realize better results.
    • Conventional approaches to accessibility often fail because the expectation is for users to do the hard work. One in five people have a permanent disability, but it’s likely everyone will be faced with some sort of disability at some point in their lives.1 Your organization has to be doing at least 80% of the hard work.2
    • Other types of compliance reside clearly with one area of the organization. Accessibility, however, has many homes: IT, user experience (UX), customer experience (CX), and even HR.

    1. Smashing Magazine

    2. Harvard Business Review, 2021

    90% of companies claim to prioritize diversity.

    Source: Harvard Business Review, 2020

    Only 4% of those that claim to prioritize diversity consider disability in those initiatives.

    Source: Harvard Business Review, 2020

    The four principles of accessibility

    WCAG (Web Content Accessibility Guidelines) identifies four principles of accessibility. WCAG is the most referenced standard in website accessibility lawsuits.

    The four principles of accessibility

    Source: eSSENTIAL Accessibility, 2022

    Why organizations address accessibility

    Top three reasons:

    61% 62% 78%
    To comply with laws To provide the best UX To include people with disabilities

    Source: Level Access

    Still, most businesses aren’t meeting compliance standards. Even though legislation has been in place for over 30 years, a 2022 study by WebAIM of 1,000,000 homepages returned a 96.8% WCAG 2.0 failure rate.

    Source: Institute for Disability Research, Policy, and Practice

    How organizations prioritize digital accessibility

    43% rated it as a top priority.

    36% rated it as important.

    Fewer than 5% rated as either low priority or not even on the radar.

    More than 65% agreed or strongly agreed it’s a higher priority than last year.

    Source: Angel Business Communications

    Organizations expect consumers to do more online

    The pandemic led to many businesses going digital and more people doing things online.

    Chart of activities performed more often compared to before COVID-19

    Chart of activities performed for the first time during COVID-19

    Source: Statistics Canada

    Disability is part of being human

    Merriam-Webster defines disability as a “physical, mental, cognitive, or developmental condition that impairs, interferes with, or limits a person’s ability to engage in certain tasks or actions or participate in typical daily activities and interactions.”1

    The World Health Organization (WHO) points out that a crucial part of the definition of disability is that it’s not just a health problem, but the environment impacts the experience and extent of disability. Inaccessibility creates barriers for full participation in society.2

    The likelihood of you experiencing a disability at some point in your life is very high, whether a physical or mental disability, seen or unseen, temporary or permanent, severe or mild.2

    Many people acquire disabilities as they age yet may not identify as “a person with a disability.”3 Where life expectancies are over 70 years of age, 11.5% of life is spent living with a disability. 4

    “Extreme personalization is becoming the primary difference in business success, and everyone wants to be a stakeholder in a company that provides processes, products, and services to employees and customers with equitable, person-centered experiences and allows for full participation where no one is left out.”
    – Paudie Healy, CEO, Universal Access

    1. Merriam-Webster
    2. World Health Organization
    3. Digital Leaders, as cited in WAI, 2018
    4. Disabled World, as cited in WAI, 2018

    Untapped talent resource

    Common myths about people with disabilities:

    • They can’t work.
    • They need more time off or are absent more often.
    • Only basic, unskilled work is appropriate for them.
    • Their productivity is lower than that of coworkers.
    • They cost more to recruit, train, and employ.
    • They decrease others’ productivity.
    • They’re not eligible for governmental financial incentives (e.g. apprentices).
    • They don’t fit in.

    These assumptions prevent organizations from hiring valuable people into the workforce and retaining them.

    Source: Forbes

    50% to 70% of people with disabilities are unemployed in industrialized countries. In the US alone, 61 million adults have a disability.

    Source: United Nations, as cited in Forbes

    Thought Model

    Info-Tech’s methodology for the accessibility business case for IT

    1. Understand Current State 2. Plan for Buy-in 3. Prepare Your Business Case
    Phase Steps
    1. Understand standards and legislation
    2. Build awareness
    3. Understand current accessibility maturity level Define desired future state
    1. Define desired future state
    2. Define goals and objectives
    3. Document roles and responsibilities
    1. Customize and populate the Accessibility Business Case Template and gain approval
    2. Validate post-approval steps and establish timelines
    Phase Outcomes
    • Accessibility maturity assessment
    • Accessibility drivers determined
    • Goals defined
    • Objectives identified
    • Roles and responsibilities documented
    • Business case drafted
    • Approval to move forward with implementing your accessibility program
    • Next steps and timelines

    Insight Summary

    Insight 1 The longer you put off accessibility, the more tech debt you accumulate and the more you risk losing access to new and existing markets. The longer you wait to adopt standards and best practices, the more interest you’ll accumulate on accessibility barriers and costs for remediation.
    Insight 2 Implementing accessibility feels counterintuitive to IT departments. IT always wants to optimize and move forward, but with accessibility you may stay at one level for what feels like an uncomfortably long period. Don’t worry; building consistency and shifting culture takes time.
    Insight 3 Accessibility goes beyond compliance, which should be an outcome, not the objective. With 1 billion people worldwide with some form of disability, nearly everyone likely has a connection to disability, whether it be in themselves, family, or colleagues. The market of people with disabilities has a spending power of more than $6 trillion.1

    1. WAI, 2018

    Blueprint deliverables

    This blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    Accessibility Business Case Template

    The business case for accessibility is strong. Use this template to communicate to senior leaders the benefits and challenges of accessibility and the risks of inaction.

    Accessibility Maturity Assessment

    Use this assessment to understand your current accessibility maturity.

    Blueprint benefits

    Business Benefits IT Benefits
    • Don’t lose out on a 6-trillion-dollar market.
    • Don’t miss opportunities to work with organizations because you’re not accessible.
    • Enable and empower current employees with disabilities.
    • Minimize potential for negative brand reputation due to a lack of consideration for people with disabilities.
    • Decrease the risk of legal action being brought upon the organization.
    • Understand accessibility and know your role in it for your organization and your team members.
    • Be prepared and able to provide the user experience you want.
    • Decrease tech debt – start early to ensure accessibility for everyone.
    • Access an untapped labor market.
    • Mitigate IT retention challenges.

    Measure the value of this blueprint

    Improve stakeholder satisfaction and engagement

    • Tracking measures to understand the value of this blueprint is a critical part of the process.
    • Monitor employee engagement, overall stakeholder satisfaction with IT, and the overall end-customer satisfaction.
    • Remember, accessibility is not a one-and-done project – just because measures are positive does not mean your work is done.

    In phase 2 of this blueprint, we will help you establish current-state and target-state metrics for your organization.

    Suggested Metrics
    Overall end-customer satisfaction
    Monies saved through cost optimization efforts
    Employee engagement
    Monies save through application rationalization and standardization

    For more metrics ideas, see the Info-Tech IT Metrics Library.

    Executive Brief Case Study

    INDUSTRY
    Technology

    SOURCE
    W3C Web Accessibility Initiative (WAI), 2018

    Google

    Investing in accessibility
    With an innovative edge, Google invests in accessibility with the objective of making life easier for everyone. Google has created a broad array of accessibility innovations in its products and services so that people with disabilities get as much out of them as anyone else.

    Part of Google’s core mission, accessibility means more to Google than implementing fixes. It is viewed positively by the organization and drives it to be more innovative to make information available to everyone. Google approaches accessibility problems not as barriers but as ways to innovate and discover breakthroughs that will become mainstream in the future.

    Results
    Among Google’s innovations are contrast minimums, auto-complete, voice-control, AI advances, and machine learning auto-captioning. All of these were created for accessibility purposes but have positively impacted the user experience in general for Google.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit Guided Implementation Workshop Consulting
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 4 to 6 calls over the course of 2 to 4 months.

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Discuss motivation for the initiative and foundational knowledge requirements.

    Call #2: Discuss next steps to assess current accessibility maturity.

    Call #3: Discuss stakeholder engagement and future-state analysis.

    Call #4: Discuss defining goals and objectives, along with roles and responsibilities.

    Call #5: Review draft business case presentation.

    Call #6: Discuss post-approval steps and timelines.

    Phase 1

    Understand Your Current State

    Phase 1
    1.1 Understand standards and legislation
    1.2 Build awareness
    1.3 Understand maturity level

    Phase 2
    2.1 Define desired future state
    2.2 Define goals and objectives
    2.3 Document roles and responsibilities

    Phase 3
    3.1 Prepare business case template for presentation and approval
    3.2 Validate post-approval steps and establish timelines

    The Accessibility Business Case for IT

    This phase will walk you through the following activities:

    • Identifying and understanding accessibility and compliance requirements and the ramifications of noncompliance.
    • Defining accessibility, disability, and disability inclusion and building awareness of these with senior leaders.
    • Completing the Accessibility Maturity Assessment to help you understand your current state.

    Step 1.1

    Understand standards and legislation

    Activities

    1.1.1 Make a list of the legislation you need to comply with

    1.1.2 Seek legal and/or professional services’ input on compliance

    1.1.3 Detail the risks of inaction for your organization

    Understand Your Current State

    Outcomes of this step
    You will gain foundational understanding of the breadth of the regulation requirements for your organization. You will have reviewed and understand what is applicable to your organization.

    The regulatory landscape is evolving

    Canada

    • Canadian Human Rights Act
    • Policy on Communications and Federal Identity
    • Canadian Charter of Rights and Freedoms
    • Accessibility for Ontarians with Disabilities Act
    • Accessible Canada Act of 2019 (ACA)

    Europe

    • UK Equality Act 2010
    • EU Web and Mobile Accessibility Directive (2016)
    • EN 301 549 European Standard – Accessibility requirements for public procurement of ICT products and services

    United States

    • Section 508 of the US Rehabilitation Act of 1973
    • Americans with Disabilities Act of 1990 (ADA)
    • Section 255 of the Telecommunications Act of 1996
    • Air Carrier Access Act of 1986
    • 21st Century Communications and Video Accessibility Act of 2010 (CVAA)

    New Zealand

    • Human Rights Act 1993
    • Online Practice Guidelines for Government

    Australia

    • Disability Discrimination Act 1992 (DDA)

    Regulatory systems are moving toward an international standard.

    1.1.1 Make a list of the legislation you need to comply with

    1. Download the Accessibility Business Case Template.
    2. Conduct research and investigate what legislation and standards are applicable to your organization.
    3. a) Start by looking at your local legislation.
      b) Then consider any other regions you conduct business in.
      c) Also account for the various industries you are in.
    4. While researching, build a list of legislation requirements. Document these in your Accessibility Business Case Template as part of the Project Context section.
    Input Output
    • Research
    • Websites
    • Articles
    • List of legislation that applies to the organization related to accessibility
    Materials Participants
    • Accessibility Business Case Template
    • Project leader/initiator

    Download the Accessibility Business Case Template

    1.1.2 Seek professional advice on compliance

    1. Have general counsel review your list of regulations and standards related to accessibility or seek legal and/or professional support to review your list.
    2. Review or research further the implications of any suggestions from legal counsel.
    3. Make any updates to the Legal Landscape slide in the Accessibility Business Case Template.
    Input Output
    • Compiled list of applicable legislation and standards
    • Confirmed list of regulations that are applicable to your organization related to accessibility
    Materials Participants
    • Accessibility Business Case Template
    • Project leader/initiator
    • General counsel/professional services

    Download the Accessibility Business Case Template

    Ramifications of noncompliance

    Go beyond financial consequences

    Beyond the costs resulting from a claim, noncompliance can damage your organization in several ways.

    Financial Impact

    ADA Warning Shot: A complaint often indicates pending legal action to come. Addressing issues on a reactive, ad hoc basis can be quite expensive. It can cost almost $10,000 to address a single complaint, and chances are if you have one complaint, you have many.

    Lawsuit Costs: In the US, 265,000 demand letters were sent in 2020 under the ADA for inaccessible websites. On average, a demand letter could cost the company $25,000 (conservatively). These are low-end numbers; another estimate is that a small, quickly settled digital accessibility lawsuit could cost upwards of $350,000 for the defendant.

    Non-Financial Impact

    Reputational Impact: Claims brought upon a company can bring negative publicity with them. In contrast, having a clear commitment to accessibility demonstrates inclusion and can enhance brand image and reputation. Stakeholder expectations are changing, and consumers, investors, and employees alike want to support businesses with a purpose.

    Technology Resource Strains: Costly workarounds and ad hoc accommodation processes take away from efficiency and effectiveness. Updates and redesigns for accessibility and best practices will reduce costs associated with maintenance and service, including overall stakeholder satisfaction improvements.

    Access to Talent: 2022 saw a record high number of job openings, over 11.4 million in the US alone. Ongoing labor shortages require eliminating bias and keeping an open mind about who is qualified.

    Source: May Hopewell

    In the last four years, 83% of the retail 500 have been sued. Since 2018, 417 of the top 500 have received ADA-based digital lawsuits.

    Source: UsableNet

    1.1.3 Detail the risks of inaction for your organization

    1. Using the information that you’ve gathered through your research and legal/professional advice, detail the risks of inaction for your organization.
    2. a) Consider legal risks, consumer risks, brand risks, and employee risks. (Remember, risks aren’t just monetary.)
    3. Document the risks in your Accessibility Business Case Template.
    InputOutput
    • List of applicable legislation and standards
    • Information about risks
    • Identified accessibility maturity level
    MaterialsParticipants
    • Accessibility Business Case Template
    • Project leader/initiator

    Download the Accessibility Business Case Template

    Step 1.2

    Build awareness of accessibility and disability inclusion

    Activities

    1.2.1 Identify gaps in understanding

    1.2.2 Brainstorm how to reframe accessibility positively

    Understand Your Current State

    Outcomes of this step
    You’ll have a better understanding of accessibility so that you can effectively implement and promote it.

    Where to look for understanding

    First-hand experience of how people with disabilities interact with your organization is often eye-opening. It will help you understand the benefits and value of accessibility.

    Where to look for understanding

    • Talk with people you know with disabilities that are willing to share.*
    • Find role-specific training that’s appropriate.
    • Research. Articles and videos are easy to find.
    • Set up assistive technology trials.
    • Seek out first-hand experience from people with disabilities and how they work and use digital assets.

    Source: WAI, 2016

    * Remember, people with disabilities aren't obligated to discuss or explain their disabilities and may not be comfortable sharing. If you're asking for their time, be respectful, only ask if appropriate, and accept a "no" answer if the person doesn't wish to assist.

    1.2.1 Identify gaps in understanding

    Find out what accessibility is and why it is important. Learn the basics.

    1. Using the information that you’ve gathered through your research and legal counsel, conduct further research to understand the importance of accessibility.
    2. Answer these questions:
    3. a) What is accessibility? Why is it important?
      b) From the legislation and standards identified in step 1.1, what gaps exist?
      c) What is the definition of disability?
      d) How does your organization currently address accessibility?
      e) What are your risks?
      f) Do you have any current employees who have disabilities?
    4. Review the previous slide for suggestions on where to find more information to answer the above questions.
    5. Document any changes to the risks in your Accessibility Business Case Template.
    InputOutput
    • Articles
    • Interviews
    • Websites
    • Greater understanding of the lived experience of people with disabilities
    MaterialsParticipants
    • Articles
    • Websites
    • Accessibility Business Case Template
    • Project leader/initiator

    Download the Accessibility Business Case Template

    Reframe accessibility as a benefit, not a burden

    A clear understanding of accessibility and the related standards and regulations can turn accessibility from something big and scary to an achievable part of the business.

    The benefits of accessibility are:

    Market Reach Minimized Legal Risks Innovation Retention
    Over 1 billion people with a spending power of $6 trillion make up the global market of people with disabilities.1 Accessibility improves the experience for all users. In addition, many organizations require you to provide proof you meet accessibility standards during the RFP process. Accessibility regulations are changing, and claims are rising. Costs associated with legal proceedings can be more than just financial. Many countries have laws you need to follow. People with disabilities bring diversity of thought, have different lived experiences, and benefit inclusivity, which helps drive engagement. Plus accessibility features often solve unanticipated problems. Employing and supporting people with disabilities can reduce turnover and improve retention, reliability, company image, employee loyalty, ability awareness, and more.

    Source 1: WAI, 2018

    1.2.2 Brainstorm ways to reframe accessibility positively

    1. Using the information that you’ve gathered through your research, brainstorm additional positives of accessibility for your organization.
    2. Clearly identify the problem you want to solve (e.g., reframing accessibility positively in your organization).
    3. Collect any tools you want to use to during brainstorming (e.g., whiteboard, markers, sticky notes)
    4. Write down all the ideas that come to mind.
    5. Review all the points and group them into themes.
    6. Update the Accessibility Business Case Template with your findings.
    InputOutput
    • Research you have gathered
    • List of ways to positively reframe accessibility for your organization
    MaterialsParticipants
    • Sticky notes, whiteboard, pens, paper, markers.
    • Accessibility Business Case Template
    • Project leader/initiator

    Download the Accessibility Business Case Template

    Make it part of the conversation

    A first step to disability and accessibility awareness is to talk about it. When it is talked about as freely as other things are in the workplace, this can create a more welcoming workplace.

    Accessibility goes beyond physical access and includes technological access and support as well as our attitudes.

    Accessibility is making sure everyone (disabled or abled) can access the workplace equally.

    Adjustments in the workplace are necessary to create an accessible and welcoming environment. Understanding the three dimensions of accessibility in the workplace is a good place to start.

    Source: May Hopewell

    Three dimensions of accessibility in the workplace

    Three dimensions of accessibility in the workplace

    Case Study

    INDUSTRY
    Professional Services

    SOURCE
    Accenture

    Accenture takes an inclusive approach to increase accessibility.

    Accessibility is more than tools

    Employee experience was the focus of embarking on the accessibility journey, ensuring inclusivity was built in and every employee was able to use the tools they needed and could achieve their goals.

    "We are removing barriers in technology to make all of our employees, regardless of their ability, more productive.”
    — Melissa Summers, Managing Director – Global IT, Corporate Technology, Accenture

    Accessibility is inclusive

    The journey began with formalizing a Global IT Accessibility practice and defining an accessibility program charter. This provided direction and underpinned the strategy used to create a virtual Accessibility Center of Excellence and map out a multiyear plan of initiatives.

    The team then identified all the technologies they wanted to enhance by prioritizing ones that were high use and high impact. Involving disability champions gave insight into focus areas.

    Accessibility is innovation

    Working with partners like Microsoft and over 100 employees, Accenture continues toward the goal of 75% accessibility for all its global high-traffic internal platforms.

    Achievements thus far include:

    • 100% of new Accenture video and broadcast content is automatically captioned.
    • Accenture received a perfect Disability Equality Index (US) score of 100 out of 100 for 2017, 2018, and 2019.

    Step 1.3

    Understand your current accessibility maturity level

    Activities

    1.3.1 Complete the Accessibility Maturity Assessment

    Understand Your Current State

    Outcomes of this step
    Completed Accessibility Maturity Assessment to inform planning for and building your business case in Phases 2 and 3.

    Know where you are to know where to go

    Consider accessibility improvements from three interconnected aspects to determine current maturity level

    Accessibility Maturity

    People

    • Consider employee, customer, and user experience.

    Process

    • Review processes to ensure accessibility is considered early.

    Technology

    • Whether it’s new or existing, technology is an important tool to increase accessibility.

    Accessibility maturity levels

    INITIAL DEVELOPING DEFINED MANAGED OPTIMIZE
    At this level, accessibility processes are mostly undocumented, if they exist. Accessibility is most likely happening on a reactive, ad hoc basis. No one understands who is responsible for accessibility or what their role is. At this stage the organization is driven by the need for compliance. At the developing level, the organization is taking steps to increase accessibility but still has a lot of opportunity for improvements. The organization is defining and refining processes and is working toward building a library of assistive tools. At this level, processes related to accessibility are repeatable. However, there’s a tendency to resort to old habits under stress. The organization has tools in place to facilitate accommodation requests and technology is compatible with assistive technologies. Accessibility initiatives are driven by the desire to make the user experience better. The managed level is defined by its effective accessibility controls, processes, and metrics. The organization can mostly anticipate preferences of customers, employees, and users. The roles and responsibilities are defined, and disability is included as part of the organization’s diversity, equity, and inclusion (DEI) initiatives. This level is not the goal for all organizations. At this level there is a shift in the organization’s culture to a feeling of belonging. The organization also demonstrates ongoing process improvements. Everyone can experience a seamless interaction with the organization. The focus is on continuous improvement and using feedback to inform future initiatives.

    Determine your level of maturity

    Use Info-Tech’s Accessibility Maturity Assessment

    • On the accessibility questionnaire, tab 2, choose how much the statements apply to your organization. Answer the questions based on your knowledge of your current state organizationally.
    • Once you’ve answered all the questions, see the results on the tab 3, Accessibility Results. You can see your overall maturity level and the maturity level for each of six dimensions that are necessary to increase the success of an accessibility program.
    • Click through to tab 4, Recommendations, to see specific recommendations based on your results and proven research to progress through the maturity levels. Keep in mind that not all organizations will or should aspire to the “Optimize” maturity level.

    1.3.1 Complete the Accessibility Maturity Assessment

    1. Download the Accessibility Maturity Assessment and save it with the date so that as you work on your accessibility program, you can reassess later and track your progress.
    2. Once you have saved the assessment, select the appropriate answer for each statement on tab 2, Accessibility Questions, based on your knowledge of the organization’s approach.
    3. After reviewing all the accessibility statements, see your maturity level results on tab 3, Accessibility Results. Then see tab 4, Recommendations, for suggestions based on your answers.
    4. Document your accessibility maturity results in your Accessibility Business Case Template.
    Input Output
    • Assess your current state of accessibility by choosing all the statements that apply to your organization
    • Identified accessibility maturity level
    Materials Participants
    • Accessibility Maturity Assessment
    • Accessibility Business Case Template
    • Project leader/sponsor
    • IT leadership team

    Download the Accessibility Business Case Template

    Phase 2

    Plan for Senior Leader Buy-In

    Phase 1
    1.1 Understand standards and legislation
    1.2 Build awareness
    1.3 Understand maturity level

    Phase 2
    2.1 Define desired future state
    2.2 Define goals and objectives
    2.3 Document roles and responsibilities

    Phase 3
    3.1 Prepare business case template for presentation and approval
    3.2 Validate post-approval steps and establish timelines

    The Accessibility Business Case for IT

    This phase will walk you through the following activities:

    • Defining your desired future state.
    • Determining your accessibility program goals and objectives.
    • Clarifying and documenting roles and responsibilities related to accessibility in IT.

    This phase involves the following participants:

    • Project lead/sponsor
    • IT leadership team
    • Senior leaders/decision makers

    Step 2.1

    Define the desired future state of accessibility

    Activities

    2.1.1 Identify key stakeholders

    2.1.2 Hold a key stakeholder focus group

    2.1.3 Conduct a future-state analysis

    Outcomes of this step
    Following this step, you will have identified your aspirational maturity level and what your accessibility future state looks like for your organization.

    Plan for Senior Leader Buy-In

    Cheat sheet: Identify stakeholders

    Ask stakeholders, “Who else should I be talking to?” to discover additional stakeholders and ensure you don’t miss anyone.

    Identify stakeholders through the following questions:
    • Who in areas of influence will be adversely affected by potential environmental and social impacts of what you are doing?
    • At which stage will stakeholders be most affected (e.g. procurement, implementation, operations, decommissioning)?
    • Will other stakeholders emerge as the phases are started and completed?
    • Who is sponsoring the initiative?
    • Who benefits from the initiative?
    • Who is negatively impacted by the initiative?
    • Who can make approvals?
    • Who controls resources?
    • Who has specialist skills?
    • Who implements the changes?
    • Who are the owners, governors, customers, and suppliers of impacted capabilities or functions?
    Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.
    • Executives
    • Peers
    • Direct reports
    • Partners
    • Customers
    • Subcontractors
    • Subcontractors
    • Contractors
    • Lobby groups
    • Regulatory agencies

    Categorize your stakeholders with a stakeholder prioritization map

    A stakeholder prioritization map helps teams categorize their stakeholders by their level of influence and ownership.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    Players – Players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

    Mediators – Mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

    Noisemakers – Noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

    Spectators – Generally, spectators are apathetic and have little influence over or interest in the initiative.

    Stakeholder prioritization map

    Define strategies for engaging stakeholders by type

    Each group of stakeholders draws attention and resources away from critical tasks.

    By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of the Mediators and Players are met.

    Type Quadrant Actions
    Players High influence, high interest Actively Engage
    Keep them engaged through continuous involvement. Maintain their interest by demonstrating their value to its success.
    Mediators High influence, low interest Keep Satisfied
    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust, and include them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers Low influence, high interest Keep Informed
    Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
    Spectators Low influence, low interest Monitor
    They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    2.1.1 Identify key stakeholders

    Collect this information by:

    1. List direct stakeholders for your area. Include stakeholders across the organization (both IT and business units) and externally.
    2. Create a stakeholder map to capture your stakeholders’ interest in and influence on digital accessibility.
    3. Shortlist stakeholders to invite as focus group participants in activity 2.1.2.
      • Aim for a combination of Players, Mediators, and Noisemakers.
    Input Output
    • List of stakeholders
    • Stakeholder requirements
    • A stakeholder map
    • List of stakeholders to include in the focus group in step 2.1.2
    Materials Participants
    • Sticky notes, pens, whiteboard, markers (optional)
    • Project leader/sponsor

    Hold a focus group to initiate planning

    Involve key stakeholders to determine the organizational drivers of accessibility, identify target maturity and key performance indicators (KPIs), and ultimately build the project charter.

    Building the project charter as a group will help you to clarify your key messages and secure buy-in from critical stakeholders up-front, which is key.

    Executing the business case for accessibility requires significant involvement from your IT leadership team. The challenge is that accessibility can be overwhelming because of inherent bias. Members of your IT leadership team will also need to participate in knowledge transfer, so get them involved up-front. The focus group will help stakeholders feel more engaged in the project, which is pivotal for success.

    You may feel like a full project charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important regardless. No matter your current climate, some level of socializing the value of and plans for accessibility will be necessary.

    Meeting Agenda

    1. Short introduction
      Led by: Project Sponsor
      • Why the initiative is being considered.
    2. Make the case for the project
      Led by: Project Manager
      • Current state: What does the initiative address?
      • Future state: What is our target state of maturity?
    3. Success criteria
      Led by: Project Manager
      • How will success be measured?
    4. Define the project team
      Led by: Project Manager
      • Description of planned approach.
      • Stakeholder assessment.
      • What is required of the sponsor and stakeholders?
    5. Determine next steps
      Led by: Project Manager

    2.1.2 Hold a stakeholder focus group

    Identify the pain points you want to resolve and some of the benefits that you’d like to see from a program. By doing so, you’ll get a holistic view of what you need to achieve and what your drivers are.

    1. Ask the working group participants (as a whole or in smaller groups) to discuss pain points created by inaccessibility.
      • Challenges related to stakeholders.
      • Challenges created by process issues.
      • Difficulties improving accessibility practices.
    2. Discuss opportunities to be gained from improving these practices.
    3. Have participants write these down on sticky notes and place them on a whiteboard or flip chart.
    4. Review all the points as a group. Group challenges and benefits into themes.
    5. Have the group prioritize the risks and benefits in terms of what the solution must have, should have, could have, and won’t have.
    Input Output
    • Reasons for the project
    • Stakeholder requirements
    • Pain points and risks
    • A prioritized list of risks and benefits of the solution
    Materials Participants
    • Agenda (see previous slide)
    • Sticky notes, pens, whiteboard, markers (optional)
    • IT leadership
    • Other key stakeholders

    While defining future state, consider your drivers

    The Info-Tech Accessibility Maturity Framework identifies three key strategic drivers: compliance, experience, and incorporation.

    • Over 30% of organizations are focused on compliance, according to a 2022 survey by Harvard Business Review and Slack’s Future Forum. The survey asked more than 10,000 workers in six countries about their organizations’ approach to DEI.2

    Even though 90% of companies claim to prioritize diversity,1 over 30% are focused on compliance.2

    1. Harvard Business Review, 2020
    2. Harvard Business Review, 2022

    31.6% of companies remain in the Compliant stage, where they are focused on DEI compliance and not on integrating DEI throughout the organization or on creating continual improvement.

    Source: Harvard Business Review, 2022

    Align the benefits of program drivers to organizational goals or outcomes

    Although there will be various motivating factors, aligning the drivers of your accessibility program provides direction to the program. Connecting the advantages of program drivers to organizational goals builds the confidence of senior leaders and decision makers, increasing the continued commitment to invest in accessibility programming.

    Drivers Compliance Experience Incorporation
    Maturity level Initial Developing Defined Managed Optimized
    Description Any accessibility initiative is to comply with the minimum legislated requirement. Desire to avoid/decrease legal risk. Accessibility initiatives are focused on improving the experience of everyone from the start. Most organizations will be experience driven. Desire to increase accessibility and engagement. Accessibility is a seamless part of the whole organization and initiatives are focused on impacting social issues.
    Advantages Compliance is a good starting place for accessibility. It will reduce legal risk. Being people focused from the start of processes enables the organization to reduce tech debt, provide the best user experience, and realize other benefits of accessibility. There is a sense of belonging in the organization. The entire organization experiences the benefits of accessibility.
    Disadvantages Accessibility is about more than just compliance. Being compliance driven won’t give you the full benefits of accessibility. This can mean a culture change for the organization, which can take a long time. IT is used to moving quickly – it might feel counterintuitive to slow down and take time. It takes much longer to reach the associated level of maturity. Not possible for all organizations.

    Info-Tech Accessibility Maturity Framework

    Info-Tech Accessibility Maturity Framework

    After initially ensuring your organization is compliant with regulations and standards, you will progress to building disciplined process and consistent standardized processes. Eventually you will build the ability for predictable process, and lastly, you’ll optimize by continuously improving.

    Depending on the level of maturity you are trying to achieve, it could take months or even years to implement. The important thing to understand, however, is that accessibility work is never done.

    At all levels of the maturity framework, you must consider the interconnected aspects of people, process, and technology. However, as the organization progresses, the impact will shift from largely being focused on process and technology improvement to being focused on people.

    Info-Tech Insight
    IT typically works through maturity frameworks from the bottom to the top, progressing at each level until they reach the end. When it comes to digital accessibility initiatives, being especially thorough, thoughtful, and collaborative is critical to success. This will mean spending more time in the Developing, Defined, and Managed levels of maturity rather than trying to reach Optimized as quickly as you can. This may feel contrary to what IT historically considers as a successful implementation.

    Accessibility maturity levels

    Driver Description Benefits
    Initial Compliance
    • Accessibility processes are mostly undocumented.
    • Accessibility happens mostly on a reactive or ad hoc basis.
    • No one is aware of who is responsible for accessibility or what role they play.
    • Heavily focused on complying with regulations and standards to decrease legal risk.
    • The organization is aware of the need for accessibility.
    • Legal risk is decreased.
    Developing Experience
    • The organization is starting to take steps to increase accessibility beyond compliance.
    • Lots of opportunity for improvement.
    • Defining and refining processes.
    • Working toward building a library of assistive tools.
    • Awareness of the need for accessibility is growing.
    • Process review for accessibility increases process efficiency through avoiding rework.
    Defined Experience
    • Accessibility processes are repeatable.
    • There is a tendency to resort to old habits under stress.
    • Tools are in place to facilitate accommodation.
    • Employees know accommodations are available to them.
    • Accessibility is becoming part of daily work.
    Managed Experience
    • Defined by effective accessibility controls, processes, and metrics.
    • Mostly anticipating preferences.
    • Roles and responsibilities are defined.
    • Disability is included as part of DEI.
    • Employees understand their role in accessibility.
    • Engagement is positively impacted.
    • Attraction and retention are positively impacted.
    Optimized Incorporation
    • Not the goal for every organization.
    • Characterized by a dramatic shift in organizational culture and a feeling of belonging.
    • Ongoing continuous improvement.
    • Seamless interactions with the organization for everyone.
    • Using feedback to inform future initiatives.
    • More likely to be innovative and inclusive, reach more people positively, and meet emerging global legal requirements.
    • Better equipped for success.

    2.1.3 Conduct future-state analysis

    Identify your target state of maturity

    1. Provide the group with your maturity assessment results to review as well as the slides on the maturity levels, framework, and drivers.
    2. Compare the benefits listed on the Accessibility maturity levels slide to those that you named in the previous exercise and determine which maturity level best describes your target state.
    3. Discuss as a group and agree on one desired maturity level to reach.
    4. Review the other levels of maturity and determine what is in and out of scope for the project (higher-level benefits would be considered out of scope).
    5. Document your target state of maturity in your Accessibility Business Case Template.
    Input Output
    • Accessibility maturity levels chart on previous slide
    • Maturity level assessment results
    • Target maturity level documented
    Materials Participants
    • Paper and pens
    • Handouts of maturity levels
    • Accessibility Business Case Template
    • IT leadership team

    Download the Accessibility Business Case Template

    Case Study

    Accessibility as a differentiator

    INDUSTRY
    Financial

    SOURCE
    WAI-Engage

    Accessibility inside and out

    As a financial provider, Barclays embarked on the accessibility journey to engage customers and employees with the goal of equal access for all. One key statement that provided focus was “Essential for some, easier for all. ”

    “It's about helping everyone to work, bank and live their lives regardless of their age, situation, abilities or circumstances.”

    Embedding into experiences

    “The Barclays Accessibility team [supports] digital teams to embed accessibility into our services and culture through effective governance, partnering, training and tools. Establishing an enterprise-wide accessibility strategy, standards and programmes coupled with senior sponsorship helps support our publicly stated ambition of becoming the most accessible and inclusive FTSE company.”

    – Paul Smyth, Head of Digital Accessibility, Barclays

    It’s a circle, not a roadmap

    • Barclays continues the journey through partnerships with disability charities and accessibility experts and through regularly engaging with customers and colleagues with disabilities directly.
    • More accessible, inclusive products and services engage and attract more people with disabilities. This translates to a more diverse workforce that identifies opportunities for innovation. This leads to being attractive to diverse talent, and the circle continues.
    • Barclays’ mobile banking app was first to be accredited by accessibility consultants AbilityNet.

    Step 2.2

    Define your accessibility program goals and objectives

    Activities

    2.2.1 Create a list of goals and objectives

    2.2.2 Finalize key metrics

    Plan for Senior Leader Buy-In

    Outcomes of this step
    You will have clear measurable goals and objectives to respond to identified accessibility issues and organizational goals.

    What does a good goal look like?

    Use the SMART framework to build effective goals.

    S Specific: Is the goal clear, concrete, and well defined?
    M Measurable: How will you know when the goal is met?
    A Achievable: Is the goal possible to achieve in a reasonable time?
    R Relevant: Does this goal align with your responsibilities and with departmental and organizational goals?
    T Time-based: Have you specified a time frame in which you aim to achieve the goal?

    SMART is a common framework for setting effective goals. Make sure your goals satisfy these criteria to ensure you can achieve real results.

    2.2.1 Create a list of goals and objectives

    Use the outcomes from activity 2.1.2.

    1. Using the prioritized list of what your solution must have, should have, could have, and won’t have from activity 2.1.2, develop goals.
    2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
    3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
    4. Document your goals and objectives in your Accessibility Business Case Template.
    InputOutput
    • Outcomes of activity 2.1.2
    • Organizational and departmental goals
    • Goals and objectives added to your Accessibility Business Case Template
    MaterialsParticipants
    • Accessibility Business Case Template
    • IT leadership team

    Download the Accessibility Business Case Template

    2.2.1 Create a list of goals and objectives

    Use the outcomes from activity 2.1.2.

    1. Using the prioritized list of what your solution must have, should have, could have, and won’t have from activity 2.1.2, develop goals.
    2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
    3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
    4. Document your goals and objectives in your Accessibility Business Case Template.

    Establish Baseline Metrics

    Baseline metrics will be improved through:

    1. Progressing through the accessibility maturity model.
    2. Addressing accessibility earlier in processes to avoid tech debt and rework late in projects or releases.
    3. Making accessibility part of the procurement process as a scoring consideration and vendor choice.
    4. Ensuring compliance with regulations and standards.
    Metric Current Goal
    Overall end-customer satisfaction 90 120
    Monies saved through cost optimization efforts
    Employee engagement
    Monies save through application rationalization and standardization

    For more metrics ideas, see the Info-Tech IT Metrics Library.

    2.2.2 Finalize key metrics

    Finalize key metrics the organization will use to measure accessibility success

    1. Brainstorm how you would measure the success of each goal based on the benefits, challenges, and risks you previously identified.
    2. Write each of the metric ideas down and finalize three to five key metrics which you will track. The metrics you choose should relate to the key challenges or risks you have identified and match your desired maturity level and driver.
    3. Document your key metrics in the Accessibility Business Case Template.
    InputOutput
    • Accessibility challenges and benefits
    • Goals from activity 2.2.1
    • Three to five key metrics to track
    MaterialsParticipants
    • Accessibility Business Case Template
    • IT leadership team
    • Project lead/sponsor

    Download the Accessibility Business Case Template

    Step 2.3

    Document accessibility program roles and responsibilities

    Activities

    2.3.1 Populate a RACI chart

    Plan for Senior Leader Buy-In

    Outcomes of this step
    At the end of this step, you will have a completed RACI chart documenting the roles and responsibilities related to accessibility for your accessibility business case.

    2.3.1 Populate a RACI

    Populate a RACI chart to identify who should be responsible, accountable, consulted, and informed for each key activity.

    Define who is responsible, accountable, consulted, and informed for the project team:

    1. Write out the list of all stakeholders along the top of a whiteboard. Write out the key project steps along the left-hand side.
    2. For each initiative, identify each team member’s role. Are they:
      Responsible: The one responsible for getting the job done.
      Accountable: Only one person can be accountable for each task.
      Consulted: Are involved by providing knowledge.
      Informed: Receive information about execution and quality.
    3. As you proceed, continue to add tasks and assign responsibility to the RACI chart in the appendix of the Accessibility Business Case Template.
    InputOutput
    • Stakeholder list
    • Key project steps
    • Project RACI chart
    MaterialsParticipants
    • Whiteboard
    • Accessibility Business Case Template
    • IT leadership team

    Download the Accessibility Business Case Template

    Phase 3

    Prepare your business case and get approval

    Phase 1
    1.1 Understand standards and legislation
    1.2 Build awareness
    1.3 Understand maturity level

    Phase 2
    2.1 Define desired future state
    2.2 Define goals and objectives
    2.3 Document roles and responsibilities

    Phase 3
    3.1 Prepare business case template for presentation and approval
    3.2 Validate post-approval steps and establish timelines

    The Accessibility Business Case for IT

    This phase will walk you through the following activities:

    • Compiling the work and learning you’ve done so far into a business case presentation.

    This phase involves the following participants:

    • Project lead/sponsor
    • Senior leaders/approval authority

    There is a business case for accessibility

    • When planning for initiatives, a business case is a necessary tool. Although it can feel like an administrative exercise, it helps create a compelling argument to senior leaders about the benefits and necessity of building an accessibility program.
    • No matter the industry, you need to justify how the budget and effort you require for the initiative support organizational goals. However, senior leaders of different industries might be motivated by different reasons. For example, government is strongly motivated by legal and equity aspects, commercial companies may be attracted to the increase in innovation or market reach, and educational and nonprofit companies are likely motivated by brand enhancement.
    • The organizational focus and goals will guide your business case for accessibility. Highlight the most relevant benefits to your operational landscape and the risk of inaction.

    Source: WAI, 2018

    “Many organizations are waking up to the fact that embracing accessibility leads to multiple benefits – reducing legal risks, strengthening brand presence, improving customer experience and colleague productivity.”
    – Paul Smyth, Head of Digital Accessibility, Barclays
    Source: WAI, 2018

    Step 3.1

    Customize and populate the Accessibility Business Case Template

    Activities

    3.1.1 Prepare your business case template for presentation and approval

    Build Your Business Case

    Outcomes of this step
    Following this step, you will have a customized business case presentation that you can present to senior leaders.

    Use Info-Tech’s template to communicate with stakeholders

    Obtain approval for your accessibility program by customizing Info-Tech’s Accessibility Business Case Template, which is designed to effectively convey your key messages. Tailor the template to suit your needs.

    It includes:

    • Project context
    • Project scope and objectives
    • Knowledge transfer roadmap
    • Next steps

    Info-Tech Insight
    The support of senior leaders is critical to the success of your accessibility program development. Remind them of the benefits and impact and the risks associated with inaction.

    Download the Accessibility Business Case Template

    3.1.1 Prepare a presentation for senior leaders to gain approval

    Now that you understand your current and desired accessibility maturity, the next step is to get sign-off to begin planning your initiatives.

    Know your audience:

    1. Consider who will be included in your presentation audience.
    2. You want your presentation to be succinct and hard-hitting. Management’s time is tight, and they will lose interest if you drag out the delivery. Impact them hard and fast with the challenges, benefits, and risks of inaction.
    3. Contain the presentation to no more than an hour. Depending on your audience, the actual presentation delivery could be quite short. You want to ensure adequate time for questions and answers.
    4. Schedule a meeting with the key decision makers who will need to approve the initiatives (IT leadership team, executive team, the board, etc.) and present your business case.
    InputOutput
    • Activity results
    • Accessibility Maturity Assessment results
    • A completed presentation to communicate your accessibility business case
    MaterialsParticipants
    • Accessibility Business Case Template
    • IT leadership team
    • Project sponsor
    • Project stakeholders
    • Senior leaders

    Download the Accessibility Business Case Template

    Step 3.2

    Validate post-approval steps and establish timelines

    Activities

    3.2.1 Prepare for implementation: Complete the implementation prep to-do list and assign proposed timelines

    Build Your Business Case

    Outcomes of this step
    This step will help you gain leadership’s approval to move forward with building and implementing the accessibility program.

    Prepare to implement your program

    Complete the to-do list to ensure you are ready to move your accessibility program forward.

    To Do Proposed Timeline
    Reach out to your change management team for assistance.
    Discuss your plan with HR.
    Build a project team.
    Incorporate any necessary changes from senior leaders into your business case.
    [insert your own addition here]
    [insert your own addition here]
    [insert your own addition here]
    [insert your own addition here]

    3.2.1 Prep for implementation (action planning)

    Use the implementation prep to-do list to make sure you have gathered relevant information and completed critical steps to be ready for success.

    Use the list on the previous slide to make sure you are set up for implementation success and that you’re ready to move your accessibility program forward.

    1. Assign proposed timelines to each of the items.
    2. Work through the list, collecting or completing each item.
    3. As you proceed, keep your identified drivers, current state, desired future state, goals, and objectives in mind.
    Input Output
    • Accessibility Maturity Assessment
    • Business case presentation and any feedback from senior leaders
    • Goals, objectives, identified drivers, and desired future state
    • High-level action plan
    Materials Participants
    • Previous slide containing the checklist
    • Project lead

    Related Info-Tech Research

    Implement and Mature Your User Experience Design Practice

    • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
      • Establishing a practice with a common vision.
      • Enhancing the practice through four design factors.
      • Communicating a roadmap to improve your business through design.

    Modernize Your Corporate Website to Drive Business Value

    • Users are demanding more valuable web functionalities and improved access to your website services.
    • The criteria of user acceptance and satisfaction involves more than an aesthetically pleasing user interface (UI). It also includes how emotionally attached the user is to the website and how it accommodates user behaviors.

    IT Diversity & Inclusion Tactics

    • Although inclusion is key to the success of a diversity and inclusion (D&I) strategy, the complexity of the concept makes it a daunting pursuit.
    • This is further complicated by the fact that creating inclusion is not a one-and-done exercise. Rather, it requires the ongoing commitment of employees and managers to reassess their own behaviors and to drive a cultural shift.

    Fix Your IT Culture

    • Go beyond value statements to create a culture that enables the departmental strategy.
    • There is confusion about how to translate culture from an abstract concept to something that is measurable, actionable, and process driven.
    • Organizations lack clarity about who is accountable and responsible for culture, with groups often pointing fingers at each other.

    Works cited

    “2021 State of Digital Accessibility.” Level Access, n.d. Accessed 10 Aug. 2022

    ”2022 Midyear Report: ADA Digital Accessibility Lawsuits.” UsableNet, 2022. Accessed 9 Nov. 2022

    “Barclay’s Bank Case Study.” WAI-Engage, 12 Sept. 2018. Accessed 7 Nov. 2022.

    Bilodeau, Howard, et al. “StatCan COVID-19 Data to Insights for a Better Canada.” Statistics Canada, 24 June 2021. Accessed 10 Aug. 2022.

    Casey, Caroline. “Do Your D&I Efforts Include People With Disabilities?” Harvard Business Review, 19 March 2020. Accessed 28 July 2022.

    Digitalisation World. “Organisations failing to meet digital accessibility standards.” Angel Business Communications, 19 May 2022. Accessed Oct. 2022.

    “disability.” Merriam-Webster.com Dictionary, Merriam-Webster, https://www.merriam-webster.com/dictionary/disability. Accessed 10 Aug. 2022.

    “Disability.” World Health Organization, 2022. Accessed 10 Aug 2022.

    “Driving the Accessibility Advantage at Accenture.” Accenture, 2022. Accessed 7 Oct. 2022.

    eSSENTIAL Accessibility. The Must-Have WCAG 2.1 Checklist. 2022

    Hopewell, May. Accessibility in the Workplace. 2022.

    “Initiate.” W3C Web Accessibility Initiative (WAI), 31 March 2016. Accessed 18 Aug. 2022.

    Kalcevich, Kate, and Mike Gifford. “How to Bake Layers of Accessibility Testing Into Your Process.” Smashing Magazine, 26 April 2021. Accessed 31 Aug. 2022.

    Noone, Cat. “4 Common Ways Companies Alienate People with Disabilities.” Harvard Business Review, 29 Nov. 2021. Accessed Jul. 2022.

    Taylor, Jason. “A Record-Breaking Year for ADA Digital Accessibility Lawsuits.” UsableNet, 21 December 2020. Accessed Jul. 2022.

    “The Business Case for Digital Accessibility.” W3C Web Accessibility Initiative (WAI), 9 Nov. 2018. Accessed 4 Aug. 2022.

    “The WebAIM Million.” Web AIM, 31 March 2022. Accessed 28 Jul. 2022.

    Washington, Ella F. “The Five Stages of DEI Maturity.” Harvard Business Review, November - December 2022. Accessed 7 Nov. 2022.

    Wyman, Nicholas. “An Untapped Talent Resource: People With Disabilities.” Forbes, 25 Feb. 2021. Accessed 14 Sep. 2022.

    Improve Service Desk Ticket Queue Management

    • Buy Link or Shortcode: {j2store}492|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • Service desk tickets pile up in the queue, get lost or buried, jump between queues without progress, leading to slow response and resolution times, a seemingly insurmountable backlog and breached SLAs.
    • There are no defined rules or processes for how tickets should be assigned and routed and technicians don’t know how to prioritize their assigned work, meaning tickets take too long to get to the right place and aren’t always resolved in the correct or most efficient order.
    • Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

    Our Advice

    Critical Insight

    If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue, then it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

    Impact and Result

    • Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
    • Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Once processes have been defined, identify opportunities to build in automation to improve efficiency.
    • Ensure everyone who handles tickets is clear on their responsibilities and establish clear ownership and accountability for queue management.

    Improve Service Desk Ticket Queue Management Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Ticket Queue Management Deck – A guide to service desk ticket queue management best practices and advice

    This storyboard reviews the top ten pieces of advice for improving ticket queue management at the service desk.

    • Improve Service Desk Ticket Queue Management Storyboard

    2. Service Desk Queue Structure Template – A template to help you map out and optimize your service desk ticket queues

    This template includes several examples of service desk queue structures, followed by space to build your own model of your optimal service desk queue structure and document who is assigned to each queue and responsible for managing each queue.

    • Service Desk Queue Structure Template
    [infographic]

    Further reading

    Improve Service Desk Ticket Queue Management

    Strong queue management is the foundation to good customer service

    Analyst Perspective

    Secure your foundation before you start renovating.

    Service Desk and IT leaders who are struggling with low efficiency, high backlogs, missed SLAs, and poor service desk metrics often think they need to hire more resources or get a new ITSM tool with better automation and AI capabilities. However, more often than not, the root cause of their challenges goes back to the fundamentals.

    Strong ticket queue management processes are critical to the success of all other service desk processes. You can’t resolve incidents and fulfill service requests in time to meet SLAs without first getting the ticket to the right place efficiently and then managing all tickets in the queue effectively. It sounds simple, but we see a lot of struggles around queue management, from new tickets sitting too long before being assigned, to in-progress tickets getting buried in favor of easier or higher-priority tickets, to tickets jumping from queue to queue without progress, to a seemingly insurmountable backlog.

    Once you have taken the time to clearly structure your queues, assign resources, and define your processes for routing tickets to and from queues and resolving tickets in the queue, you will start to see response and resolution time decrease along with the ticket backlog. However, accountability for queue management is often overlooked and is really key to success.
    This is an image of Dr. Natalie Sansone, Senior Research Analyst at Info-Tech Research Group

    Natalie Sansone, PhD
    Senior Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Tickets come into the service desk via multiple channels (email, phone, chat, portal) and aren’t consolidated into a single queue, making it difficult to know what to prioritize.
    • New tickets sit in the queue for too long before being assigned while assigned tickets sit for too long without progress or in the wrong queue, leading to slow response and resolution times.
    • Tickets quickly pile up in the queues, get lost or buried, or jump between queues without finding the right home, leading to a seemingly insurmountable backlog and breached SLAs.

    Common Obstacles

    • All tickets pile into the same queue, making it difficult to view, manage, or know who’s working on what.
    • There are no defined rules or processes for how tickets should be assigned and routed, meaning they often take too long to get to the right place.
    • Technicians have no guidelines as to how to prioritize their work, and no easy way to organize their tickets or queue to know what to work on next.
    • Nobody has authority or accountability for queue management, meaning everyone has eyes only on their own tickets while others fall through the cracks.

    Info-Tech’s Approach

    • Clearly define your queue structure, organize the queues by content, then assign resources to relevant queues depending on their role and expertise.
    • Define and document queue management processes, from initial triage to how to prioritize work on assigned tickets. Ensure everyone who handles tickets is clear on their responsibilities.
    • Establish clear ownership and accountability for queue management.
    • Once processes have been defined, identify opportunities to build in automation to improve efficiency.

    Info-Tech Insight

    If everybody is managing the queue, then nobody is. Without clear ownership and accountability over each and every queue it becomes too easy for everyone to assume someone else is handling or monitoring a ticket when in fact nobody is. Assign a Queue Manager to each queue and ensure someone is responsible for monitoring ticket movement across all the queues.

    Timeliness is essential to customer satisfaction

    And timeliness can’t be achieved without good queue management practices.

    As soon as that ticket comes in, the clock starts ticking…

    A host of different factors influence service desk response time and resolution time, including process optimization and documentation, workflow automation, clearly defined prioritization and escalation rules, and a comprehensive and easily accessible knowledgebase.

    However, the root cause of poor response and resolution time often comes down to the basics like ticket queue management. Without clearly defined processes and ownership for assigning and actioning tickets from the queue in the most effective order and manner, customer satisfaction will suffer.

    For every 12-hour delay in response time*, CSAT drops by 9.6%.

    *to email and web support tickets
    Source: Freshdesk, 2021

    A Freshworks analysis of 107 million service desk interactions found the relationship between CSAT and response time is stronger than resolution time - when customers receive prompt responses and regular updates, they place less value on actual resolution time.

    A queue is simply a line of people (or tickets) waiting to be helped

    When customers reach out to the service desk for help, their messages are converted into tickets that are stored in a queue, waiting to be actioned appropriately.

    Ticket Queue

    Email/web
    Ideally, the majority of tickets come into the ticket queue through email or a self-service portal, allowing for appropriate categorization, prioritization, and assignment.

    Phone
    For IT teams with a high volume of support requests coming in through the phone, reducing wait time in queue may be a priority.

    Chat
    Live chat is growing in popularity as an intake method and may require routing and distribution rules to prevent long or multiple queues.

    Queue Management

    Queue management is a set of processes and tools to direct and monitor tickets or manage ticket flow. It involves the following activities:

    • Review incoming tickets
    • Categorize and prioritize tickets
    • Route or assign appropriately
    • View or update ticket status
    • Monitor resource workload
    • Ensure tickets are being actioned in time
    • Proactively identify SLA breaches

    Ineffective queue management can bury you in backlog

    Ticket backlog with poor queue management

    Without a clear and efficient process or accountability for moving incoming tickets to the right place, tickets will be worked on randomly, older tickets will get buried, the backlog will grow, and SLAs will be missed.

    Ticket backlog with good queue management

    With effective queue management and ownership, tickets are quickly assigned to the right resource, worked on within the appropriate SLO/SLA, and actively monitored, leading to a more manageable backlog and good response and resolution times.

    A growing backlog will quickly lead to dissatisfied end users and staff

    Failing to efficiently move tickets from the queue or monitor tickets in the queue can quickly lead to tickets being buried and support staff feeling buried in tickets.

    Common challenges with queue management include:

    • Tickets come in through multiple channels and aren’t consolidated into a single queue
    • New tickets sit unassigned for too long, resulting in long response times
    • Tickets move around between multiple queues with no clear ownership
    • Assigned tickets sit too long in a queue without progress and breach SLA
    • No accountability for queue ownership and monitoring
    • Technicians cherry pick the easiest tickets from the queue
    • Technicians have no easy way to organize their queue to know what to work on next

    This leads to:

    • Long response times
    • Long resolution times
    • Poor workload distribution and efficiency
    • High backlog
    • Disengaged, frustrated staff
    • Dissatisfied end users

    Info-Tech Insight

    A growing backlog will quickly lead to frustrated and dissatisfied customers, causing them to avoid the service desk and seek alternate methods to get what they need, whether going directly to their favorite technician or their peers (otherwise known as shadow IT).

    Dig yourself out with strong queue management

    Strong queue management is the foundation to good customer service.

    Build a mature ticket queue management process that allows your team to properly prioritize, assign, and work on tickets to maximize response and resolution times.

    A mature queue management process will:

    • Reduce response time to address tickets.
    • Effectively prioritize tickets and ensure everyone knows what to work on next.
    • Ensure tickets get assigned and routed to the right queue and/or resource efficiently.
    • Reduce overall resolution time to resolve tickets.
    • Enable greater accountability for queue management and monitoring of tickets.
    • Improve customer and employee satisfaction.

    As queue management maturity increases:
    Response time decreases
    Resolution time decreases
    Backlog decreases
    End-user satisfaction increases

    Ten Tips to Effectively Manage Your Queue

    The remaining slides in this deck will review these ten pieces of advice for designing and managing your ticket queues effectively and efficiently.

    1. Define your optimal queue structure
    2. Design and assign resources to relevant queues
    3. Define and document queue management processes
    4. Clearly define queue management responsibilities for every team member
    5. Establish clear ownership & accountability over all queues
    6. Always keep ticket status and documentation up to date
    7. Shift left to reduce queue volume
    8. Build-in automation to improve efficiency
    9. Configure your ITSM tool to support and optimize queue management processes
    10. Don’t lose visibility of the backlog

    #1: Define your optimal queue structure

    There is no one right way to do queue management; choose the approach that will result in the highest value for your customers and IT staff.

    Sample queue structures

    This is an image of a sample Queue structure, where Incoming Tickets from all channels pass through auto or manual Queue assignment, to a numbered queue position.

    *Queues may be defined by skillset, role, ticket category, priority, or a hybrid.

    Triage and Assign

    • All incoming tickets are assigned to an appropriate queue based on predefined criteria.
    • Queue assignment may be done through automated workflows based on specific fields within the ticket, or manually by a
    • Queue Manager, dedicated coordinator, or Tier 1 staff.
    • Queues may be defined based on:
      • Skillset/team (e.g. Infrastructure, Security, Apps, etc.)
      • Ticket category (e.g. Network, Office365, Hardware, etc.)
      • Priority (e.g. P1, P2, P3, P4, P5)
    • Resources may be assigned to multiple queues.

    Define your optimal queue structure (cont.)

    Tiered generalist model

    • All incidents and service requests are routed to Tier 1 first, who prioritize and, if appropriate, conduct initial triage, troubleshooting, and resolution on a wide range of issues.
    • More complex or high-priority tickets are escalated to resources at Tier 2 and/or Tier 3, who are specialists working on projects in addition to support tickets.
    This is an image of the Tiered Generalist Model

    Unassigned queue

    • Very small teams may work from an unassigned queue if there are processes in place to monitor tickets and workload balance.
    • Typically, these teams work by resolving the oldest tickets first regardless of complexity (also known as First In, First Out or FIFO). However, this doesn’t allow for much flexibility in terms of priority of the request or customer.
    This is an image of an unassigned queue model

    #2: Design and assign resources to relevant queues

    Once you’ve defined your overall structure, define the content of each queue.

    This image depicts a sample queue organization structure. The bin titles are: Workgroup; Customer Group; Problem Type; and Hybrid

    Info-Tech Insight

    Start small; don’t create a queue for every possible ticket type. Remember that someone needs to be accountable for each of these queues, so only build what you can monitor.

    #3 Define and document queue management processes

    A clear, comprehensive, easily digestible SOP or workflow outlining the steps for handling new tickets and working tickets from the queue will help agents deliver a consistent experience.

    PROCESS INCLUDES:

    DEFINE THE FOLLOWING:

    TRIAGING INCOMING TICKETS

    • Ensure a ticket is created for every issue coming from every channel (e.g. phone, email, chat, walk-in, portal).
    • Assign a priority to each ticket.
    • Categorize ticket and add any necessary documentation
    • Update ticket status.
    • Delete spam, merge duplicate tickets, clean up inbox.
    • Assign tickets to appropriate queue or resource, escalate when necessary.
    • How should tickets be prioritized?
    • How should tickets from each channel be prioritized and routed? (e.g. are phone calls resolved right away? Are chats responded to immediately?)
    • Criteria that determine where a ticket should be sent or assigned (i.e. ticket category, priority, customer type).
    • How should VIP tickets be handled?
    • When should tickets be automatically escalated?
    • Which tickets require hierarchical escalation (i.e. to management)?

    WORKING ON ASSIGNED TICKETS

    • Continually update ticket status and documentation.
    • Assess which tickets should be worked on or completed ahead of others.
    • Troubleshoot, resolve, or escalate tickets.
    • In what order should tickets be worked on (e.g. by priority, by age, by effort, by time to breach)?
    • How long should a ticket be worked on without progress before it should be escalated to a different tier or queue?
    • Exceptions to the rule (e.g. in which circumstances should a lower priority ticket be worked on over a higher priority ticket).

    Process recommendations

    As you define queue management processes, keep the following advice in mind:

    Rotate triage role

    The triage role is critical but difficult. Consider rotating your Tier 1 resources through this role, or your service desk team if you’re a very small group.

    Limit and prioritize channels

    You decide which channels to enable and prioritize, not your users. Phone and chat are very interrupt-driven and should be reserved for high-priority issues if used. Your users may not understand that but can learn over time with training and reinforcement.

    Prioritize first

    Priority matrixes are necessary for consistency but there are always circumstances that require judgment calls. Think about risk and expected outcome rather than simply type of issue alone. And if the impact is bigger than the initial classification, change it.

    Define VIP treatment

    In some organizations, the same issue can be more critical if it happens to a certain user role (e.g. client facing, c-suite). Identify and flag VIP users and clearly define how their tickets should be prioritized.

    Consider time zone

    If users are in different time zones, take their current business hours into account when choosing which ticket to work on.

    Info-Tech Insight

    Think of your service desk as an emergency room. Patients come in with different symptoms, and the triage nurse must quickly assess these symptoms to decide who the patient should see and how soon. Some urgent cases will need to see the doctor immediately, while others can wait in another queue (the waiting room) for a while before being dealt with. Some cases who come in through a priority channel (e.g. ambulance) may jump the queue. Checklists and criteria can help with this decision making, but some degree of judgement is also required and that comes with experience. The triage role is sometimes seen as a junior-level role, but it actually requires expertise to be done well.

    For more detailed process guidance, see Standardize the Service Desk

    Info-Tech’s blueprint Standardize the Service Desk will help you standardize and document core service desk processes and functions, including:

    • Service desk structure, roles, and responsibilities
    • Metrics and reporting
    • Ticket handling and ticket quality
    • Incident and critical incident management
    • Ticket categorization
    • Prioritization and escalation
    • Service request fulfillment
    • Self-service considerations
    • Building a knowledgebase
    this image contains three screenshots from Info-Tech's Standardize the Service Desk Blueprint

    #4 Clearly define queue management responsibilities for every team member

    This may be one of the most critical yet overlooked keys to queue management success. Define the following:

    Who will have overall accountability?

    Someone must be responsible for monitoring all incoming and open tickets as well as assigned tickets in every queue to ensure they are routed and fulfilled appropriately. This person must have authority to view and coordinate all queues and Queue Managers.

    Who will manage each queue?

    Someone must be responsible for managing each queue, including assigning resources, balancing workload, and ensuring SLOs are met for the tickets within their queue. For example, the Apps Manager may be the Queue Manager for all tickets assigned to the Apps team queue.

    Who is responsible for assigning tickets?

    Will you have a triage team who monitors and assigns all incoming tickets? What are their specific responsibilities (e.g. prioritize, categorize, attempt troubleshooting, assign or escalate)? If not, who is responsible for assigning new tickets and how is this done? Will the triage role be a rotating role, and if so, what will the schedule be?

    What are everyone’s responsibilities?

    Everyone who is assigned tickets should understand the ticket handling process and their specific responsibilities when it comes to queue management.

    #5 Establish clear ownership & accountability over all queues

    If everyone is accountable, then no one is accountable. Ownership for each queue and all queues must be clearly designated.

    You may have multiple queue manager roles: one for each queue, and one who has visibility over all the queues. Typically, these roles make up only part of an individual’s job. Clearly define the responsibilities of the Queue Manager role; sample responsibilities are on the right.

    Info-Tech Insight

    Lack of authority over queues – especially those outside Tier 1 of the service desk – is one of the biggest pitfalls we see causing aging tickets and missed SLAs. Every queue needs clear ownership and accountability with everyone committed to meeting the same SLOs.

    The Queue Manager or Coordinator is accountable for ensuring tickets are routed to the correct resources service level objectives or agreements are met.

    Specific responsibilities may include:

    • Monitors queues daily
    • Ensures new tickets are assigned to appropriate resources for resolution
    • Verifies tickets have been routed and assigned correctly and reroutes if necessary
    • Reallocates tickets if assigned resource is suddenly unavailable or away
    • Ensures ticket handling process is met, ticket status is up to date and correct, and ticket documentation is complete
    • Escalates tickets that are aging or about to breach
    • Ensures service level objectives or agreements are met
    • Facilitates resource allocation based on workload
    • Coordinates tickets that require collaboration across workgroups to ensure resolution is achieved within SLA
    • Associates child and parent tickets
    • Prepares reports on ticket status and volume by queues
    • Regularly reviews reports to identify and act on issues and make improvements or changes where needed
    • Identifies opportunities for improvement

    #6 Always keep ticket status and documentation up to date

    Anyone should be able to quickly understand the status and progress on a ticket without needing to ask the technician working on it. This means both the ticket status and documentation must be continually and accurately updated.

    Ticket Documentation
    Ticket descriptions and documentation must be kept accurate and up to date. This ensures that if the ticket is escalated or assigned to a new person, or the Queue Manager or Service Desk Manager needs to know what progress has been made on a ticket, that person doesn’t need to waste time with back-and-forth communication with the technician or end user.

    Ticket Status
    The ticket status field should change as the ticket moves toward resolution, and must be updated every time the status changes. This ensures that anyone looking at the ticket queue can quickly learn and communicate the status of a ticket, tickets don’t get lost or neglected, metrics are accurate (such as time to resolve), and SLAs are not impacted if a ticket is on hold.

    Common ticket statuses include:

    • New/open
    • Assigned
    • In progress
    • Declined
    • Canceled
    • Pending/on hold
    • Resolved
    • Closed
    • Reopened

    For more guidance on ticket handling and documentation, download Info-Tech’s blueprint: Standardize the Service Desk.

    • For ticket handling and documentation, see Step 1.4
    • For ticket status fields, see Step 2.2.

    #7 Shift left to reduce queue volume

    Enable processes such as knowledge management, self-service, and problem management to prevent tickets from even coming into the queue.

    Shift left means enabling fulfilment of repeatable tasks and requests via faster, lower-cost delivery channels, self-help tools, and automation.

    This image contains a graph, where the Y axis is labeled Cost, and the X axis is labeled Time to Resolve.  On the graph are depicted service desk levels 0, 1, 2, and 3.

    Shift to Level 1

    • Identify tickets that are often escalated beyond Tier 1 but could be resolved by Level 1 if they were given the tools, training, resources, or access they need to do so.
    • Provide tools to succeed at resolving those defined tasks (e.g. knowledge article, documentation, remote tools).
    • Embed knowledge management in resolution workflows.

    Shift to End User

    • Build a centralized, easily accessible self-service portal where users can search for solutions to resolve their issues without having to submit a ticket.
    • Communicate and train users on how to use the portal regularly update and improve it.

    Automate & Eliminate

    • Identify processes or tasks that could be automated to eliminate work.
    • Invest in problem management and event management to fix the root problem of recurring issues and prevent a problem from occurring in the first place, thereby preventing future tickets.

    #8 Build in automation to improve efficiency

    Manually routing every ticket can be time-consuming and prone to errors. Once you’ve established the process, automate wherever possible.

    Automation rules can be used to ensure tickets are assigned to the right person or queue, to alert necessary parties when a ticket is about to breach or has breached SLA, or to remind technicians when a ticket has sat in a queue or at a particular status for too long.

    This can improve efficiency, reduce error, and bring greater visibility to both high-priority tickets and aging tickets in the backlog.

    However, your processes, queues, and responsibilities must be clearly defined before you can build in automation.

    For more guidance on implementing automation and AI within your service desk, see these blueprints:

    https://tymansgrpup.com/research/ss/accelerate-your-automation-processes https://tymansgrpup.com/research/ss/improve-it-operations-with-ai-and-ml

    For examples of rules, triggers, and fields you can automate to improve the efficiency of your queue management processes, see the next slide.

    Sample automation rules

    Criteria or triggers you can automate actions based on:

    • Ticket type
    • Specific field in a ticket web form
    • Ticket form that was used (e.g. specific service request form from the portal)
    • Ticket category
    • Ticket priority
    • Keyword in an email subject line
    • Keywords or string in a chat
    • Requester name or email
    • Requester location
    • Requester/ticket language
    • Requester VIP status
    • Channel ticket was received through
    • SLAs or time-based automations
    • Agent skill
    • Agent status or capacity

    Fields or actions those triggers can automate

    • Priority
    • Category
    • Ticket routing
    • Assigned agent
    • Assigned queue
    • SLA/due date
    • Notifications/communication

    Sample Automation Rules

    • When ticket is about to breach, send alert to Queue Manager and Service Desk Manager.
    • When ticket comes from VIP user, set urgency to high.
    • When ticket status has been set to “open” for ten hours, send an alert to Queue Manager.
    • When ticket status has been set to “on hold” for five days, send a reminder to assignee.
    • When ticket is categorized as “Software-ERP,” send to ERP queue.
    • When ticket is prioritized as P1/critical, send alert to emergency response team.
    • When ticket is prioritized as P1 and hasn’t been updated for one hour, send an alert to Incident Manager.
    • When an in-progress ticket is reassigned to a new queue, alert Queue Manager.
    • When ticket has not been resolved within seven days, flag as aging ticket.

    #9 Configure your ITSM tool to support and optimize queue management processes

    Configure your tool to support your needs; don’t adjust your processes to match the tool.

    • Most ITSM tools have default queues out of the box and the option to create as many custom queues, filters, and views as you need. Custom queues should allow you to name the queue, decide which tickets will be sent to the queue, and what columns or information are displayed in the queue.
    • Before you configure your queues and dashboards, sit down with your team to decide what you need and what will best enable each agent to manage their workload.
    • Decide which queues each role should have access to – most should only need to see their own queue and their team’s queue.
    • Configure which queues or views new tickets will be sent to.
    • Configure automation rules defined earlier (e.g. automate sending certain tickets to specific queues or sending notifications to specific parties when certain conditions are met).
    • Configure dashboards and reports on queue volume and ticket status data relevant to each team to help them manage their workload, increase visibility, and identify issues or actions.

    Info-Tech Insight

    It can be overwhelming to support agents when their view is a long and never-ending queue. Set the default dashboard view to show only those tickets assigned to the viewer to make it appear more manageable and easier to organize.

    Configure queues to maximize productivity

    Info-Tech Insight

    The queue should quickly give your team all the information they need to prioritize their work, including ticket status, priority, category, due date, and updated timestamps. Configuration is important - if it’s confusing, clunky, or difficult to filter or sort, it will impact response and resolution times and can lead to missed tickets. Give your team input into configuration and use visuals such as color coding to help agents prioritize their work – for example, VIP tickets may be clearly flagged, critical or high priority tickets may be highlighted, tickets about to breach may be red.

    this image contains a sample queue organization which demonstrates how to maximize productivity

    #10 Don’t lose visibility of the backlog

    Be careful not to focus so much on assigning new tickets that you forget to update aging tickets, leading to an overwhelming backlog and dissatisfied users.

    Track metrics that give visibility into how quickly tickets are being resolved and how many aging tickets you have. Metrics may include:

    • Ticket resolution time by priority, by workgroup
    • Ticket volume by status (i.e. open, in progress, on hold, resolved)
    • Ticket volume by age
    • Ticket volume by queue and assignee

    Regularly review reports on these metrics with the team.

    Make it an agenda item to review aging tickets, on hold tickets, and tickets about to breach or past breach with the team.

    Take action on aging tickets to ensure progress is being made.

    Set rules to close tickets after a certain number of attempts to reach unresponsive users (and change ticket status appropriately).

    Schedule times for your team to tackle aged tickets or tickets in the backlog.

    Info-Tech Insight

    It can be easy for high priority work to constantly push down low priority work, leaving the lower priority tickets to constantly be ignored and users to be frustrated. If you’re struggling with aging tickets, backlog, and tickets breaching SLA, experiment with your team and queue structure to figure out the best resource distribution to handle your workload. This could mean rotating people through the triage role to allow them time to work through the backlog, reducing the number of people doing triage during slower volume periods, or giving technicians dedicated time to work through tickets. For help with forecasting demand and optimizing resources, see Staff the Service Desk to Meet Demand.

    Activity 1.1: Define ticket queues

    1 hour

    Map out your optimal ticket queue structure using the Service Desk Queue Structure Template. Follow the instructions in the template to complete it as a team.

    The template includes several examples of service desk queue structures followed by space to build your own model of an optimal service desk queue structure and to document who is assigned to each queue and responsible for managing each queue.

    Note:

    The template is not meant to map out your entire service desk structure (e.g. tiers, escalation paths) or ticket resolution process, but simply the ticket queues and how a ticket moves between queues. For help documenting more detailed process workflows or service desk structure, see the blueprint Standardize the Service Desk.

    this image contains screenshot from Info-Tech's blueprint: Service Desk Queue structure Template

    Input

    • Current queue structure and roles

    Output

    • Defined service desk ticket queues and assigned responsibilities

    Materials

    • Org chart
    • ITSM tool for reference, if needed

    Participants

    • Service Desk Manager
    • IT Director
    • Queue Managers

    Document in the Service Desk Queue Structure Template.

    Related Info-Tech Research

    Standardize the Service Desk

    This project will help you build and improve essential service desk processes including incident management, request fulfillment, and knowledge management to create a sustainable service desk.

    Optimize the Service Desk With a Shift-Left Strategy

    This project will help you build a strategy to shift service support left to optimize your service desk operations and increase end-user satisfaction.

    Improve Service Desk Ticket Intake

    This project will help you streamline your ticket intake process and identify improvements to your intake channels.

    Staff the Service Desk to Meet Demand

    This project will help you determine your optimal service desk structure and staffing levels based on your unique environment, workload, and trends.

    Works Cited

    “What your Customers Really Want.” Freshdesk, 31 May 2021. Accessed May 2022.

    CIO Priorities 2023

    • Buy Link or Shortcode: {j2store}84|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $10,000 Average $ Saved
    • member rating average days saved: 9 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy

    CIOs are facing these challenges in 2023:

    • Trying to understand the implications of external trends.
    • Determining what capabilities are most important to support the organization.
    • Understanding how to help the organization pursue new opportunities.
    • Preparing to mitigate new sources of organizational risk.

    Our Advice

    Critical Insight

    • While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full context awareness. It's up to them to assess their gaps, consider the present scenario, and then make their next move.
    • Each priority carries new opportunities for organizations that pursue them.
    • There are also different risks to mitigate as each priority is explored.

    Impact and Result

    • Inform your IT strategy for the year ahead.
    • Identify which capabilities you need to improve.
    • Add initiatives that support your priorities to your roadmap.

    CIO Priorities 2023 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. CIO Priorities 2023 Report – Read about the priorities on IT leaders' agenda.

    Understand the five priorities that will help navigate the opportunities and risks of the year ahead.

    • CIO Priorities 2023 Report

    Infographic

     

    Further reading

    CIO Priorities 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    Analyst Perspective

    Take a full view of the board and use all your pieces to win.

    In our Tech Trends 2023 report, we called on CIOs to think of themselves as chess grandmasters. To view strategy as playing both sides of the board, simultaneously attacking the opponent's king while defending your own. In our CIO Priorities 2023 report, we'll continue with that metaphor as we reflect on IT's capability to respond to trends.

    If the trends report is a study of the board state that CIOs are playing with, the priorities report is about what move they should make next. We must consider all the pieces we have at our disposal and determine which ones we can afford to use to seize on opportunity. Other pieces are best used by staying put to defend their position.

    In examining the different capabilities that CIOs will require to succeed in the year ahead, it's apparent that a siloed view of IT isn't going to work. Just like a chess player in a competitive match would never limit themselves to only using their knights or their rooks, a CIO's responsibility is to deploy each of their pieces to win the day. While functional leaders may only see their next move, as head of the organization with a complete view of all the pieces, the CIO has full awareness of the board state.

    It's up to them to assess their gaps, consider the present scenario, and then make their next move.

    This is a picture of Brian Jackson

    Brian Jackson
    Principal Research Director, Research – CIO
    Info-Tech Research Group

    CIO Priorities 2023 is informed by Info-Tech's primary research data of surveys and benchmarks

    Info-Tech's Tech Trends 2023 report and State of Hybrid Work in IT: A Trend Report inform the externalities faced by organizations in the year ahead. They imply opportunities and risks that organizations face. Leadership must determine if they will respond and how to do so. CIOs then determine how to support those responses by creating or improving their IT capabilities. The priorities are the initiatives that will deliver the most value across the capabilities that are most in demand. The CIO Priorities 2023 report draws on data from several different Info-Tech surveys and diagnostic benchmarks.

    2023 Tech Trends and Priorities Survey; N=813 (partial), n=521 (completed)
    Info-Tech's Trends and Priorities 2023 Survey was conducted between August 9 and September 9, 2022. We received 813 total responses with 521 completed surveys. More than 90% of respondents work in IT departments. More than 84% of respondents are at a manager level of seniority or higher.

    2023 The State of Hybrid Work in IT Survey; N=518
    The State of Hybrid Work in IT Survey was conducted between July 11 and July 29 and received 518 responses. Nine in ten respondents were at a manager level of seniority or higher.

    Every organization will have its own custom list of priorities based on its internal context. Organizational goals, IT maturity level, and effectiveness of capabilities are some of the important factors to consider. To provide CIOs with a starting point for their list of priorities for 2023, we used aggregate data collected in our diagnostic benchmark tools between August 1, 2021, and October 31, 2022.

    Info-Tech's CEO-CIO Alignment Program is intended to be completed by CIOs and their supervisors (CEO or other executive position [CxO]) and will provide the average maturity level and budget expectations (N=107). The IT Management and Governance Diagnostic will provide the average capability effectiveness and importance ranking to CIOs (N=271). The CIO Business Vision Diagnostic will provide stakeholder satisfaction feedback (N=259).

    The 2023 CIO priorities are based on that data, internal collaboration sessions at Info-Tech, and external interviews with CIOs and subject matter experts.

    Build IT alignment

    Assess your IT processes

    Determine stakeholder satisfaction

    Most IT departments should aim to drive outcomes that deliver better efficiency and cost savings

    Slightly more than half of CIOs using Info-Tech's CEO-CIO Alignment Program rated themselves at a Support level of maturity in 2022. That aligns with IT professionals' view of their organizations from our Tech Trends and Priorities Survey, where organizations are rated at the Support level on average. At this level, IT departments can provide reliable infrastructure and support a responsive IT service desk that reasonably satisfies stakeholders.

    In the future, CIOs aspire to attain the Transform level of maturity. Nearly half of CIOs select this future state in our diagnostic, indicating a desire to deliver reliable innovation and lead the organization to become a technology-driven firm. However, we see that fewer CxOs aspire for that level of maturity from IT. CxOs are more likely than CIOs to say that IT should aim for the Optimize level of maturity. At this level, IT will help other departments become more efficient and lower costs across the organization.

    Whether a CIO is aiming for the top of the maturity scale in the future or not, IT maturity is achieved one step at a time. Aiming for outcomes at the Optimize level will be a realistic goal for most CIOs in 2023 and will satisfy many stakeholders.

    Current and future state of IT maturity

    This image depicts a table showing the Current and future states of IT maturity.

    Trends indicate a need to focus on leadership and change management

    Trends imply new opportunities and risks that an organization must decide on. Organizational leadership determines if action will be taken to respond to the new external context based on its importance compared to current internal context. To support their organizations, IT must use its capabilities to deliver on initiatives. But if a capability's effectiveness is poor, it could hamper the effort.

    To determine what capabilities IT departments may need to improve or create to support their organizations in 2023, we conducted an analysis of our trends data. Using the opportunities and risks implied by the Tech Trends 2023 report and the State of Hybrid Work in IT: A Trend Report, we've determined the top capabilities IT will need to respond. Capabilities are defined by Info-Tech's IT Management and Governance Framework.

    Tier 1: The Most Important Capabilities In 2023

    Enterprise Application Selection & Implementation

    Manage the selection and implementation of enterprise applications, off-the-shelf software, and software as a service to ensure that IT provides the business with the most appropriate applications at an acceptable cost.

    Effectiveness: 6.5; Importance: 8.8

    Leadership, Culture, and Values

    Ensure that the IT department reflects the values of your organization. Improve the leadership skills of your team to generate top performance.

    Effectiveness: 6.9; Importance: 9

    Data Architecture

    Manage the business' databases, including the technology, the governance processes, and the people that manage them. Establish the principles, policies, and guidelines relevant to the effective use of data within the organization.

    Effectiveness: 6.3; Importance: 8.8

    Organizational Change Management

    Implement or optimize the organization's capabilities for managing the impact of new business processes, new IT systems, and changes in organizational structure or culture.

    Effectiveness: 6.1; Importance: 8.8

    External Compliance

    Ensure that IT processes and IT-supported business processes are compliant with laws, regulations, and contractual requirements.

    Effectiveness: 7.4; Importance: 8.8

    Info-Tech's Management and Diagnostic Benchmark

    Tier 2: Other Important Capabilities In 2023

    Ten more capabilities surfaced as important compared to others but not as important as the capabilities in tier 1.

    Asset Management

    Track IT assets through their lifecycle to make sure that they deliver value at optimal cost, remain operational, and are accounted for and physically protected. Ensure that the assets are reliable and available as needed.

    Effectiveness: 6.4; Importance: 8.5

    Business Intelligence and Reporting

    Develop a set of capabilities, including people, processes, and technology, to enable the transformation of raw data into meaningful and useful information for the purpose of business analysis.

    Effectiveness: 6.3; Importance: 8.8

    Business Value

    Secure optimal value from IT-enabled initiatives, services, and assets by delivering cost-efficient solutions and services and by providing a reliable and accurate picture of costs and benefits.

    Effectiveness: 6.5; Importance: 8.7

    Cost and Budget Management

    Manage the IT-related financial activities and prioritize spending through the use of formal budgeting practices. Provide transparency and accountability for the cost and business value of IT solutions and services.

    Effectiveness: 6.5; Importance: 8.8

    Data Quality

    Put policies, processes, and capabilities in place to ensure that appropriate targets for data quality are set and achieved to match the needs of the business.

    Effectiveness: 6.4; Importance: 8.9

    Enterprise Architecture

    Establish a management practice to create and maintain a coherent set of principles, methods, and models that are used in the design and implementation of the enterprise's business processes, information systems, and infrastructure.

    Effectiveness: 6.8; Importance: 8.8

    IT Organizational Design

    Set up the structure of IT's people, processes, and technology as well as roles and responsibilities to ensure that it's best meeting the needs of the business.

    Effectiveness: 6.8; Importance: 8.8

    Performance Measurement

    Manage IT and process goals and metrics. Monitor and communicate that processes are performing against expectations and provide transparency for performance and conformance.

    Effectiveness: 6; Importance: 8.4

    Stakeholder Relations

    Manage the relationship between the business and IT to ensure that the stakeholders are satisfied with the services they need from IT and have visibility into IT processes.

    Effectiveness: 6.7; Importance: 9.2

    Vendor Management

    Manage IT-related services provided by all suppliers, including selecting suppliers, managing relationships and contracts, and reviewing and monitoring supplier performance.

    Effectiveness: 6.6; Importance: 8.4

    Defining the CIO Priorities for 2023

    Understand the CIO priorities by analyzing both how CIOs respond to trends in general and how a specific CIO responded in the context of their organization.

    This is an image of the four analyses: 1: Implications; 2: Opportunities and risks; 3: Case examples; 4: Priorities to action.

    The Five CIO Priorities for 2023

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    1. Adjust IT operations to manage for inflation
      • Business Value
      • Vendor Management
      • Cost and Budget Management
    2. Prepare your data pipeline to train AI
      • Business Intelligence and Reporting
      • Data Quality
      • Data Architecture
    3. Go all in on zero-trust security
      • Asset Management
      • Stakeholder Relations
      • External Compliance
    4. Engage employees in the digital age
      • Leadership, Culture, and Values
      • Organizational Change Management
      • Enterprise Architecture
    5. Shape the IT organization to improve customer experience
      • Enterprise Application Selection & Implementation
      • Performance Measurement
      • IT Organizational Design

    Adjust IT operations to manage for inflation

    Priority 01

    • APO06 Cost and Budget Management
    • APo10 Vendor Management
    • EDM02 Business Value

    Recognize the relative impact of higher inflation on IT's spending power and adjust accordingly.

    Inflation takes a bite out of the budget

    Two-thirds of IT professionals are expecting their budgets to increase in 2023, according to our survey. But not every increase is keeping up with the pace of inflation. The International Monetary Fund forecasts that global inflation rose to 8.8% in 2022. It projects it will decline to 6.5% in 2023 and 4.1% by 2024 (IMF, 2022).

    CIOs must account for the impact of inflation on their IT budgets and realize that what looks like an increase on paper is effectively a flat budget or worse. Applied to our survey takers, an IT budget increase of more than 6.5% would be required to keep pace with inflation in 2023. Only 40% of survey takers are expecting that level of increase. For the 27% expecting an increase between 1-5%, they are facing an effective decrease in budget after the impact of inflation. Those expecting no change in budget or a decrease will be even worse off.

    Looking ahead to 2023, how do you anticipate your IT spending will change compared to spending in 2022?

    Global inflation estimates by year

    2022 8.8%
    2023 6.5%
    2024 4.1%

    International Monetary Fund, 2022

    CIOs are more optimistic about budgets than their supervisors

    Data from Info-Tech's CEO-CIO Alignment Diagnostic benchmark also shows that CIOs and their supervisors are planning for increases to the budget. This diagnostic is designed for a CIO to use with their direct supervisor, whether it's the CEO or otherwise (CxO). Results show that on average, CIOs are more optimistic than their supervisors that they will receive budget increases and headcount increases in the years ahead.

    While 14% of CxOs estimated the IT budget would see no change or a decrease in the next three to five years, only 3% of CIOs said the same. A larger discrepancy is seen in headcount, where nearly one-quarter of CXOs estimated no change or decrease in the years ahead, versus only 10% of CIOs estimating the same.

    When we account for the impact of inflation in 2023, this misalignment between CIOs and their supervisors increases. When adjusting for inflation, we need to view the responses projecting an increase of between 1-5% as an effective decrease. With the inflation adjustment, 26% of CXOs are predicting IT budgets to stay flat or see a decrease compared to only 10% of CIOs.

    CIOs should consider how inflation has affected their projected spending power over the past year and take into account projected inflation rates over the next couple of years. Given that the past decade has seen inflation rates between 2-3%, the higher rates projected will have more of an impact on organizational budgets than usual.

    Expect headcount to stay flat or decline over 3-5 years

    CIO: 10%; CXO: 24%

    IT budget expectations to stay flat or decrease before inflation

    CIO: 13.6 %; CXO: 3.2%

    IT budget expectations to stay flat or decrease adjusted for inflation

    CIO: 25.8%; CXO: 9.7%

    Info-Tech's CEO-CIO Alignment Program

    Opportunities

    Appoint a "cloud economist"

    Organizations that migrated from on-premises data centers to infrastructure as a service shifted their capital expenditures on server racks to operational expenditures on paying the monthly service bill. Managing that monthly bill so that it is in line with desired performance levels now becomes crucial. The expected benefit of the cloud is that an organization can turn the dial up to meet higher demand and turn it down when demand slows. In practice this is sometimes more difficult to execute than anticipated. Some IT departments realize their cloud-based data flows aren't always connected to the revenue-generating activity seen in the business. As a result, a "cloud economist" is needed to closely monitor cloud usage and adjust it to financial expectations. Especially during any recessionary period, IT departments will want to avoid a "bill shock" incident.

    Partner with technology providers

    Keep your friends close and your vendors closer. Look for opportunities to create leverage with your strategic vendors to unlock new opportunities. Identify if a vendor you work with is not entrenched in your industry and offer them the credibility of working with you in exchange for a favorable contract. Offering up your logo for a website listing clients or giving your own time to speak in a customer session at a conference can go a long way to building up some goodwill with your vendors. That's goodwill you'll need when you ask for a new multi-year contract on your software license without annual increases built into the structure.

    Demonstrate IT projects improve efficiency

    An IT department that operates at the Optimize level of Info-Tech's maturity scale can deliver outcomes that lower costs for other departments. IT can defend its own budget if it's able to demonstrate that its initiatives will automate or augment business activities in a way that improves margins. The argument becomes even more compelling if IT can demonstrate it is supporting a revenue-generating initiative or customer-facing experience. CIOs will need to find business champions to vouch for the important contributions IT is making to their area.

    Risks

    Imposition of non-financial reporting requirements

    In some jurisdictions, the largest companies will be required to start collecting information on carbon emissions emitted as a result of business activities by the end of next year. Smaller sized organizations will be next on the list to determine how to meet new requirements issued by various regulators. Risks of failure include facing fines or being shunned by investors. CIOs will need to support their financial reporting teams in collecting the new required data accurately. This will incur new costs as well.

    Rising asset costs

    Acquiring IT equipment is becoming more expensive due to overall inflation and specific pressures around semiconductor supply chains. As a result, more CIOs are extending their device refresh policies to last another year or two. Still, demands for new devices to support new hybrid work models could put pressure on budgets as IT teams are asked to modernize conferencing rooms. For organizations adopting mixed reality headsets, cutting-edge capabilities will come at a premium. Operating costs of devices may also increase as inflation increases costs of the electricity and bandwidth they depend on.

    CASE STUDY
    Leverage your influence in vendor negotiations

    Denise Cornish, Associate VP of IT and Deputy COO,
    Western University of Health Sciences

    Since taking on the lead IT role at Western University in 2020, Denise Cornish has approached vendor management like an auditable activity. She evaluates the value she gets from each vendor relationship and creates a list of critical vendors that she relies upon to deliver core business services. "The trick is to send a message to the vendor that they also need us as a customer that's willing to act as a reference," she says. Cornish has managed to renegotiate a contract with her ERP vendor, locking in a multi-year contract with a very small escalator in exchange for presenting as a customer at conferences. She's also working with them on developing a new integration to another piece of software popular in the education space.

    Western University even negotiated a partnership approach with Apple for a program run with its College of Osteopathic Medicine of the Pacific (COMP) called the Digital Doctor Bag. The partnership saw Apple agree to pre-package a customer application developed by Western that delivered the curriculum to students and facilitated communications across students and faculty. Apple recognized Western as an Apple Distinguished School, a program that recognizes innovative schools that use Apple products.

    "I like when negotiations are difficult.
    I don't necessarily expect a zero-sum game. We each need to get something out of this and having the conversation and really digging into what's in it for you and what's in it for me, I enjoy that. So usually when I negotiate a vendor contract, it's rare that it doesn't work out."

    CASE STUDY
    Control cloud costs with a simplified approach

    Jim Love, CIO, IT World Canada

    As an online publisher and a digital marketing platform for technology products and services companies, IT World Canada (ITWC) has observed that there are differences in how small and large companies adopt the cloud as their computing infrastructure. For smaller companies, even though adoption is accelerating, there may still be some reluctance to fully embrace cloud platforms and services. While larger companies often have a multi-cloud approach, this might not be practical for smaller IT shops that may struggle to master the skills necessary to effectively manage one cloud platform. While Love acknowledges that the cloud is the future of corporate computing, he also notes that not all applications or workloads may be well suited to run in the cloud. As well, moving data into the cloud is cheap but moving it back out can be more expensive. That is why it is critical to understand your applications and the data you're working with to control costs and have a successful cloud implementation.

    "Standardization is the friend of IT. So, if you can standardize on one platform, you're going to do better in terms of costs."

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Cost and Budget Management

    Take control of your cloud costs by providing central financial oversight on the infrastructure-as-a-service provider your organization uses. Create visibility into your operational costs and define policies to control them. Right-size the use of cloud services to stay within organizational budget expectations.

    Take Control of Cloud Costs on AWS

    Take Control of Cloud Costs on Microsoft Azure

    Improve Business Value

    Reduce the funds allocated to ongoing support and impose tougher discipline around change requests to lighten your maintenance burden and make room for investment in net-new initiatives to support the business.

    Free up funds for new initiatives

    Improve Vendor Management

    Lay the foundation for a vendor management process with long-term benefits. Position yourself as a valuable client with your strategic vendors and leverage your position to improve your contract terms.

    Elevate Your Vendor Management Initiative

    Prepare your data pipeline to train AI

    Priority 02

    • ITRG06 BUSINESS INTELLIGENCE AND REPORTING
    • ITRG07 DATA ARCHITECTURE
    • ITRG08 DATA QUALITY

    Keep pace as the market adopts AI capabilities, and be ready to create competitive advantage.

    Today's innovation is tomorrow's expectation

    During 2022, some compelling examples of generative-AI-based products took the world by storm. Images from AI-generating bots Midjourney and Stable Diffusion went viral, flooding social media and artistic communities with images generated from text prompts. Exchanges with OpenAI's ChatGPT bot also caught attention, as the bot was able to do everything from write poetry, to provide directions on a cooking recipe and then create a shopping list for it, to generate working code in a variety of languages. The foundation models are trained with AI techniques that include generative adversarial networks, transformers, and variational autoencoders. The end result is an algorithm that can produce content that's meaningful to people based on some simple direction. The industry is only beginning to come to grips with how this sort of capability will disrupt the enterprise.

    Slightly more than one-third of IT professionals say their organization has already invested in AI or machine learning. It's the sixth-most popular technology to have already invested in after cloud computing (82%), application programming interfaces (64%), workforce management solutions (44%), data lakes (36%), and next-gen cybersecurity (36%). It's ahead of 12 other technologies that IT is already invested in.

    When we asked what technologies organizations planned to invest in for next year, AI rocketed up the list to second place, as it's selected by 44% of IT professionals. It falls behind only cloud computing. This jump up the list makes AI the fastest growing technology for new investment from organizations.

    Many AI capabilities seem cutting edge now, but organizations are prioritizing it as a technology investment. In a couple of years, access to foundational models that produce images, text, or code will become easy to access with a commercial license and an API integration. AI will become embedded in off-the-shelf software and drive many new features that will quickly become commonplace.

    To stay even with the competition and meet customer expectations, organizations will have to work to at least adopt these AI-enhanced products and services. For those that want to create a competitive advantage, they will have to build a data pipeline that is capable of training their own custom AI models based on their unique data sets.

    Which of the following technology categories has your organization already invested in?

    A bar graph is depicted the percentage of organizations which already had invested in the following Categories: Cloud Computing; Application Programming; Next-Gen Cybersecurity; Workforce Management Solutions; Data Lake/Lakehouse; Artificial Intelligence or Machine Learning.

    Which of those same technologies does your organization plan to invest in by the end of 2023?

    A bar graph is depicted the percentage of organizations which plan to invest in the following categories by the end of 2023: No-Code / Low-Code Platforms; Next-Gen Cybersecurity; Application Programming Interfaces (APIs); Data Lake / Lakehouse; Artificial Intelligence (AI) or Machine Learning; Cloud Computing

    Tech Trends 2023 Survey

    Data quality and governance will be critical to customize generative AI

    Data collection and analysis are on the minds of both CIOs and their supervisors. When asked what technologies the business should adopt in the next three to five years, big data (analytics) ranked as most critical to adopt among CIOs and their supervisors. Big data (collection) ranked fourth out of 11 options.

    Organizations that want to drive a competitive advantage from generative AI will need to train these large, versatile models on their own data sets. But at the same time, IT organizations are struggling to provide clean data. The second-most critical gap for IT organizations on average is data quality, behind only organizational change management. Organizations know that data quality is important to support analytics goals, as algorithms can suffer in their integrity if they don't have reliable data to work with. As they say, garbage in, garbage out.

    Another challenge to overcome is the gap seen in IT governance, the sixth largest gap on average. Using data toward training custom generative models will hold new compliance and ethical implications for IT departments to contend with. How user data can be leveraged is already the subject of privacy legislation in many different jurisdictions, and new AI legislation is being developed in various places around the world that could create further demands. In some cases, users are reacting negatively to AI-generated content.

    Biggest capability gaps between rated importance and effectiveness

    This is a Bar graph showing the capability gaps between rated importance and effectiveness.

    IT Management and Governance Diagnostic

    Most critical technologies to adopt rated by CIOs and their supervisors

    This is a Bar graph showing the most critical technologies to adopt as rated by CIO's and their supervisors

    CEO-CIO Alignment Program

    Opportunities

    Enterprise content discovery

    Many organizations still cobble together knowledgebases in SharePoint or some other shared corporate drive, full of resources that no one quite knows how to find. A generative AI chatbot holds potential to be trained on an organization's content and produce content based on an employee's queries. Trained properly, it could point employees to the right resource they need to answer their question or just provide the answer directly.

    Supply chain forecasts

    After Hurricane Ian shut down a Walmart distribution hub, the retailer used AI to simulate the effects on its supply chain. It rerouted deliveries from other hubs based on the predictions and planned for how to respond to demand for goods and services after the storm. Such forecasts would typically take a team of analysts days to compose, but thanks to AI, Walmart had it done in a matter of hours (The Economist, 2022).

    Reduce the costs of AI projects

    New generative AI models of sufficient scale offer advantages over previous AI models in their versatility. Just as ChatGPT can write poetry or dialogue for a play or perhaps a section of a research report (not this one, this human author promises), large models can be deployed for multiple use cases in the enterprise. One AI researcher says this could reduce the costs of an AI project by 20-30% (The Economist, 2022).

    Risks

    Impending AI regulation

    Multiple jurisdictions around the world are pursuing new legislation that imposes requirements on organizations that use AI, including the US, Europe, and Canada. Some uses of AI will be banned outright, such as the real-time use of facial recognition in public spaces, while in other situations people can opt out of using AI and work with a human instead. Regulations will take the risk of the possible outcomes created by AI into consideration, and organizations will often be required to disclose when and how AI is used to reach decisions (Science | Business, 2022). Questions around whether creators can prevent their content from being used for training AI are being raised, with some efforts already underway to collect a list of those who want to opt out. Organizations that adopt a generative AI model today may find it needs to be amended for copyright reasons in the future.

    Bias in the algorithms

    Organizations using a large AI model trained by a third party to complete their tasks or as a foundation to further customize it with their own data will have to contend with the inherent bias of the algorithm. This can lead to unintended negative experiences for users, as it did for MIT Technology Review journalist Melissa Heikkilä when she uploaded her images to AI avatar app Lensa, only to have it render a collection of sexualized portraits. Heikkilä contends that her Asian heritage overly influenced the algorithm to associate her with video-game characters, anime, and adult content (MIT Technology Review, 2022).

    Convincing nonsense

    Many of the generative AI bots released so far often create very good responses to user queries but sometimes create nonsense that at first glance might seem to be accurate. One example is Meta's Galactica bot – intended to streamline scientific research discovery and aid in text generation – which was taken down only three days after being made available. Scientists found that it generated fake research that sounded convincing or failed to do math correctly (Spiceworks, 2022).

    CASE STUDY
    How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices

    Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

    At the Toronto Raptors practice facility, the OVO Athletic Centre, a new 120-foot custom LG video screen towers over the court. The video board is used to playback game clips so coaches can use them to teach players, but it also displays analytics from algorithmic models that are custom-made for each player. Data on shot-making or defensive deflections are just a couple examples of what might inform the players.

    Vice President of Digital Technology Christian Magsisi leads a functional Digital Labs technical group at MLSE. The in-house team builds the specific data models that support the Raptors in their ongoing efforts to improve. The analytics are fed by Noah Analytics, which uses cognitive vision to provide real-time feedback on shot accuracy. SportsVU is a motion capture system that represents how players are positioned on the court, with detail down to which way they are facing and whether their arms are up or down. The third-party vendors provide the solutions to generate the analytics, but it's up to MLSE's internal team to shape them to be actionable for players during a practice.

    "All the way from making sure that a specific player is achieving the results that they're looking for and showing that through data, or finding opportunities for the coaching staff. This is the manifestation of it in real life. Our ultimate goal with the coaches was to be able to take what was on emails or in a report and sometimes even in text message and actually implement it into practice."

    Read the full story on Spiceworks Insights.

    How MLSE enhances the Toronto Raptors' competitiveness with data-driven practices (cont.)

    Humza Teherany, Chief Technology Officer, MLSE

    MLSE's Digital Labs team architects its data insights pipeline on top of cloud services. Amazon Web Services Rekognition provides cognitive vision analysis from video and Amazon Kinesis provides the video processing capabilities. Beyond the court, MLSE uses data to enhance the fan experience, explains CTO Humza Teherany. It begins with having meaningful business goals about where technology can provide the most value. He starts by engaging the leadership of the organization and considering the "art of the possible" when it comes to using technology to unlock their goals.

    Humza Teherany (left) and Christian Magsisi lead MLSE's digital efforts for the pro sports teams owned by the group, including the Toronto Raptors, Toronto Maple Leafs, and Toronto Argonauts. (Photo by Brian Jackson).

    Read the full story on Spiceworks Insights.

    "Our first goal in the entire buildup of the Digital Labs organization has been to support MLSE and all of our teams. We like to do things first. We leverage our own technology to make things better for our fans and for our teams to complete and find incremental advantages where possible."
    Humza Teherany,
    Chief Technology Officer, MLSE

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Data Quality

    The performance of AI-assisted tools depends on mature IT operations processes and reliable data sets. Standardize service management processes and build a knowledgebase of structured content to prepare for AI-assisted IT operations.

    Prepare for Cognitive Service Management

    Improve Business Intelligence and Reporting

    Explore the enterprise chatbots that are available to not only assist with customer interactions but also help your employees find the resources they need to do their jobs and retrieve data in real time.

    Explore the best chatbots software

    Improve Data Architecture

    Understand if you are ready to embark on the AI journey and what business use cases are appropriate for AI. Plan around the organization's maturity in people, tools, and operations for delivering the correct data, model development, and model deployment and managing the models in the operational areas.

    Create an Architecture for AI

    Go all in on zero-trust security

    Priority 03

    • BAI09 ASSET MANAGEMENT
    • APO08 STAKEHOLDER RELATIONS
    • MEA03 EXTERNAL COMPLIANCE

    Adopt zero-trust architecture as the new security paradigm across your IT stack and from an organizational risk management perspective.

    Putting faith in zero trust

    The push toward a zero-trust security framework is becoming necessary for organizations for several different reasons over the past couple of years. As the pandemic forced workers away from offices and into their homes, perimeter-based approaches to security were challenged by much wider network footprints and the need to identify users external to the firewall. Supply-chain security became more of a concern with notable attacks affecting many thousands of firms, some with severe consequences. Finally, the regulatory pressure to implement zero trust is rising following President Joe Biden's 2021 Executive Order on Improving the Nation's Cybersecurity. It directs federal agencies to implement zero trust. That will impact any company doing business with the federal government, and it's likely that zero trust will propagate through other government agencies in the years ahead. Zero-trust architecture can also help maintain compliance around privacy-focused regulations concerned about personal data (CSO Online, 2022).

    IT professionals are modestly confident that they can meet new government legislation regarding cybersecurity requirements. When asked to rank their confidence on a scale of one to five, the most common answer was 3 out of 5 (38.5%). The next most common answer was 4 out of 5 (33.3%).

    Zero-trust barriers:
    Talent shortage and lack of leadership involvement

    Out of a list of challenges, IT professionals are most concerned with talent shortages leading to capacity constraints in cybersecurity. Fifty-four per cent say they are concerned or very concerned with this issue. Implementing a new zero-trust framework for security will be difficult if capacity only allows for security teams to respond to incidents.

    The next most pressing concern is that cyber risks are not on the radar of executive leaders or the board of directors, with 46% of IT pros saying they are concerned or very concerned. Since zero-trust requires that organizations take an enterprise risk management approach to cybersecurity and involve top decision makers, this reveals another area where organizations may fall short of achieving a zero-trust environment.

    How confident are you that your organization is prepared to meet current and future government legislation regarding cybersecurity requirements? A circle graph is shown with 68.6% colored dark green, and the words: AVG 3.43 written inside the graph.
    a bar graph showing the confidence % for numbers 1-5
    54%

    of IT professionals are concerned with talent shortages leading to capacity constraints in cybersecurity.

    46%

    of IT professionals are concerned that cyber risks are not on the radar of executive leaders or the board of directors.

    Zero trust mitigates risk while removing friction

    A zero-trust approach to security requires organizations to view cybersecurity risk as part of its overall risk framework. Both CIOs and their supervisors agree that IT-related risks are a pain point. When asked to rate the severity of pain points, 58% of CIOs rated IT-related business risk incidents as a minor pain or major pain. Their supervisors were more concerned, with 61% rating it similarly. Enterprises can mitigate this pain point by involving top levels of leadership in cybersecurity planning.

    Organizations can be wary about implementing new security measures out of concern it will put barriers between employees and what they need to work. Through a zero-trust approach that focuses on identity verification, friction can be avoided. Overall, IT organizations did well to provide security without friction for stakeholders over the past 18 months. Results from Info-Tech's CIO Business Vision Diagnostic shows that stakeholders almost all agree friction due to security practices are acceptable. The one area that stands to be improved is remote/mobile device access, where 78.3% of stakeholders view the friction as acceptable.

    A zero-trust approach treats user identity the same regardless of device and whether it is inside or outside of the corporate network. This can remove friction when workers are looking to connect remotely from a mobile device.

    IT-related business risk incidents viewed as a pain point

    CXO 61%
    CIO 58%

    Business stakeholders rate security friction levels as acceptable

    A bar graph is depicted with the following dataset: Regulatory Compliance: 93.80%; Office/Desktop Computing:	86.50%;Data Access/Integrity: 86.10%; Remote/Mobile Device Access:	78.30%;

    CIO Business Vision Diagnostic, N=259

    Opportunities

    Move to identity-driven access control

    Today's approach to access control on the network is to allow every device to exchange data with every other device. User endpoints and servers talk to each other directly without any central governance. In a zero-trust environment, a centralized zero-trust network access broker provides one-to-one connectivity. This allows servers to rest offline until needed by a user with the right access permissions. Users verify their identity more often as they move throughout the network. The user can access the resources and data they need with minimal friction while protecting servers from unauthorized access. Log files are generated for analysis to raise alerts about when an authorized identity has been compromised.

    Protect data with just-in-time authentication

    Many organizations put process in place to make sure data at rest is encrypted, but often when users copy that data to their own devices, it becomes unencrypted, allowing attackers opportunities to exfiltrate sensitive data from user endpoints. Moving to a zero-trust environment where each data access is brokered by a central broker allows for encryption to be preserved. Parties accessing a document must exchange keys to gain access, locking out unauthorized users that don't have both sets of keys to decrypt the data (MIT Lincoln Laboratory, 2022).

    Harness free and open-source tools to deploy zero trust

    IT teams may not be seeing a budget infusion to invest in a new approach to security. By making use of the many free and open-source tools available, they can bootstrap their strategy into reality. Here's a list to get started:

    PingCastle Wrangle your Active Directory and find all the domains that you've long since forgotten about and manage the situation appropriately. Also builds a spoke-and-hub map of your Active Directory.

    OpenZiti Create an overlay network to enable programmable networking that supports zero trust.

    Snyk Developers can automatically find and fix vulnerabilities before they commit their code. This vendor offers a free tier but users that scale up will need to pay.

    sigstore Open-source users and maintainers can use this solution to verify the code they are running is the code the developer intended. Works by stitching together free services to facilitate software signing, verify against a transparent ledger, and provide auditable logs.

    Microsoft's SBOM generation tool A software bill of materials is a requirement in President Biden's Executive Order, intended to provide organizations with more transparency into their software components by providing a comprehensive list. Microsoft's tool will work with Windows, Linux, and Mac and auto-detect a longlist of software components, and it generates a list organized into four sections that will help organizations comprehend their software footprint.

    Risks

    Organizational culture change to accommodate zero trust

    Zero trust requires that top decision makers get involved in cybersecurity by treating it as an equal consideration of overall enterprise risk. Not all boards will have the cybersecurity expertise required, and some executives may not prioritize cybersecurity despite the warnings. Organizations that don't appoint a chief information security officer (CISO) role to drive the cybersecurity agenda from the top will be at risk of cybersecurity remaining an afterthought.

    Talent shortage

    No matter what industry you're in or what type of organization you run, you need cybersecurity. The demand for talent is very high and organizations are finding it difficult to hire in this area. Without the talent needed to mature cybersecurity approaches to a zero-trust model, the focus will remain on foundational principles of patch management to eliminate vulnerabilities and intrusion prevention. Smaller organizations may want to consider a "virtual CISO" that helps shape the organizational strategy on a part-time basis.

    Social engineering

    Many enterprise security postures remain vulnerable to an attack that commandeers an employee's identity to infiltrate the network. Hosted single sign-on models provide low friction and continuity of identity across applications but also offer a single point of failure that hackers can exploit. Phishing scams that are designed to trick an employee into providing their credentials to a fake website or to just click on a link that delivers a malware payload are the most common inroads that criminals take into the corporate network. Being aware of how user behavior influences security is crucial.

    CASE STUDY
    Engage the entire organization with cybersecurity awareness

    Serge Suponitskiy, CIO, Brosnan Risk Consultants

    Brosnan provides private security services to high-profile clients and is staffed by security experts with professional backgrounds in intelligence services and major law enforcement agencies. Safe to say that security is taken seriously in this culture and CIO Serge Suponitskiy makes sure that extends to all back-office staff that support the firm's activities. He's aware that people are often the weakest link in a cybersecurity posture and are prone to being fooled by a phishing email or even a fraudulent phone call. So cybersecurity training is an ongoing activity that takes many forms. He sends out a weekly cybersecurity bulletin that features a threat report and a story about the "scam of the week." He also uses KnowBe4, a tool that simulates phishing attacks and trains employees in security awareness. Suponitskiy advises reaching out to Marketing or HR for help with engaging employees and finding the right learning opportunities.

    "What is financially the best solution to protect yourself? It's to train your employees. … You can buy all of the tools and it's expensive. Some of the prices are going up for no reason. Some by 20%, some by 50%, it's ridiculous. So, the best way is to keep training, to keep educating, and to reimagine the training. It's not just sending this video that no one clicks on or posting a poster no one looks at. … Given the fact we're moving into this recession world, and everyone is questioning why we need to spend more, it's time to reimagine the training approach."

    CASE STUDY
    Focus on micro-segmentation as the foundation of zero trust

    David Senf, National Cybersecurity Strategist, Bell

    As a cybersecurity analyst and advisor that works with Bell's clients, David Senf sees zero-trust security as an opportunity for organizations to put a strong set of mitigating controls in place to defend against the thorny challenge of reducing vulnerabilities in their software supply chain. With major breaches being linked to widely used software in the past couple of years, security teams might find it effective to focus on a different layer of security to prevent certain breaches. With security policy being enforced at a narrow point/perimeter, attacks are in essence blocked from exploiting application vulnerabilities (e.g. you can't exploit what you can see). Organizations must still ensure there is a solid vulnerability management program in place, but surrounding applications with other controls is critical. One aspect of zero trust, micro-segmentation, which is an approach to network management, can limit the damage caused by a breach. The solutions help to map out and protect the different connections between applications that could otherwise be abused for discovery or lateral movement. Senf advises that knowing your inventory of software and the interdependencies between applications is the first step on a zero-trust journey, before putting protection and detection in place.

    "Next year will be a year of a lot more ZTNA, zero-trust network access, being deployed. So, I think that will give organizations more of an understanding of what zero trust is as well, from a really basic perspective. If I can just limit what applications you can see and no one can even see that application, it's undiscoverable because I've got that ZTNA solution in place. … I would see that as a leading area of deployment and coming to understand what zero trust is in 2023."

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Asset Management

    Enable reduced friction in the remote user experience by underpinning it with a hardware asset management program. Creating an inventory of devices and effectively tracking them will aid in maintaining compliance, result in stronger policy enforcement, and reduce the harm of a lost or stolen device.

    Implement Hardware Asset Management

    Improve Stakeholder Relations

    Communicate the transition from a perimeter-based security approach to an "Always Verify" approach with a clear roadmap toward implementation. Map key protect surfaces to business goals to demonstrate the importance of zero-trust security in helping the organization succeed. Help the organization's top leadership build awareness of cybersecurity risk.

    Build a Zero Trust Roadmap

    Improve External Compliance

    Manage the challenge of meeting new government requirements to implement zero-trust security and other data protection and cybersecurity regulations with a compliance program. Create a control environment that aligns multiple compliance regimes, and be prepared for IT audits.

    Build a Security Compliance Program

    Engage employees in the digital age

    Priority 04

    • ITRG02 LEADERSHIP, CULTURE, AND VALUES
    • BAI05 ORGANIZATIONAL CHANGE MANAGEMENT
    • APO03 ENTERPRISE ARCHITECTURE

    Lead a strong culture through digital means to succeed in engaging the hybrid workforce.

    The new deal for employers in a hybrid work world

    Necessity is the mother of innovation.

    The pandemic's disruption for non-essential workers looks to have a long-lasting, if not permanent, effect on the relationship between employer and employee. The new bargain for almost all organizations is a hybrid work reality, with employees splitting time between the office and working remotely, if not working remotely full-time. IT is in a unique position in the organization as it must not only contend with the shift to this new deal with its own employees but facilitate it for the entire organization.

    With 90% of organizations embracing some form of hybrid work, IT leaders have an opportunity to shift from coping with the new work reality to finding opportunities to improve productivity. Organizations that embrace a hybrid model for their IT departments see a more effective IT department. Organizations that offered no remote work for IT rated their IT effectiveness on average 6.2 out of 10, while organizations with at least 10% of IT roles in a hybrid model saw significantly higher effectiveness. At minimum, organizations with between 50%-70% of IT roles in a hybrid model rated their effectiveness at 6.9 out of 10.

    IT achieved this increase in effectiveness during a disruptive time that often saw IT take on a heavier burden. Remote work required IT to support more users and be involved in facilitating more work processes. Thriving through this challenging time is a win that's worth sharing with the rest of the organization.

    90% of organizations are embracing some form of hybrid work.

    IT's effectiveness compared to % working hybrid or remotely

    A bar graph is shown which compares the effectiveness of IT work with hybrid and full remote work, compared to No Remote Work for IT.

    High effectiveness doesn't mean high engagement

    Despite IT's success with hybrid work, CIOs are more concerned about their staff sufficiency, skill, and engagement than their supervisors. Among clients using our CEO-CIO Alignment Diagnostic, 49% of CIOs considered this issue a major pain point compared to only 32% of CXOs. While IT staff are more effective than ever, even while carrying more of a burden in the digital age, CIOs are still looking to improve staff engagement.

    Info-Tech's State of Hybrid Work Survey illuminates further details about where IT leaders are concerned for their employee engagement. About four in ten IT leaders say they are concerned for employee wellbeing, and almost the same amount say they are concerned they are not able to see signs that employees are demotivated (N=518).

    Boosting IT employees' engagement levels to match their effectiveness will require IT leaders to harness all the tools at their disposal. Communicating culture and effectively managing organizational change in the digital age is a real test of leadership.

    Staff sufficiency, skill, and engagement issues as a major pain point

    CXO 32%
    CIO 49%

    CEO-CIO Alignment Diagnostic

    Opportunities

    Drive effectiveness with a hybrid environment

    IT leaders concerned about the erosion of culture and connectedness due to hybrid work can mitigate those effects with increased and improved communication. Among highly effective IT departments, 55% of IT leaders made themselves highly available through instant messaging chat. Another 54% of highly effective leaders increased team meetings (State of Hybrid Work Survey, n=213). The ability to adapt to the team's needs and use a number of tactics to respond is the most important factor. The greater the number of tactics used to overcome communication barriers, the more effective the IT department (State of Hybrid Work Survey, N=518).

    Modernize the office conference room

    A hybrid work approach emphasizes the importance of not only the technology in the office conference room but the process around how meetings are conducted. Creating an equal footing for all participants regardless of how they join is the goal. In pursuit of that, 63% of organizations say they have made changes or upgrades to their conference room technology (n=496). The conferencing experience can influence employee engagement and work culture and enhance collaboration. IT should determine if the business case exists for upgrades and work to decrease the pain of using legacy solutions where possible (State of Hybrid Work in IT: A Trend Report).

    Understand the organizational value chain

    Map out the value chain from the customer perspective and then determine the organizational capabilities involved in delivering on that experience. It is a useful tool for helping IT staff understand how they're connected to the customer experience and organizational mission. It's crucial to identify opportunities to resolve pain points and create more efficiency throughout the organization.

    Risks

    Talent rejects the working model

    Many employees that experienced hybrid work over the past couple of years are finding it's a positive development for work/life balance and aren't interested in a full-time return to the office. Organizations that insist on returning all employees to the office all the time may find that employees choose to leave the organization. Similarly, it could be hard to hire IT talent in a competitive market if the position is required to be onsite every day. Most organizations are providing flexible options to employees and finding ways to manage work in the new digital age.

    Wasted expense on facilities

    Organizations may choose to keep their physical office only to later realize that no one is going to work there. While providing an office space can help foster positive culture through valuable face time, it has to be used intentionally. Managers should plan for specific days that their teams will meet in the office and make sure that work activities take advantage of everyone being in the same place at the same time. Asking everyone to come in so that they can be on a videoconference meeting in their cubicle isn't the point.

    Isolated employees and teams

    Studies on a remote work environment show it has an impact on how many connections each employee maintains within the company. Employees still interact well within their own teams but have fewer interactions across departments. Overall, workers are likely to collaborate just as often as they did when working in the office but with fewer other individuals at the company. Keep the isolating effect of remote work in mind and foster collaboration and networking opportunities across different departments (BBC News, 2022).

    CASE STUDY
    Equal support of in-office and remote work

    Roberto Eberhardt, CIO, Ontario Legislative Assembly

    Working in the legislature of the Ontario provincial government, CIO Roberto Eberhardt's staff went from a fully onsite model to a fully remote model at the outset of the pandemic. Today he's navigating his path to a hybrid model that's somewhere in the middle. His approach is to allow his business colleagues to determine the work model that's needed but to support a technology environment that allows employees to work from home or in the office equally. Every new process that's introduced must meet that paradigm, ensuring it will work in a hybrid environment. For his IT staff, he sees a culture of accountability and commitment to metrics to drive performance measurement as key to the success of this new reality.

    "While it's good in a way, the challenge for us is it became a little more complex because you have to account for all those things in the office environment and in the remote work approach. Everything you do now, you have to say OK well how is this going to work in this world and how will it work in the other world?"

    Creating purpose for IT through strategy

    Mike Russell, Virginia Community College System

    At the Virginia Community College System (VCCS), CIO Mike Russell's IT team supports an organization that governs and delivers services to all community colleges in the state. Russell sees his IT team's purpose as being driven by the organization's mission to ensure success throughout the entire student journey, from enrolment to becoming employed after graduation. That customer-focused mindset starts from the top-level leadership, the chancellor, and the state governor. The VCCS maintains a six-year business plan that informs IT's strategic plan and aligns IT with the mission, and both plans are living documents that get refreshed every two years. Updating the plans provides opportunities for the chancellor to engage the organization and remind everyone of the purpose of their work.

    "The outcome isn't the degree. The outcome we're trying to measure is the job. Did you get the job that you wanted? Whether it's being re-employed or first-time employment, did you get what you were after?"

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Leadership, Culture, and Values

    Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

    Prepare People Leaders for the Hybrid Work Environment

    Improve Organizational Change Management

    Assign accountability for managing the changes that the organization is experiencing in the digital age. Make a people-centric approach that takes human behavior into account and plans to address different needs in different ways. Be proactive about change.

    Master Organizational Change Management Practices

    Improve Enterprise Architecture

    Develop a foundation for aligning IT's activities with business value by creating a right-sized enterprise architecture approach that isn't heavy on bureaucracy. Drive IT's purpose by illustrating how their work contributes to the overall mission and the customer experience.

    Create a Right-Sized Enterprise Architecture Governance Framework

    Shape the IT organization to improve customer experience

    PRIORITY 05

    • BAI03 ENTERPRISE APPLICATION SELECTION & IMPLEMENTATION
    • MEA01 PERFORMANCE MEASUREMENT
    • ITRG01 IT ORGANIZATIONAL DESIGN

    Tightly align the IT organization with the organization's value chain from a customer perspective.

    IT's value is defined by faster, better, bigger

    The pandemic motivated organizations to accelerate their digital transformation efforts, digitalizing more of their tasks and organizing the company's value chain around satisfying the customer experience. Now we see organizations taking their foot off the gas pedal of digitalization and shifting their focus to extracting the value from their investments. They want to execute on the digital transformation in their operations and realize the vision they set out to achieve.

    In our Trends Report we compared the emphasis organizations are putting on digitalization to last year. Overall, we see that most organizations shifted fewer of their processes to digital in the past year.

    We also asked organizations what motivated their push toward automation. The most common drivers are to improve efficiency, with almost seven out of ten organizations looking to increase staff on high-level tasks by automating repetitive tasks, 67% also wanting to increase productivity without increasing headcount, and 59% wanting to reduce errors being made by people. In addition, more than half of organizations pursued automation to improve customer satisfaction.

    What best describes your main motivation to pursue automation, above other considerations?

    A bar graph is depicted showing the following dataset: Increase staff focus on high-level tasks by automating repetitive tasks:	69%; Increase productivity of existing staff to avoid increasing headcount:	67%; Reduce errors made by people:	59%; Improve customer satisfaction:	52%; Achieve cost savings through reduction in headcount:	35%; Increase revenue by enabling higher volume of work:	30%

    Tech Trends 2023 Survey

    To what extent did your organization shift its processes from being manually completed to digitally completed during past year?

    A bar graph is depicted showing the extent to which organizations shifted processes from manual to digital during the past year for 2022 and 2023, from Tech Trends 2023 Survey

    With the shift in focus from implementing new applications to support digital transformation to operating in the new environment, IT must shift its own focus to help realize the value from these systems. At the same time, IT must reorganize itself around the new value chain that's defined by a customer perspective.

    IT struggles to deliver business value or support innovation

    Many current IT departments are structured around legacy processes that hinder their ability to deliver business value. CIOs are trying to grapple with the misalignment between the modern business structure and keep up with the demands for innovation and agility.

    Almost nine in ten CIOs say that business frustration with IT's failure to deliver value is a pain point. Their supervisors have a slightly more favorable opinion, with 76% agreeing that it is a pain point.

    Similarly, nine in ten CIOs say that IT limits affecting business innovation and agility is a pain point, while 81% of their supervisors say the same.

    Supervisors say that IT should "ensure benefits delivery" as the most important process (CEO-CIO Alignment Program). This underlines the need to achieve alignment, optimize service delivery, and facilitate innovation. The pain points identified here will need to be resolved to make this possible.

    IT departments will need to contend with a tight labor market and economic volatility in the year ahead. If this drives down resource capacity, it will be even more critical to tightly align with the organization.

    Views business frustration with IT failure to deliver value as a pain point

    CXO 76%
    CIO 88%

    Views IT limits affecting business innovation and agility as a pain point

    CXO 81%
    CIO

    90%

    CEO-CIO Alignment Program

    Opportunities

    Define IT's value by its contributions to enterprise value

    Communicate the performance of IT to stakeholders by attributing positive changes in enterprise value to IT initiatives. For example, if a digital channel helped increase sales in one area, then IT can claim some portion of that revenue. If optimization of another process resulted in cost savings, then IT can claim that as a contribution toward the bottom line. CIOs should develop their handle on how KPIs influence revenues and costs. Keeping tabs on normalized year-over-year revenue comparisons can help demonstrate that IT contributions are making an impact on driving profitability.

    Go with buy versus build if it's a commodity service

    Most back-office functions common to operating a company can be provided by cloud-based applications accessed through a web browser. There's no value in having IT spend time maintaining on-premises applications that require hosting and ongoing maintenance. Organizations that are still accruing technical debt and are unable to modernize will increasingly find it is negatively impacting employee experience, as users expect their working experience to be similar to their experience with consumer applications. In addition, IT will continue to have capacity challenges as resources will be consumed by maintenance. As they seek to outsource some applications, IT will need to consider the geopolitical risk of certain jurisdictions in selecting a provider.

    Redefine how employee performance is tracked

    The concept of "clocking in" for a shift and spending eight hours a day on the job doesn't help guide IT toward its objectives or create any higher sense of purpose. Leaders must work to create a true sense of accountability by reaching consensus on what key performance indicators are important and tasking staff to improve them. Metrics should clearly link back to business outcomes and IT should understand the role they play in delivering a good customer experience.

    Risks

    Lack of talent available to drive transformation

    CIOs are finding it difficult to hire the talent needed to create the capacity they need as digital demands of their organizations increase. This could slow the pace of change as new positions created in IT go unfilled. CIOs may need to consider reskilling and rebalancing workloads of existing staff in the short term and tap outsourcing providers to help make up shortfalls.

    Resistance to change

    New processes may have been given the official rubber stamp, but that doesn't mean staff are adhering to them. Organizations that reorganize themselves must take steps to audit their processes to ensure they're executed the way they intend. Some employees may feel they are being made obsolete or pushed out of their jobs and become disengaged.

    Short-term increased costs

    Restructuring the organization can come with the need for new tools and more training. It may be necessary to operate with redundant staff for the transitional period. Some additional expenses might be incurred for a brief period as the new structure is being put in place.

    Emphasize the value of IT in driving revenue

    Salman Ali, CIO, McDonald's Germany

    As the new CIO to McDonald's Germany, Salman Ali came on board with an early mandate to reorganize the IT department. The challenge is to merge two organizations together: one that delivers core technology services of infrastructure, security, service desk, and compliance and one that delivers customer-facing technology such as in-store touchscreen kiosks and the mobile app for food delivery. He is looking to organize this new-look department around the technology in the hands of both McDonald's staff and its customers. In conversations with his stakeholders, Ali emphasizes the value that IT is driving rather than discussing the costs that go into it. For example, there was a huge cost in integrating third-party meal delivery apps into the point-of-sales system, but the seamless experience it delivers to customers looking to place an order helps to drive a large volume of sales. He plans to reorganize his department around this value-driven approach. The organization model will be executed with clear accountability in place and key performance indicators to measure success.

    "Technology is no longer just an enabler. It's now a strategic business function. When they talk about digital, they are really talking about what's in the customers' hands and what do they use to interact with the business directly? Digital transformation has given technology a new front seat that's really driving the business."

    CASE STUDY
    Overhauling the "heartbeat" of the organization

    Ernest Solomon, Former CIO, LAWPRO

    LAWPRO is a provider of professional liability insurance and title insurance in Canada. The firm is moving its back-office applications from a build approach to a buy approach and focusing its build efforts on customer-facing systems tied to revenue generation. CIO Ernest Solomon says his team has been developing on a legacy platform for two decades, but it's time to modernize. The firm is replacing its legacy platform and moving to a cloud-based system to address technical debt and improve the experience for staff and customers. The claims and policy management platform, the "heartbeat" of the organization, is moving to a software-as-a-service model. At the same time, the firm's customer-facing Title Plus application is being moved to a cloud-native, serverless architecture. Solomon doesn't see the need for IT to spend time building services for the back office, as that doesn't align with the mission of the organization. Instead, he focuses his build efforts on creating a competitive advantage.

    "We're redefining the customer experience, which is how do we move the needle in a positive direction for all the lawyers that interact with us? How do we generate that value-based proposition and improve their interactions with our organization?"

    From priorities to action

    Go deeper on pursuing your priorities by improving the associated capabilities.

    Improve Enterprise Application Selection & Implementation

    Help leaders manage their teams effectively in a hybrid environment by providing them with the right tools and tactics to manage the challenges of hybrid work. Focus on promoting teamwork and fostering connection.

    Embrace Business-Managed Applications

    Improve Performance Measurement

    Drive the most important IT process in the eyes of supervisors by defining business value and linking IT spend to it. Make benefits realization part of your IT governance.

    Maximize Business Value From IT Through Benefits Realization

    Improve IT Organizational Design

    Showcase IT's value to the business by aligning IT spending and staffing to business functions. Provide transparency into business consumption of IT and compare your spending to your peers'.

    IT Spend & Staffing Benchmarking

    The Five Priorities

    Engage cross-functional leadership to seize opportunity while protecting the organization from volatility.

    1. Adjust IT operations to manage for inflation
    2. Prepare your data pipeline to train AI
    3. Go all in on zero-trust security
    4. Engage employees in the digital age
    5. Shape the IT organization to improve customer experience

    Expert Contributors

    In order of appearance

    Denise Cornish, Associate VP of IT and Deputy COO, Western University of Health Sciences

    Jim Love, CIO, IT World Canada

    Christian Magsisi, Vice President of Venue and Digital Technology, MLSE

    Humza Teherany, Chief Technology Officer, MLSE

    Serge Suponitskiy, CIO, Brosnan Risk Consultants

    David Senf, National Cybersecurity Strategist, Bell

    Roberto Eberhardt, CIO, Ontario Legislative Assembly

    Mike Russell, Virginia Community College System

    Salman Ali, CIO, McDonald's Germany

    Ernest Solomon, Former CIO, LAWPRO

    Bibliography

    Anderson, Brad, and Seth Patton. "In a Hybrid World, Your Tech Defines Employee Experience." Harvard Business Review, 18 Feb. 2022. Accessed 12 Dec. 2022.
    "Artificial Intelligence Is Permeating Business at Last." The Economist, 6 Dec. 2022. Accessed 12 Dec. 2022.
    Badlani, Danesh Kumar, and Adrian Diglio. "Microsoft Open Sources Its Software Bill
    of Materials (SBOM) Generation Tool." Engineering@Microsoft, 12 July 2022. Accessed
    12 Dec. 2022.
    Birch, Martin. "Council Post: Equipping Employees To Succeed In Digital Transformation." Forbes, 9 Aug. 2022. Accessed 7 Dec. 2022.
    Bishop, Katie. "Is Remote Work Worse for Wellbeing than People Think?" BBC News,
    17 June 2022. Accessed 7 Dec. 2022.
    Carlson, Brian. "Top 5 Priorities, Challenges For CIOs To Recession-Proof Their Business." The Customer Data Platform Resource, 19 July 2022. Accessed 7 Dec. 2022.
    "CIO Priorities: 2020 vs 2023." IT PRO, 23 Sept. 2022. Accessed 2 Nov. 2022.
    cyberinsiders. "Frictionless Zero Trust Security - How Minimizing Friction Can Lower Risks and Boost ROI." Cybersecurity Insiders, 9 Sept. 2021. Accessed 7 Dec. 2022.
    Garg, Sampak P. "Top 5 Regulatory Reasons for Implementing Zero Trust."
    CSO Online, 27 Oct. 2022. Accessed 7 Dec. 2022.
    Heikkilä, Melissa. "The Viral AI Avatar App Lensa Undressed Me—without My Consent." MIT Technology Review, 12 Dec. 2022. Accessed 12 Dec. 2022.
    Jackson, Brian. "How the Toronto Raptors Operate as the NBA's Most Data-Driven Team." Spiceworks, 1 Dec. 2022. Accessed 12 Dec. 2022.
    Kiss, Michelle. "How the Digital Age Has Transformed Employee Engagement." Spiceworks,16 Dec. 2021. Accessed 7 Dec. 2022.
    Matthews, David. "EU Hopes to Build Aligned Guidelines on Artificial Intelligence with US." Science|Business, 22 Nov. 2022. Accessed 12 Dec. 2022.
    Maxim, Merritt. "New Security & Risk Planning Guide Helps CISOs Set 2023 Priorities." Forrester, 23 Aug. 2022. Accessed 7 Dec. 2022.
    Miller, Michael J. "Gartner Surveys Show Changing CEO and Board Concerns Are Driving a Different CIO Agenda for 2023." PCMag, 20 Oct. 2022. Accessed 2 Nov. 2022.
    MIT Lincoln Laboratory. "Overview of Zero Trust Architectures." YouTube,
    2 March 2022. Accessed 7 Dec. 2022.
    MIT Technology Review Insights. "CIO Vision 2025: Bridging the Gap between BI and AI." MIT Technology Review, 20 Sept. 2022. Accessed 1 Nov. 2022.
    Paramita, Ghosh. "Data Architecture Trends in 2022." DATAVERSITY, 22 Feb. 2022. Accessed 7 Dec. 2022.
    Rosenbush, Steven. "Cybersecurity Tops the CIO Agenda as Threats Continue to Escalate - WSJ." The Wall Street Journal, 17 Oct. 2022. Accessed 2 Nov. 2022.
    Sacolick, Isaac. "What's in the Budget? 7 Investments for CIOs to Prioritize." StarCIO,
    22 Aug. 2022. Accessed 2 Nov. 2022.
    Singh, Yuvika. "Digital Culture-A Hurdle or A Catalyst in Employee Engagement." International Journal of Management Studies, vol. 6, Jan. 2019, pp. 54–60. ResearchGate, https://doi.org/10.18843/ijms/v6i1(8)/08.
    "Talent War Set to Become Top Priority for CIOs in 2023, Study Reveals." CEO.digital,
    8 Sept. 2022. Accessed 7 Dec. 2022.
    Tanaka, Rodney. "WesternU COMP and COMP-Northwest Named Apple Distinguished School." WesternU News. 10 Feb. 2022. Accessed 12 Dec. 2022.
    Wadhwani, Sumeet. "Meta's New Large Language Model Galactica Pulled Down Three Days After Launch." Spiceworks, 22 Nov. 2022. Accessed 12 Dec. 2022.
    "World Economic Outlook." International Monetary Fund (IMF), 11 Oct. 2022. Accessed
    14 Dec. 2022.

    Accelerate Digital Transformation With a Digital Factory

    • Buy Link or Shortcode: {j2store}93|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $50,000 Average $ Saved
    • member rating average days saved: 20 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Organizational challenges are hampering digital transformation (DX) initiatives.
    • The organization’s existing digital factory is failing to deliver value.
    • Designing a successful digital factory is a difficult process.

    Our Advice

    Critical Insight

    To remain competitive, enterprises must deliver products and services like a startup or a digital native enterprise. This requires enterprises to:

    • Understand how digital native enterprises are designed.
    • Understand the foundations of good design: purpose, organizational support, and leadership.
    • Understand the design of the operating model: structure and organization, management practices, culture, environment, teams, technology platforms, and meaningful metrics and KPIs.

    Impact and Result

    Organizations that implement this project will draw benefits in the following aspects:

    • Gain awareness and understanding of various aspects that hamper DX.
    • Set the right foundations by having clarity of purpose, alignment on organizational support, and the right leadership in place.
    • Design an optimal operating model by setting up the right organizational structures, management practices, lean and optimal governance, agile teams, and an environment that promotes productivity and wellbeing.
    • Finally, set the right measures and KPIs.

    Accelerate Digital Transformation With a Digital Factory Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to understand the importance of a well-designed digital factory.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the case

    Collect data and stats that will help build a narrative for digital factory.

    • Digital Factory Playbook

    2. Lay the foundation

    Discuss purpose, mission, organizational support, and leadership.

    3. Design the operating model

    Discuss organizational structure, management, culture, teams, environment, technology, and KPIs.

    [infographic]

    Workshop: Accelerate Digital Transformation With a Digital Factory

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build the case

    The Purpose

    Understand and gather data and stats for factors impacting digital transformation.

    Develop a narrative for the digital factory.

    Key Benefits Achieved

    Identification of key pain points and data collected

    Narrative to support the digital factory

    Activities

    1.1 Understand the importance and urgency of digital transformation (DX).

    1.2 Collect data and stats on the progress of DX initiatives.

    1.3 Identify the factors that hamper DX and tie them to data/stats.

    1.4 Build the narrative for the digital factory (DF) using the data/stats.

    Outputs

    Identification of factors that hamper DX

    Data and stats on progress of DX

    Narrative for the digital factory

    2 Lay the foundation

    The Purpose

    Discuss the factors that impact the success of establishing a digital factory.

    Key Benefits Achieved

    A solid understanding and awareness that successful digital factories have clarity of purpose, organizational support, and sound leadership.

    Activities

    2.1 Discuss

    2.2 Discuss what organizational support the digital factory will require and align and commit to it.

    2.3 Discuss reference models to understand the dynamics and the strategic investment.

    2.4 Discuss leadership for the digital age.

    Outputs

    DF purpose and mission statements

    Alignment and commitment on organizational support

    Understanding of competitive dynamics and investment spread

    Develop the profile of a digital leader

    3 Design the operating model (part 1)

    The Purpose

    Understand the fundamentals of the operating model.

    Understand the gaps and formulate the strategies.

    Key Benefits Achieved

    Design of structure and organization

    Design of culture aligned with organizational goals

    Management practices aligned with the goals of the digital factory

    Activities

    3.1 Discuss structure and organization and associated organizational pathologies, with focus on hierarchy and silos, size and complexity, and project-centered mindset.

    3.2 Discuss the importance of culture and its impact on productivity and what shifts will be required.

    3.3 Discuss management for the digital factory, with focus on governance, rewards and compensation, and talent management.

    Outputs

    Organizational design in the context of identified pathologies

    Cultural design for the DF

    Management practices and governance for the digital factory

    Roles/responsibilities for governance

    4 Design the operating model (part 2)

    The Purpose

    Understand the fundamentals of the operating model.

    Understand the gaps and formulate the strategies.

    Key Benefits Achieved

    Discuss agile teams and the roles for DF

    Environment design that supports productivity

    Understanding of existing and new platforms

    Activities

    4.1 Discuss teams and various roles for the DF.

    4.2 Discuss the impact of the environment on productivity and satisfaction and discuss design factors.

    4.3 Discuss technology and tools, focusing on existing and future platforms, platform components, and organization.

    4.4 Discuss design of meaningful metrics and KPIs.

    Outputs

    Roles for DF teams

    Environment design factors

    Platforms and technology components

    Meaningful metrics and KPIs

    Customer Value Contribution

    I'm proud to announce our new Customer Value Contribution Calculator©, or CVCC© in short.

    It enhances and possibly replaces the BIA (Business Impact Analysis) process with a much simpler way.

    More info to follow shortly.

    The Essential COVID-19 Childcare Policy for Every Organization, Yesterday

    • Buy Link or Shortcode: {j2store}598|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Manage & Coach
    • Parent Category Link: /manage-coach
    • Helping employees navigate personal and business responsibilities to find solutions that ensure both are taken care of.
    • Reducing potential disruption to business operations through employee absenteeism due to increased care-provider responsibilities.

    Our Advice

    Critical Insight

    • Remote work is complicated by children at home with school closures. Implement alternative temporary work arrangements that allow and support employees to balance work and personal obligations.
    • Adjustments to work arrangements and pay may be necessary. Temporary work arrangements while caring for dependents over a longer-term pandemic may require adjustments to the duties carried out, number of hours worked, and adjustments to employee pay.
    • Managing remotely is more than staying in touch by phone. As a leader you will need to provide clear options that provide solutions to your employees to avoid them getting overwhelmed while taking care of the business to ensure there is a business long term.

    Impact and Result

    • Develop a policy that provides parameters around mutually agreed adjustments to performance levels while balancing dependent care with work during a pandemic.
    • Take care of the business through clear guidelines on compensation while taking care of the health and wellness of your people.
    • Develop detailed work-from-home plans that lessen disruption to your work while taking care of children or aged parents.

    The Essential COVID-19 Childcare Policy for Every Organization, Yesterday Research & Tools

    Start here. Read The Essential COVID-19 Childcare Policy for Every Organization, Yesterday

    Read our recommendations and follow the steps to develop a policy that will help your employees work productively while managing care-provider responsibilities at home.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • The Essential COVID-19 Childcare Policy for Every Organization, Yesterday Storyboard
    • Pandemic Dependent Care Policy
    • COVID-19 Dependent Care Policy Manager Action Toolkit
    • COVID-19 Dependent Care Policy Employee Guide
    • Dependent-Flextime Agreement Template
    • Workforce Planning Tool
    • Nine Ways to Support Working Caregivers Today
    • Employee Resource Group (ERG) Charter Template
    [infographic]

    Applications Priorities 2022

    • Buy Link or Shortcode: {j2store}183|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy

    There is always more work than hours in the day. IT often feels understaffed and doesn’t know how to get it all done. Trying to satisfy all the requests results in everyone getting a small piece of the pie and in users being dissatisfied.

    Our Advice

    Critical Insight

    Focusing on one initiative will allow leaders to move the needle on what is important.

    Impact and Result

    Focus on the big picture, leveraging Info-Tech’s blueprints. By increasing maturity and efficiency, IT staff can spend more time on value-added activities.

    Applications Priorities 2022 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Applications Priorities 2022 – A deck that discusses the five priorities we are seeing among Applications leaders.

    There is always more work than hours in the day. IT often feels understaffed and doesn’t know how to get it all done. Trying to satisfy all the requests results in everyone getting a small piece of the pie and in users being dissatisfied. Use Info-Tech's Applications Priorities 2022 to learn about the five initiatives that IT should prioritize for the coming year.

    • Applications Priorities Report for 2022
    [infographic]

    Build a Data Classification MVP for M365

    • Buy Link or Shortcode: {j2store}67|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications
    • Resources are the primary obstacle to getting a foot hold in O365 governance, whether it is funding or FTE resources.
    • Data is segmented and is difficult to analyze when you can’t see it or manage the relationships between sources.
    • Organizations expect results early and quickly and a common obstacle is that building a proper data classification framework can take more than two years and the business can't wait that long.

    Our Advice

    Critical Insight

    • Data classification is the lynchpin to ANY effective governance of O/M365 and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model.
    • Start your journey by identifying what and where your data is and how much data you have. You need to understand what sensitive data you have and where it is stored before you can protect it or govern that data.
    • Ensure there is a high-level leader who is the champion of the governance objective.

    Impact and Result

    • Using least complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.

    Build a Data Classification MVP for M365 Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Data Classification MVP for M365 Deck – A guide for how to build a minimum-viable product for data classification that end users will actually use.

    Discover where your data resides, what governance helps you do, and what types of data you're classifying. Then build your data and security protection baselines for your retention policy, sensitivity labels, workload containers, and both forced and unforced policies.

    • Build a Data Classification MVP for M365 Storyboard
    [infographic]

    Further reading

    Build a Data Classification MVP for M365

    Kickstart your governance with data classification users will actually use!

    Executive Summary

    Info-Tech Insight

    • Creating an MVP gets you started in data governance
      Information protection and governance are not something you do once and then you are done. It is a constant process where you start with the basics (a minimum-viable product or MVP) and enhance your schema over time. The objective of the MVP is reducing obstacles to establishing an initial governance position, and then enabling rapid development of the solution to address a variety of real risks, including data loss prevention (DLP), data retention, legal holds, and data labeling.
    • Define your information and protection strategy
      The initial strategy is to start looking across your organization and identifying your customer data, regulatory data, and sensitive information. To have a successful data protection strategy you will include lifecycle management, risk management, data protection policies, and DLP. All key stakeholders need to be kept in the loop. Ensure you keep track of all available data and conduct a risk analysis early. Remember, data is your highest valued intangible asset.
    • Planning and resourcing are central to getting started on MVP
      A governance plan and governance decisions are your initial focus. Create a team of stakeholders that include IT and business leaders (including Legal, Finance, HR, and Risk), and ensure there is a top-level leader who is the champion of the governance objective, which is to ensure your data is safe, secure, and not prone to leakage or theft, and maintain confidentiality where it is warranted.

    Executive Summary

    Your Challenge
    • Today, the amount of data companies are gathering is growing at an explosive rate. New tools are enabling unforeseen channels and ways of collaborating.
    • Combined with increased regulatory oversight and reporting obligations, this makes the discovery and management of data a massive undertaking. IT can’t find and protect the data when the business has difficulty defining its data.
    • The challenge is to build a framework that can easily categorize and classify data yet allows for sufficient regulatory compliance and granularity to be useful. Also, to do it now because tomorrow is too late.
    Common Obstacles

    Data governance has several obstacles that impact a successful launch, especially if governing M365 is not a planned strategy. Below are some of the more common obstacles:

    • Resources are the primary obstacle to starting O365 governance, whether it is funding or people.
    • Data is segmented and is difficult to analyze when you can’t see it or manage the relationships between sources.
    • Organizations expect results early and quickly and a common obstacle is that building a "proper data classification framework” is a 2+ year project and the business can't wait that long.
    Info-Tech’s Approach
    • Start with the basics: build a minimum-viable product (MVP) to get started on the path to sustainable governance.
    • Identify what and where your data resides, how much data you have, and understand what sensitive data needs to be protected.
    • Create your team of stakeholders, including Legal, records managers, and privacy officers. Remember, they own the data and should manage it.
    • Categorization comes before classification, and discovery comes before categorization. Use easy-to-understand terms like high, medium, or low risk.

    Info-Tech Insight

    Data classification is the lynchpin to any effective governance of O/M365 and your objective is to navigate through this easily and effectively and build a robust, secure, and viable governance model. Start your journey by identifying what and where your data is and how much data do you have. You need to understand what sensitive data you have and where it is stored before you can protect or govern it. Ensure there is a high-level leader who is the champion of the governance objectives. Data classification fulfills the governance objectives of risk mitigation, governance and compliance, efficiency and optimization, and analytics.

    Questions you need to ask

    Four key questions to kick off your MVP.

    1

    Know Your Data

    Do you know where your critical and sensitive data resides and what is being done with it?

    Trying to understand where your information is can be a significant project.

    2

    Protect Your Data

    Do you have control of your data as it traverses across the organization and externally to partners?

    You want to protect information wherever it goes through encryption, etc.

    3

    Prevent Data Loss

    Are you able to detect unsafe activities that prevent sharing of sensitive information?

    Data loss prevention (DLP) is the practice of detecting and preventing data breaches, exfiltration, or unwanted destruction of sensitive data.

    4

    Govern Your Data

    Are you using multiple solutions (or any) to classify, label, and protect sensitive data?

    Many organizations use more than one solution to protect and govern their data, making it difficult to determine if there are any coverage gaps.

    Classification tiers

    Build your schema.

    Pyramid visualization for classification tiers. The top represents 'Simplicity', and the bottom 'Complexity' with the length of the sides at each level representing the '# of policies' and '# of labels'. At the top level is 'MVP (Minimum-Viable Product) - Confidential, Internal (Subcategory: Personal), Public'. At the middle level is 'Regulated - Highly Confidential, Confidential, Sensitive, General, Internal, Restricted, Personal, Sub-Private, Public'. And a the bottom level is 'Government (DOD) - Top Secret (TS), Secret, Confidential, Restricted, Official, Unclassified, Clearance'

    Info-Tech Insight

    Deciding on how granular you go into data classification will chiefly be governed by what industry you are in and your regulatory obligations – the more highly regulated your industry, the more classification levels you will be mandated to enforce. The more complexity you introduce into your organization, the more operational overhead both in cost and resources you will have to endure and build.

    Microsoft MIP Topology

    Microsoft Information Protection (MIP), which is Microsoft’s Data Classification Services, is the key to achieving your governance goals. Without an MVP, data classification will be overwhelming; simplifying is the first step in achieving governance.

    A diagram of multiple offerings all connected to 'MIP Data Classification Service'. Circled is 'Sensitivity Labels' with an arrow pointing back to 'MIP' at the center.
    (Source: Microsoft, “Microsoft Purview compliance portal”)

    Info-Tech Insight

    Using least-complex sensitivity labels in your classification are your building blocks to compliance and security in your data management schema; they are your foundational steps.

    MVP RACI Chart

    Data governance is a "takes a whole village" kind of effort.

    Clarify who is expected to do what with a RACI chart.

    End User M365 Administrator Security/ Compliance Data Owner
    Define classification divisions R A
    Appy classification label to data – at point of creation A R
    Apply classification label to data – legacy items R A
    Map classification divisions to relevant policies R A
    Define governance objectives R A
    Backup R A
    Retention R A
    Establish minimum baseline A R

    What and where your data resides

    Data types that require classification.

    Logos for 'Microsoft', 'Office 365', and icons for each program included in that package.
    M365 Workload Containers
    Icon for MS Exchange. Icon for MS SharePoint.Icon for MS Teams. Icon for MS OneDrive. Icon for MS Project Online.
    Email
    • Attachments
    Site Collections, Sites Sites Project Databases
    Contacts Teams and Group Site Collections, Sites Libraries and Lists Sites
    Metadata Libraries and Lists Documents
    • Versions
    Libraries and Lists
    Teams Conversations Documents
    • Versions
    Metadata Documents
    • Versions
    Teams Chats Metadata Permissions
    • Internal Sharing
    • External Sharing
    Metadata
    Permissions
    • Internal Sharing
    • External Sharing
    Files Shared via Teams Chats Permissions
    • Internal Sharing
    • External Sharing

    Info-Tech Insight

    Knowing where your data resides will ensure you do not miss any applicable data that needs to be classified. These are examples of the workload containers; you may have others.

    Discover and classify on- premises files using AIP

    AIP helps you manage sensitive data prior to migrating to Office 365:
    • Use discover mode to identify and report on files containing sensitive data.
    • Use enforce mode to automatically classify, label, and protect files with sensitive data.
    Can be configured to scan:
    • SMB files
    • SharePoint Server 2016, 2013
    Stock image of a laptop uploading to the cloud with a padlock and key in front of it.
    • Map your network and find over-exposed file shares.
    • Protect files using MIP encryption.
    • Inspect the content in file repositories and discover sensitive information.
    • Classify and label file per MIP policy.
    Azure Information Protection scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data. Discover mode helps you identify and report on files containing sensitive data (Microsoft Inside Track and CIAOPS, 2022). Enforce mode automatically classifies, labels, and protects files with sensitive data.

    Info-Tech Insight

    Any asset deployed to the cloud must have approved data classification. Enforcing this policy is a must to control your data.

    Understanding governance

    Microsoft Information Governance

    Information Governance
    • Retention policies for workloads
    • Inactive and archive mailboxes

    Arrow pointing down-right

    Records Management
    • Retention labels for items
    • Disposition review

    Arrow pointing down-left

    Retention and Deletion

    ‹——— Connectors for Third-Party Data ———›

    Information governance manages your content lifecycle using solutions to import, store, and classify business-critical data so you can keep what you need and delete what you do not. Backup should not be used as a retention methodology since information governance is managed as a “living entity” and backup is a stored information block that is “suspended in time.” Records management uses intelligent classification to automate and simplify the retention schedule for regulatory, legal, and business-critical records in your organization. It is for that discrete set of content that needs to be immutable.
    (Source: Microsoft, “Microsoft Purview compliance portal”)

    Retention and backup policy decision

    Retention is not backup.

    Info-Tech Insight

    Retention is not backup. Retention means something different: “the content must be available for discovery and legal document production while being able to defend its provenance, chain of custody, and its deletion or destruction” (AvePoint Blog, 2021).

    Microsoft Responsibility (Microsoft Protection) Weeks to Months Customer Responsibility (DLP, Backup, Retention Policy) Months to Years
    Loss of service due to natural disaster or data center outage Loss of data due to departing employees or deactivated accounts
    Loss of service due to hardware or infrastructure failure Loss of data due to malicious insiders or hackers deleting content
    Short-term (30 days) user error with recycle bin/ version history (including OneDrive “File Restore”) Loss of data due to malware or ransomware
    Short-term (14 days) administrative error with soft- delete for groups, mailboxes, or service-led rollback Recovery from prolonged outages
    Long-term accidental deletion coverage with selective rollback

    Understand retention policy

    What are retention policies used for? Why you need them as part of your MVP?

    Do not confuse retention labels and policies with backup.

    Remember: “retention [policies are] auto-applied whereas retention label policies are only applied if the content is tagged with the associated retention label” (AvePoint Blog, 2021).

    E-discovery tool retention policies are not turned on automatically.

    Retention policies are not a backup tool – when you activate this feature you are unable to delete anyone.

    “Data retention policy tools enable a business to:

    • “Decide proactively whether to retain content, delete content, or retain and then delete the content when needed.
    • “Apply a policy to all content or just content meeting certain conditions, such as items with specific keywords or specific types of sensitive information.
    • “Apply a single policy to the entire organization or specific locations or users.
    • “Maintain discoverability of content for lawyers and auditors, while protecting it from change or access by other users. […] ‘Retention Policies’ are different than ‘Retention Label Policies’ – they do the same thing – but a retention policy is auto-applied, whereas retention label policies are only applied if the content is tagged with the associated retention label.

    “It is also important to remember that ‘Retention Label Policies’ do not move a copy of the content to the ‘Preservation Holds’ folder until the content under policy is changed next.” (Source: AvePoint Blog, 2021)

    Definitions

    Data classification is a focused term used in the fields of cybersecurity and information governance to describe the process of identifying, categorizing, and protecting content according to its sensitivity or impact level. In its most basic form, data classification is a means of protecting your data from unauthorized disclosure, alteration, or destruction based on how sensitive or impactful it is.

    Once data is classified, you can then create policies; sensitive data types, trainable classifiers, and sensitivity labels function as inputs to policies. Policies define behaviors, like if there will be a default label, if labeling is mandatory, what locations the label will be applied to, and under what conditions. A policy is created when you configure Microsoft 365 to publish or automatically apply sensitive information types, trainable classifiers, or labels.

    Sensitivity label policies show one or more labels to Office apps (like Outlook and Word), SharePoint sites, and Office 365 groups. Once published, users can apply the labels to protect their content.

    Data loss prevention (DLP) policies help identify and protect your organization's sensitive info (Microsoft Docs, April 2022). For example, you can set up policies to help make sure information in email and documents is not shared with the wrong people. DLP policies can use sensitive information types and retention labels to identify content containing information that might need protection.

    Retention policies and retention label policies help you keep what you want and get rid of what you do not. They also play a significant role in records management.

    Data examples for MVP classification

    • Examples of the type of data you consider to be Confidential, Internal, or Public.
    • This will help you determine what to classify and where it is.
    Internal Personal, Employment, and Job Performance Data
    • Social Security Number
    • Date of birth
    • Marital status
    • Job application data
    • Mailing address
    • Resume
    • Background checks
    • Interview notes
    • Employment contract
    • Pay rate
    • Bonuses
    • Benefits
    • Performance reviews
    • Disciplinary notes or warnings
    Confidential Information
    • Business and marketing plans
    • Company initiatives
    • Customer information and lists
    • Information relating to intellectual property
    • Invention or patent
    • Research data
    • Passwords and IT-related information
    • Information received from third parties
    • Company financial account information
    • Social Security Number
    • Payroll and personnel records
    • Health information
    • Self-restricted personal data
    • Credit card information
    Internal Data
    • Sales data
    • Website data
    • Customer information
    • Job application data
    • Financial data
    • Marketing data
    • Resource data
    Public Data
    • Press releases
    • Job descriptions
    • Marketing material intended for general public
    • Research publications

    New container sensitivity labels (MIP)

    New container sensitivity labels

    Public Private
    Privacy
    1. Membership to group is open; anyone can join
    2. “Everyone except external guest” ACL onsite; content available in search to all tenants
    1. Only owner can add members
    2. No access beyond the group membership until someone shares it or changes permissions
    Allowed Not Allowed
    External guest policy
    1. Membership to group is open; anyone can join
    2. “Everyone except external guest” ACL onsite; content available in search to all tenants
    1. Only owner can add members
    2. No access beyond the group membership until someone shares it or changes permissions

    What users will see when they create or label a Team/Group/Site

    Table of what users will see when they create or label a team/group/site highlighting 'External guest policy' and 'Privacy policy options' as referenced above.
    (Source: Microsoft, “Microsoft Purview compliance portal”)

    Info-Tech Insights

    Why you need sensitivity container labels:
    • Manage privacy of Teams Sites and M365 Groups
    • Manage external user access to SPO sites and teams
    • Manage external sharing from SPO sites
    • Manage access from unmanaged devices

    Data protection and security baselines

    Data Protection Baseline

    “Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline" (Microsoft Docs, June 2022). This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance. This baseline draws elements primarily from NIST CSF (National Institute of Standards and Technology Cybersecurity Framework) and ISO (International Organization for Standardization) as well as from FedRAMP (Federal Risk and Authorization Management Program) and GDPR (General Data Protection Regulation of the European Union).

    Security Baseline

    The final stage in M365 governance is security. You need to implement a governance policy that clearly defines storage locations for certain types of data and who has permission to access it. You need to record and track who accesses content and how they share it externally. “Part of your process should involve monitoring unusual external sharing to ensure staff only share documents that they are allowed to” (Rencore, 2021).

    Info-Tech Insights

    • Controls are already in place to set data protection policy. This assists in the MVP activities.
    • Finally, you need to set your security baseline to ensure proper permissions are in place.

    Prerequisite baseline

    Icon of crosshairs.
    Security

    MFA or SSO to access from anywhere, any device

    Banned password list

    BYOD sync with corporate network

    Icon of a group.
    Users

    Sign out inactive users automatically

    Enable guest users

    External sharing

    Block client forwarding rules

    Icon of a database.
    Resources

    Account lockout threshold

    OneDrive

    SharePoint

    Icon of gears.
    Controls

    Sensitivity labels, retention labels and policies, DLP

    Mobile application management policy

    Building baselines

    Sensitivity Profiles: Public, Internal, Confidential; Subcategory: Highly Confidential

    Microsoft 365 Collaboration Protection Profiles

    Sensitivity Public External Collaboration Internal Highly Confidential
    Description Data that is specifically prepared for public consumption Not approved for public consumption, but OK for external collaboration External collaboration highly discouraged and must be justified Data of the highest sensitivity: avoid oversharing, internal collaboration only
    Label details
    • No content marking
    • No encryption
    • Public site
    • External collaboration allowed
    • Unmanaged devices: allow full access
    • No content marking
    • No encryption
    • Private site
    • External collaboration allowed
    • Unmanaged devices: allow full access
    • Content marking
    • Encryption
    • Private site
    • External collaboration allowed but monitored
    • Unmanaged devices: limited web access
    • Content marking
    • Encryption
    • Private site
    • External collaboration disabled
    • Unmanaged devices: block access
    Teams or Site details Public Team or Site open discovery, guests are allowed Private Team or Site members are invited, guests are allowed Private Team or Site members are invited, guests are not allowed
    DLP None Warn Block

    Please Note: Global/Compliance Admins go to the 365 Groups platform, the compliance center (Purview), and Teams services (Source: Microsoft Documentation, “Microsoft Purview compliance documentation”)

    Info-Tech Insights

    • Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly.
    • Sensitivity labels are a way to classify your organization's data in a way that specifies how sensitive the data is. This helps you decrease risks in sharing information that shouldn't be accessible to anyone outside your organization or department. Applying sensitivity labels allows you to protect all your data easily.

    MVP activities

    PRIMARY
    ACTIVITIES
    Define Your Governance
    The objective of the MVP is reducing barriers to establishing an initial governance position, and then enabling rapid progression of the solution to address a variety of tangible risks, including DLP, data retention, legal holds, and labeling.
    Decide on your classification labels early.

    CATEGORIZATION





    CLASSIFICATION

    MVP
    Data Discovery and Management
    AIP (Azure Information Protection) scanner helps discover, classify, label, and protect sensitive information in on-premises file servers. You can run the scanner and get immediate insight into risks with on-premises data.
    Baseline Setup
    Building baseline profiles will be a part of your MVP. You will understand what type of information you are addressing and label it accordingly. Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline.
    Default M365 settings
    Microsoft provides a default assessment in Compliance Manager for the Microsoft 365 data protection baseline. This baseline assessment has a set of controls for key regulations and standards for data protection and general data governance.
    SUPPORT
    ACTIVITIES
    Retention Policy
    Retention policy is auto-applied. Decide whether to retain content, delete content, or retain and then delete the content.
    Sensitivity Labels
    Automatically enforce policies on groups through labels; classify groups.
    Workload Containers
    M365: SharePoint, Teams, OneDrive, and Exchange, where your data is stored for labels and policies.
    Unforced Policies
    Written policies that are not enforceable by controls in Compliance Manager such as acceptable use policy.
    Forced Policies
    Restrict sharing controls to outside organizations. Enforce prefix or suffix to group or team names.

    ACME Company MVP for M/O365

    PRIMARY
    ACTIVITIES
    Define Your Governance


    Focus on ability to use legal hold and GDPR compliance.

    CATEGORIZATION





    CLASSIFICATION

    MVP
    Data Discovery and Management


    Three classification levels (public, internal, confidential), which are applied by the user when data is created. Same three levels are used for AIP to scan legacy sources.

    Baseline Setup


    All data must at least be classified before it is uploaded to an M/O365 cloud service.

    Default M365 settings


    Turn on templates 1 8 the letter q and the number z

    SUPPORT
    ACTIVITIES
    Retention Policy


    Retention policy is auto-applied. Decide whether to retain content, delete content, or retain and then delete the content.

    Sensitivity Labels


    Automatically enforce policies on groups through labels; classify groups.

    Workload Containers


    M365: SharePoint, Teams, OneDrive, and Exchange, where your data is stored for labels and policies.

    Unforced Policies


    Written policies that are not enforceable by controls in Compliance Manager such as acceptable use policy.

    Forced Policies


    Restrict sharing controls to outside organizations. Enforce prefix or suffix to group or team names.

    Related Blueprints

    Govern Office 365

    Office 365 is as difficult to wrangle as it is valuable. Leverage best practices to produce governance outcomes aligned with your goals.

    Map your organizational goals to the administration features available in the Office 365 console. Your governance should reflect your requirements.

    Migrate to Office 365 Now

    Jumping into an Office 365 migration project without careful thought of the risks of a cloud migration will lead to project halt and interruption. Intentionally plan in order to expose risk and to develop project foresight for a smooth migration.

    Microsoft Teams Cookbook

    Remote work calls for leveraging your Office 365 license to use Microsoft Teams – but IT is unsure about best practices for governance and permissions. Moreover, IT has few resources to help train end users with Teams best practices

    IT Governance, Risk & Compliance

    Several blueprints are available on a broader topic of governance, from Make Your IT Governance Adaptable to Improve IT Governance to Drive Business Results and Build an IT Risk Management Program.

    Bibliography

    “Best practices for sharing files and folders with unauthenticated users.” Microsoft Build, 28 April 2022. Accessed 2 April 2022.

    “Build and manage assessments in Compliance Manager.” Microsoft Docs, 15 June 2022. Web.

    “Building a modern workplace with Microsoft 365.” Microsoft Inside Track, n.d. Web.

    Crane, Robert. “June 2020 Microsoft 365 Need to Know Webinar.” CIAOPS, SlideShare, 26 June 2020. Web.

    “Data Classification: Overview, Types, and Examples.” Simplilearn, 27 Dec. 2021. Accessed 11 April 2022.

    “Data loss prevention in Exchange Online.” Microsoft Docs, 19 April 2022. Web.

    Davies, Nahla. “5 Common Data Governance Challenges (and How to Overcome Them).” Dataversity. 25 October 2021. Accessed 5 April 2022.

    “Default labels and policies to protect your data.” Microsoft Build, April 2022. Accessed 3 April 2022.

    M., Peter. "Guide: The difference between Microsoft Backup and Retention." AvePoint Blog, 9 Oct. 2021. Accessed 4 April 2022.

    Meyer, Guillaume. “Sensitivity Labels: What They Are, Why You Need Them, and How to Apply Them.” nBold, 6 October 2021. Accessed 2 April 2022.

    “Microsoft 365 guidance for security & compliance.” Microsoft, 27 April 2022. Accessed 28 April 2022.

    “Microsoft Purview compliance portal.” Microsoft, 19 April 2022. Accessed 22 April 2022.

    “Microsoft Purview compliance documentation.” Microsoft, n.d. Accessed 22 April 2022.

    “Microsoft Trust Center: Products and services that run on trust.” Microsoft, 2022. Accessed 3 April 2022.

    “Protect your sensitive data with Microsoft Purview.” Microsoft Build, April 2022. Accessed 3 April 2022.

    Zimmergren, Tobias. “4 steps to successful cloud governance in Office 365.” Rencore, 9 Sept. 2021. Accessed 5 April 2022.

    Recruit and Retain People of Color in IT

    • Buy Link or Shortcode: {j2store}546|cart{/j2store}
    • member rating overall impact (scale of 10): 9.7/10 Overall Impact
    • member rating average dollars saved: $19,184 Average $ Saved
    • member rating average days saved: 21 Average Days Saved
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • Organizations have been trying to promote equality for many years. Diversity and inclusion strategies and a myriad of programs have been implemented in companies across the world. Despite the attempts, many organizations still struggle to ensure that their workforce is representative of the populations they support or want to support.
    • IT brings another twist. Many IT companies and departments are based on the culture of white males, and underrepresented ethnic communities find it more of a challenge to fit in.
    • This sometimes means that talented minorities are less incentivized to join or stay in technology.

    Our Advice

    Critical Insight

    • Diversity and inclusion cannot be a one-time campaign or a one-off initiative.
    • For real change to happen, every leader needs to internalize the value of creating and retaining diverse teams.

    Impact and Result

    • To stay competitive, IT leaders need to be more involved and commit to a plan to recruit and retain people of color in their departments and organizations. A diverse team is an answer to innovation that can differentiate your company.
    • Treat recruiting and retaining a diverse team as a business challenge that requires full engagement. Info-Tech offers a targeted solution that will help IT leaders build a plan to attract, recruit, engage, and retain people of color.

    Recruit and Retain People of Color in IT Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should recruit and retain people of color in your IT department or organization, review Info-Tech’s methodology, and understand the ways we can support you in this endeavor.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Recruit people of color in IT

    Diverse teams are necessary to foster creativity and guide business strategies. Overcome limitations by recruiting people of color and creating a diverse workforce.

    • Recruit and Retain People of Color in IT – Phase 1: Recruit People of Color in IT
    • Support Plan
    • IT Behavioral Interview Question Library

    2. Retain people of color in IT

    Underrepresented employees benefit from an expansive culture. Create an inclusive environment and retain people of color and promote value within your organization.

    • Recruit and Retain People of Color in IT – Phase 2: Retain People of Color in IT

    Infographic

    Workshop: Recruit and Retain People of Color in IT

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Setting the Stage

    The Purpose

    Introduce challenges and concerns around recruiting and retaining people of color.

    Key Benefits Achieved

    Gain a sense of direction.

    Activities

    1.1 Introduction to diversity conversations.

    1.2 Assess areas to focus on and determine what is right, wrong, missing, and confusing.

    1.3 Obtain feedback from your team about the benefits of working at your organization.

    1.4 Establish your employee value proposition (EVP).

    1.5 Discuss and establish your recruitment goals.

    Outputs

    Current State Analysis

    Right, Wrong, Missing, Confusing Quadrant

    Draft EVP

    Recruitment Goals

    2 Refine Your Recruitment Process

    The Purpose

    Identify areas in your current recruitment process that are preventing you from hiring people of color.

    Establish a plan to make improvements.

    Key Benefits Achieved

    Optimized recruitment process

    Activities

    2.1 Brainstorm and research community partners.

    2.2 Review current job descriptions and equity statement.

    2.3 Update job description template and equity statement.

    2.4 Set team structure for interview and assessment.

    2.5 Identify decision-making structure.

    Outputs

    List of community partners

    Updated job description template

    Updated equity statement

    Interview and assessment structure

    Behavioral Question Library

    3 Culture and Management

    The Purpose

    Create a plan for an inclusive culture where your managers are supported.

    Key Benefits Achieved

    Awareness of how to better support employees of color.

    Activities

    3.1 Discuss engagement and belonging.

    3.2 Augment your onboarding materials.

    3.3 Create an inclusive culture plan.

    3.4 Determine how to support your management team.

    Outputs

    List of onboarding content

    Inclusive culture plan

    Management support plan

    4 Close the Loop

    The Purpose

    Establish mechanisms to gain feedback from your employees and act on them.

    Key Benefits Achieved

    Finalize the plan to create your diverse and inclusive workforce.

    Activities

    4.1 Ask and listen: determine what to ask your employees.

    4.2 Create your roadmap.

    4.3 Wrap-up and next steps.

    Outputs

    List of survey questions

    Roadmap

    Completed support plan

    Accelerate Business Growth and Valuation by Building Brand Awareness

    • Buy Link or Shortcode: {j2store}569|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions

    Brands that fail to invest in brand awareness are likely to face some, if not all these problems:

    • Lack of brand visibility and recognition
    • Inability to reach and engage with the buyers
    • Difficulties generating and converting leads
    • Low customer retention rate
    • Inability to justify higher pricing
    • Limited brand equity, business valuation, and sustainability

    Our Advice

    Critical Insight

    Awareness brings visibility and traction to brands, which is essential in taking the market leadership position and becoming the trusted brand that buyers think of first.

    Brand awareness also significantly contributes to increasing brand equity, market valuation, and business sustainability.

    Impact and Result

    Building brand awareness allows for the increase of:

    • Brand visibility, perception, recognition, and reputation
    • Interactions and engagement with the target audience
    • Digital advertising performance and ROI
    • Conversion rates and sales wins
    • Revenue and profitability
    • Market share & share of voice (SOV)
    • Talents, partners, and investors attraction and retention
    • Brand equity, business growth, and market valuation

    Accelerate Business Growth and Valuation by Building Brand Awareness Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Accelerate Business Growth and Valuation by Building Brand Awareness Storyboard - Learn how to establish the brand foundation, create assets and workflows, and deploy effective brand awareness strategies and tactics.

    A two-step approach to building brand awareness, starting with defining the brand foundations and then implementing effective brand awareness strategies and tactics.

    • Accelerate Business Growth and Valuation by Building Brand Awareness Storyboard

    2. Define Brand's Personality and Message - Analyze your target market and develop key elements of your brand guidelines.

    With this set of tools, you will be able to capture and analyze your target market, your buyers and their journeys, define your brand's values, personality, and voice, and develop all the key elements of your brand guidelines to enable people within your organization and external resources to build a consistent and recognizable image across all assets and platforms.

    • Market Analysis Template
    • Brand Recognition Survey and Interview Questionnaire and List Template
    • External and Internal Factors Analysis Template
    • Buyer Personas and Journey Presentation Template
    • Brand Purpose, Mission, Vision, and Values Template
    • Brand Value Proposition and Positioning Statement
    • Brand Voice Guidelines Template
    • Writing Style Guide Template
    • Brand Messaging Template
    • Writer Checklist

    3. Start Building Brand Awareness - Achieve strategic alignment.

    These tools will allow you to achieve strategic alignment and readiness, create assets and workflows, deploy tactics, establish Key Performance Indicators (KPIs), and monitor and optimize your strategy on an ongoing basis.

    • Brand Awareness Strategy and Tactics Template
    • Asset Creation and Management List
    • Campaign Workflows Template
    • Brand Awareness Strategy Rollout Plan Template
    • Survey Emails Best Practices Guidelines

    Infographic

    Further reading

    Accelerate Business Growth and Valuation By Building Brand Awareness

    Develop and deploy comprehensive, multi-touchpoint brand awareness strategies to become the trusted brand that buyers think of first.

    EXECUTIVE BRIEF

    Analyst perspective

    Building brand awareness

    Achieving high brand awareness in a given market and becoming the benchmark for buyers

    is what every brand wants to achieve, as it is a guarantee of success. Building brand awareness,

    even though its immediate benefits are often difficult to see and measure, is essential for companies that want to stand out from their competitors and continue to grow in a sustainable way. The return on investment (ROI) may take longer, but the benefits are also greater than those achieved through short-term initiatives with the expectation of immediate, albeit often limited, results.

    Brands that are familiar to their target market have greater credibility, generate more sales,

    and have a more loyal customer base. CMOs that successfully execute brand awareness programs

    build brand equity and grow company valuation.

    This is a picture of Nathalie Vezina

    Nathalie Vezina
    Marketing Research Director
    SoftwareReviews Advisory

    Executive summary

    Brand leaders know that brand awareness is essential to the success of all marketing and sales activities. Brands that fail to invest in brand awareness are likely to face some, if not all these problems:

    • Lack of brand visibility and compelling storytelling.
    • Inability to reach the target audience.
    • Low engagement on digital platforms and with ads.
    • Difficulties generating and converting leads, or closing/winning sales/deals, and facing a high cost per acquisition.
    • Low/no interest or brand recognition, trust level, and customer retention rate.
    • Inability to justify higher pricing.

    Convincing stakeholders of the benefits of strong brand awareness can be difficult when the positive outcomes are hard to quantify, and the return on investment (ROI) is often long-term. Among the many obstacles brand leaders must overcome are:

    • Lack of longer-term corporate vision, focusing all efforts and resources on short-term growth strategies for a quick ROI.
    • Insufficient market and target buyers' information and understanding of the brand's key differentiator.
    • Misalignment of brand message, and difficulties creating compelling content that resonates with the target audience, generates interest, and keeps them engaged.
    • Limited or no resources dedicated to the development of the brand.

    Inspired by top-performing businesses and best practices, this blueprint provides the guidance and tools needed to successfully build awareness and help businesses grow. By following these guidelines, brand leaders can expect to:

    • Gain market intelligence and a clear understanding of the buyer's needs, your competitive advantage, and key differentiator.
    • Develop a clear and compelling value proposition and a human-centric brand messaging driven by the brand's values.
    • Increase online presence and brand awareness to attract and engage with buyers.
    • Develop a long-term brand strategy and execution plan.

    "A brand is the set of expectations, memories, stories, and relationships that, taken together, account for a consumer's decision to choose one product or service over another."

    – Seth Godin

    What is brand awareness?

    The act of making a brand visible and memorable.

    Brand awareness is the degree to which buyers are familiar with and recognize the attributes and image of a particular brand, product, or service. The higher the level of awareness, the more likely the brand is to come into play when a target audience enters the " buying consideration" phase of the buyer's journey.

    Brand awareness also plays an important role in building equity and increasing business valuation. Brands that are familiar to their target market have greater credibility, drive more sales and have a more loyal customer base.
    Building brand awareness allows increasing:

    • Brand visibility, perception, recognition, and reputation
    • Interactions and engagement with the target audience
    • Digital advertising performance and ROI
    • Conversion rates and sales wins
    • Revenue and profitability
    • Market share and share of voice (SOV)
    • Talents, partners, and investors attraction and retention
    • Brand equity, business growth, and market valuation

    "Products are made in a factory, but brands are created in the mind."
    Source: Walter Landor

    Capitalizing on a powerful brand

    A longer-term approach for an increased and more sustainable ROI.

    Market leader position

    Developing brand awareness is essential to increase the visibility and traction of a brand.

    Several factors may cause a brand to be not well-known. One reason might be that the brand recently launched, such as a startup. Another reason could be that the brand has rebranded or entered a new market.

    To become the trusted brand that buyers think of first in their target markets, it is critical for these brands to develop and deploy comprehensive, multi-touchpoint brand awareness strategies.

    A relationship leading to loyalty

    A longer-term brand awareness strategy helps build a strong relationship between the brand and the buyer, fostering a lasting and rewarding alliance.

    It also enables brands to reach and engage with their target audience effectively by using compelling storytelling and meaningful content.

    Adopting a more human-centric approach and emphasizing shared values makes the brand more attractive to buyers and can drive sales and gain loyalty.

    Sustainable business growth

    For brands that are not well established in their target market, short-term tactics that focus on immediate benefits can be ineffective. In contrast, long-term brand awareness strategies provide a more sustainable ROI (return on investment).

    Investing in building brand awareness can impact a business's ability to interact with its target audience, generate leads, and increase sales. Moreover, it can significantly contribute to boosting the business's brand equity and market valuation.

    "Quick wins may work in the short term, but they're not an ideal substitute for long-term tactics and continued success."
    Source: Forbes

    Impacts of low brand awareness on businesses

    Unfamiliar brands, despite their strong potential, won't thrive unless they invest in their notoriety.

    Brands that choose not to invest in longer-term awareness strategies and rely solely on short-term growth tactics in hopes of an immediate gain will see their ability to grow diminished and their longevity reduced due to a lack of market presence and recognition.

    Symptoms of a weakening brand include:

    • High marketing spending and limited result
    • Low market share or penetration
    • Low sales, revenue, and gross margin
    • Weak renewal rate, customer retention, and loyalty
    • Difficulties delivering on the brand promise, low/no trust in the brand
    • Limited brand equity, business valuation, and sustainability
    • Unattractive brand to partners and investors

    "Your brand is the single most important investment you can make in your business."
    Source: Steve Forbes

    Most common obstacles to increasing brand awareness

    Successfully building brand awareness requires careful preparation and planning.

    • Limited market intelligence
    • Unclear competitive advantage/key differentiator
    • Misaligned and inconsistent messaging and storytelling
    • Lack of long-term vision
    • and low prioritization
    • Limited resources to develop and execute brand awareness building tactics
    • Unattractive content that does not resonate, generates little or no interest and engagement

    Investing in the notoriety of the brand

    Become the top-of-mind brand in your target market.

    To stand out, be recognized by their target audience, and become major players in their industry, brands must adopt a winning strategy that includes the following elements:

    • In-depth knowledge and understanding of the market and audience
    • Strengthening digital presence and activities
    • Creating and publishing content relevant to the target audience
    • Reaching out through multiple touchpoints
    • Using a more human-centric approach
    • Ensure consistency in all aspects of the brand, across all media and channels

    How far are you from being the brand buyers think of first in your target market?

    This is an image of the Brand Awareness Pyramid.

    Brand awareness pyramid

    Based on David Aaker's brand loyalty pyramid

    Tactics for building brand awareness

    Focus on effective ways to gain brand recognition in the minds of buyers.

    This is an image of the Brand Awareness Journey Roadmap.

    Brand recognition requires in-depth knowledge of the target market, the creation of strong brand attributes, and increased presence and visibility.

    Understand the market and audience you're targeting

    Be prepared. Act smart.

    To implement a winning brand awareness-building strategy, you must:

    • Be aware of your competitor's strengths and weaknesses, as well as yours.
    • Find out who is behind the keyboard, and the user experience they expect to have.
    • Plan and continuously adapt your tactics accordingly.
    • Make your buyer the hero.

    Identify the brands' uniqueness

    Find your "winning zone" and how your brand uniquely addresses buyers' pain points.

    Focus on your key differentiator

    A brand has found its "winning zone" or key differentiator when its value proposition clearly shows that it uniquely solves its buyers' specific pain points.

    Align with your target audience's real expectations and successfully interact with them by understanding their persona and buyer's journey. Know:

    • How you uniquely address their pain points.
    • Their values and what motivates them.
    • Who they see as authorities in your field.
    • Their buying habits and trends.
    • How they like brands to engage with them.

    An image of a Venn diagram between the following three terms: Buyer pain point; Competitors' value proposition; your unique value proposition.  The overlapping zone is labeled the Winning zone.  This is your key differentiator.

    Give your brand a voice

    Define and present a consistent voice across all channels and assets.

    The voice reflects the personality of the brand and the emotion to be transmitted. That's why it's crucial to establish strict rules that define the language to use when communicating through the brand's voice, the type of words, and do's and don'ts.

    To be recognizable it is imperative to avoid inconsistencies. No matter how many people are behind the brand voice, the brand must show a unique, distinctive personality. As for the tone, it may vary according to circumstances, from lighter to more serious.

    Up to 80% Increased customer recognition when the brand uses a signature color scheme across multiple platforms
    Source: startup Bonsai
    23% of revenue increase is what consistent branding across channels leads to.
    Source: Harvard Business Review

    When we close our eyes and listen, we all recognize Ella Fitzgerald's rich and unique singing voice.

    We expect to recognize the writing of Stephen King when we read his books. For the brand's voice, it's the same. People want to be able to recognize it.

    Adopt a more human-centric approach

    If your brand was a person, who would it be?

    Human attributes

    Physically attractive

    • Brand identity
    • Logo and tagline
    • Product design

    Intellectually stimulating

    • Knowledge and ideas
    • Continuous innovation
    • Thought leadership

    Sociable

    • Friendly, likeable and fun
    • Confidently engage with audience through multiple touchpoints
    • Posts and shares meaningful content
    • Responsive

    Emotionally connected

    • Inspiring
    • Powerful influencer
    • Triggers emotional reactions

    Morally sound

    • Ethical and responsible
    • Value driven
    • Deliver on its promise

    Personable

    • Honest
    • Self-confident and motivated
    • Accountable

    0.05 Seconds is what it takes for someone to form an opinion about a website, and a brand.
    Source: 8ways

    90% of the time, our initial gut reaction to products is based on color alone.
    Source: startup Bonsai

    56% of the final b2b purchasing decision is based on emotional factors.
    Source: B@B International

    Put values at the heart of the brand-buyers relationship

    Highlight values that will resonate with your audience.

    Brands that focus on the values they share with their buyers, rather than simply on a product or service, succeed in making meaningful emotional connections with them and keep them actively engaged.

    Shared values such as transparency, sustainability, diversity, environmental protection, and social responsibility become the foundation of a solid relationship between a brand and its audience.

    The key is to know what motivates the target audience.

    86% of consumers claim that authenticity is one of the key factors they consider when deciding which brands they like and support.
    Source: Business Wire

    56% of the final decision is based on having a strong emotional connection with the supplier.
    Source: B2B International

    64% of today's customers are belief-driven buyers; they want to support brands that "can be a powerful force for change."
    Source: Edelman

    "If people believe they share values with a company, they will stay loyal to the brand."
    – Howard Schultz
    Source: Lokus Design

    Double-down on digital

    Develop your digital presence and reach out to your target audiences through multiple touchpoints.

    Beyond engaging content, reaching the target audience requires brands to connect and interact with their audience in multiple ways so that potential buyers can form an opinion.

    With the right message consistently delivered across multiple channels, brands increase their reach, create a buzz around their brand and raise awareness.

    73% of today's consumers confirm they use more than one channel during a shopping journey
    Source: Harvard Business Review

    Platforms

    • Website and apps
    • Social media
    • Group discussions

    Multimedia

    • Webinars
    • Podcasts
    • Publication

    Campaign

    • Ads and advertising
    • Landing pages
    • Emails, surveys drip campaigns

    Network

    • Tradeshows, events, sponsorships
    • Conferences, speaking opportunities
    • Partners and influencers

    Use social media to connect

    Reach out to the masses with a social media presence.

    Social media platforms represent a cost-effective opportunity for businesses to connect and influence their audience and tell their story by posting relevant and search-engine-optimized content regularly on their account and groups. It's also a nice gateway to their website.

    Building a relationship with their target buyer through social media is also an easy way for businesses to:

    • Understand the buyers.
    • Receive feedback on how the buyers perceive the brand and how to improve it.
    • Show great user experience and responsiveness.
    • Build trust.
    • Create awareness.

    75% of B2B buyers and 84% of C-Suite executives use social media when considering a purchase
    Source: LinkedIn Business

    92% of B2B buyers use social media to connect with leaders in the sales industry.
    Source: Techjury

    With over 4.5 billion social media users worldwide, and 13 new users signing up to their first social media account every second, social media is fast becoming a primary channel of communication and social interaction for many.
    Source: McKinsey

    Become the expert subject matter

    Raise awareness with thought leadership content.

    Thought leadership is about building credibility
    by creating and publishing meaningful, relevant content that resonates with a target audience.
    Thought leaders write and publish all kinds of relevant content such as white papers, ebooks, case studies, infographics, video and audio content, webinars, and research reports.
    They also participate in speaking opportunities, live presentations, and other high-visibility forums.
    Well-executed thought leadership strategies contribute to:

    • Raise awareness.
    • Build credibility.
    • Be recognized as a subject expert matter.
    • Become an industry leader.

    60% of buyers say thought leadership builds credibility when entering a new category where the brand is not already known.
    Source: Edelman | LinkedIn

    70% of people would rather learn about a company through articles rather than advertising.
    Source: Brew Interactive

    57% of buyers say that thought leadership builds awareness for a new or little-known brand.
    Source: Edelman | LinkedIn

    To achieve best results

    • Know the buyers' persona and journey.
    • Create original content that matches the persona of the target audience and that is close to their values.
    • Be Truthful and insightful.
    • Find the right tone and balance between being human-centric, authoritative, and bold.
    • Be mindful of people's attention span and value their time.
    • Create content for each phase of the buyer's journey.
    • Ensure content is SEO, keyword-loaded, and add calls-to-action (CTAs).
    • Add reason to believe, data to support, and proof points.
    • Address the buyers' pain points in a unique way.

    Avoid

    • Focusing on product features and on selling.
    • Publishing generic content.
    • Using an overly corporate tone.

    Promote personal branding

    Rely on your most powerful brand ambassadors and influencers: your employees.

    The strength of personal branding is amplified when individuals and companies collaborate to pursue personal branding initiatives that offer mutual benefits. By training and positioning key employees as brand ambassadors and industry influencers, brands can boost their brand awareness through influencer marketing strategies.

    Personal branding, when well aligned with business goals, helps brands leverage their key employee's brands to:

    • Increase the organization's brand awareness.
    • Broaden their reach and circle of influence.
    • Show value, gain credibility, and build trust.
    • Stand out from the competition.
    • Build employee loyalty and pride.
    • Become a reference to other businesses.
    • Increase speaking opportunities.
    • Boost qualified leads and sales.

    About 90% of organizations' employee network tends to be completely new to the brand.
    Source: Everyone Social

    8X more engagement comes from social media content shared by employees rather than brand accounts.
    Source: Entrepreneur

    561% more reach when brand messages are shared by employees on social media, than the same message shared by the Brand's social media.
    Source: Entrepreneur

    "Personal branding is the art of becoming knowable, likable and trustable."
    Source: Founder Jar, John Jantsch

    Invest in B2B influencer marketing

    Broaden your reach and audiences by leveraging the voice of influencers.

    Influencers are trusted industry experts and analysts who buyers can count on to provide reliable information when looking to make a purchase.

    Influencer marketing can be very effective to reach new audiences, increase awareness, and build trust. But finding the right influencers with the level of credibility and visibility brands are expecting can sometimes be challenging.

    Search for influencers that have:

    • Relevance of audience and size.
    • Industry expertise and credibility.
    • Ability to create meaningful content (written, video, audio).
    • Charismatic personality with values consistent with the brand.
    • Frequent publications on at least one leading media platform.

    76% of people say that they trust content shared by people over a brand.
    Source: Adweek


    44% increased media mention of the brand using B2B influencer marketers.
    Source: TopRank Marketing

    Turn your customers into brand advocates

    Establish customer advocacy programs and deliver a great customer experience.

    Retain your customers and turn them into brand advocates by building trust, providing an exceptional experience, and most importantly, continuously delivering on the brand promise.

    Implement a strong customer advocacy program, based on personalized experiences, the value provided, and mutual exchange, and reap the benefits of developing and growing long-term relationships.

    92% of individuals trust word-of-mouth recommendations, making it one of the most trust-rich forms of advertising.
    Source: SocialToaster

    Word-of-mouth (advocacy) marketing increases marketing effectiveness by 54%
    Source: SocialToaster

    Make your brand known and make it stick in people's minds

    Building and maintaining high brand awareness requires that each individual within the organization carry and deliver the brand message clearly and consistently across all media whether in person, in written communications, or otherwise.

    To achieve this, brand leaders must first develop a powerful, researched narrative that people will embrace and convey, which requires careful preparation.

    Target market and audience intel

    • Target market Intel
    • Buyer persona and journey/pain points
    • Uniqueness and positioning

    Brand attributes

    • Values at the heart of the relationship
    • Brand's human attributes

    Brand visibly and recall

    • Digital and social media presence
    • Thought leadership
    • Personal branding
    • Influencer marketing

    Brand awareness building plan

    • Long-term awareness and multi-touchpoint approach
    • Monitoring and optimization

    Short and long-term benefits of increasing brand awareness

    Brands are built over the long term but the rewards are high.

    • Stronger brand perception
    • Improved engagement and brand associations
    • Enhanced credibility, reputation, and trust
    • Better connection with customers
    • Increased repeat business
    • High-quality leads
    • Higher and faster conversion rate
    • More sales closed/ deals won
    • Greater brand equity
    • Accelerated growth

    "Strong brands outperform their less recognizable competitors by as much as 73%."
    Source: McKinsey

    Brand awareness building

    Building brand awareness, even though immediate benefits are often difficult to see and measure, is essential for companies to stand out from their competitors and continue to grow in a sustainable way.

    To successfully raise awareness, brands need to have:

    • A longer-term vision and strategy.
    • Market Intelligence, a clear value proposition, and key differentiator.
    • Consistent, well-aligned messaging and storytelling.
    • Digital presence and content.
    • The ability to reach out through multiple touchpoints.
    • Necessary resources.

    Without brand awareness, brands become less attractive to buyers, talent, and investors, and their ability to grow, increase their market value, and be sustainable is reduced.

    Brand awareness building methodology

    Define brands' personality and message

    • Gather market intel and analyze the market.
    • Determine the value proposition and positioning.
    • Define the brand archetype and voice.
    • Craft a compelling brand message and story.
    • Get all the key elements of your brand guidelines.

    Start building brand awareness

    • Achieve strategy alignment and readiness.
    • Create and manage assets.
    • Deploy your tactics, assets, and workflows.
    • Establish key performance indicators (KPIs).
    • Monitor and optimize on an ongoing basis.

    Toolkit

    • Market and Influencing Factors Analysis
    • Recognition Survey and Best Practices
    • Buyer Personas and Journeys
    • Purpose, Mission, Vision, Values
    • Value Proposition and Positioning
    • Brand Message, Voice, and Writing Style
    • Brand Strategy and Tactics
    • Asset Creation and Management
    • Strategy Rollout Plan

    Short and long-term benefits of increasing brand awareness

    Increase:

    • Brand perception
    • Brand associations and engagement
    • Credibility, reputation, and trust
    • Connection with customers
    • Repeat business
    • Quality leads
    • Conversion rate
    • Sales closed / deals won
    • Brand equity and growth

    It typically takes 5-7 brand interactions before a buyer remembers the brand.
    Source: Startup Bonsai

    Who benefits from this brand awareness research?

    This research is being designed for:
    Brand and marketing leaders who:

    • Know that brand awareness is essential to the success of all marketing and sales activities.
    • Want to make their brand unique, recognizable, meaningful, and highly visible.
    • Seek to increase their digital presence, connect and engage with their target audience.
    • Are looking at reaching a new segment of the market.

    This research will also assist:

    • Sales with qualified lead generation and customer retention and loyalty.
    • Human Resources in their efforts to attract and retain talent.
    • The overall business with growth and increased market value.

    This research will help you:

    • Gain market intelligence and a clear understanding of the target audience's needs and trends, competitive advantage, and key differentiator.
    • The ability to develop clear and compelling, human-centric messaging and compelling story driven by brand values.
    • Increase online presence and brand awareness activities to attract and engage with buyers.
    • Develop a long-term brand awareness strategy and deployment plan.

    This research will help them:

    • Increase campaign ROI.
    • Develop a longer-term vision and benefits of investing in longer-term initiatives.
    • Build brand equity and increase business valuation.
    • Grow your business in a more sustainable way.

    SoftwareReviews' brand awareness building methodology

    Phase 1 Define brands' personality and message

    Phase 2 Start building brand awareness

    Phase steps

    1.1 Gather market intelligence and analyze the market.

    1.2 Develop and document the buyer's persona and journey.

    1.3 Uncover the brand mission, vision statement, core values, value proposition and positioning.

    1.4 Define the brand's archetype and tone of voice, then craft a compelling brand messaging.

    2.1 Achieve strategy alignment and readiness.

    2.2 Create assets and workflows and deploy tactics.

    2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Phase outcomes

    • Target market and audience are identified and documented.
    • A clear value proposition and positioning are determined.
    • The brand personality, voice, and messaging are developed.
    • All the key elements of the brand guidelines are in place and ready to use, along with the existing logo, typography, color palette, and imagery.
    • A comprehensive and actionable brand awareness strategy, with tactics, KPIs, and metrics, is set and ready to execute.
    • A progressive and effective deployment plan with deliverables, timelines, workflows, and checklists is in place.
    • Resources are assigned.

    Insight summary

    Brands to adapt their strategies to achieve longer-term growth
    Brands must adapt and adjust their strategies to attract informed buyers who have access to a wealth of products, services, and brands from all over. Building brand awareness, even though immediate benefits are often difficult to see and measure, has become essential for companies that want to stand out from their competitors and continue to grow in a sustainable way.

    A more human-centric approach
    Brand personalities matter. Brands placing human values at the heart of the customer-brand relationship will drive interest in their brand and build trust with their target audience.

    Stand out from the crowd
    Brands that develop and promote a clear and consistent message across all platforms and channels, along with a unique value proposition, stand out from their competitors and get noticed.

    A multi-touchpoints strategy
    Engage buyers with relevant content across multiple media to address their pain points. Analyze touchpoints to determine where to invest your efforts.

    Going social
    Buyers expect brands to be active and responsive in their interactions with their audience. To build awareness, brands are expected to develop a strong presence on social media by regularly posting relevant content, engaging with their followers and influencers, and using paid advertising. They also need to establish thought leadership through content such as white papers, case studies, and webinars.

    Thought leaders wanted
    To enhance their overall brand awareness strategy, organizations should consider developing the personal brand of key executives. Thought leadership can be a valuable method to gain credibility, build trust, and drive conversion. By establishing thought leadership, businesses can increase brand mentions, social engagement, website traffic, lead generation, return on investment (ROI), and Net Promoter Score (NPS).

    Save time and money with SoftwareReviews' branding advice

    Collaborating with SoftwareReviews analysts for inquiries not only provides valuable advice but also leads to substantial cost savings during branding activities, particularly when partnering with an agency.

    Guided Implementation Purpose Measured Value
    Build brands' personality and message Get the key elements of the brand guidelines in place and ready to use, along with your existing logo, typography, color palette, and imagery, to ensure consistency and clarity across all brand touchpoints from internal communication to customer-facing materials. Working with SoftwareReviews analysts to develop brand guidelines saves costs compared to hiring an agency.

    Example: Building the guidelines with an agency will take more or less the same amount of time and cost approximately $80K.

    Start building brand awareness Achieve strategy alignment and readiness, then deploy tactics, assets, and other deliverables. Start building brand awareness and reap the immediate and long-term benefits.

    Working with SoftwareReviews analysts and your team to develop a long-term brand strategy and deployment will cost you less than a fraction of the cost of using an agency.

    Example: Developing and executing long-term brand awareness strategies with an agency will cost between $50-$75K/month over a 24-month period minimum.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Build brands' personality and message

    Phase 2

    Start building brand awareness

    • Call #1: Discuss concept and benefits of building brand awareness. Identify key stakeholders. Anticipate concerns and objections.
    • Call #2: Discuss target market intelligence, information gathering, and analysis.
    • Call #3: Review market intelligence information. Address questions or concerns.
    • Call #4: Discuss value proposition and guide to find positioning and key differentiator.
    • Call #5: Review value proposition. Address questions or concerns.
    • Call #6: Discuss how to build a comprehensive brand awareness strategy using SR guidelines and template.
    • Call #7: Review strategy. Address questions or concerns.
    • Call #8: Second review of the strategy. Address questions or concerns.
    • Call #9 (optional): Third review of the strategy. Address questions or concerns.
    • Call #10: Discuss how to build the Execution Plan using SR template.
    • Call #11: Review Execution Plan. Address questions or concerns.
    • Call #12: Second review of the Execution Plan. Address questions or concerns.
    • Call #13 (optional): Third review of the Execution Plan. Address questions or concerns.
    • Call #14: Discuss how to build a compelling storytelling and content creation.
    • Call #15: Discuss website and social media platforms and other initiatives.
    • Call #16: Discuss marketing automation and continuous monitoring.
    • Call #17 (optional): Discuss optimization and reporting
    • Call #18: Debrief and determine how we can help with next steps.

    A Guided Implementation (GI) is a series of calls with a SoftwareReviews Marketing Analyst to help implement our best practices in your organization.

    Your engagement managers will work with you to schedule analyst calls.

    Brand awareness building tools

    Each step of this blueprint comes with tools to help you build brand awareness.

    Brand Awareness Tool Kit

    This kit includes a comprehensive set of tools to help you better understand your target market and buyers, define your brand's personality and message, and develop an actionable brand awareness strategy, workflows, and rollout plan.

    The set includes these templates:
    • Market and Influencing Factors Analysis
    • Recognition Survey and Best Practices
    • Buyer Personas and Journeys
    • Purpose, Mission, Vision, and Values
    • Value Proposition and Positioning
    • Brand Message, Voice, and Writing Style
    • Brand Strategy and Tactics
    • Asset Creation and Management
    • Strategy Rollout Plan
    An image of a series of screenshots from the templates listed in the column to the left of this image.

    Get started!

    Know your target market and audience, deploy well-designed strategies based on shared values, and make meaningful connections with people.

    Phase 1

    Define brands' personality and message

    Phase 2

    Start building brand awareness

    Phase 1

    Define brands' personality and message

    Steps

    1.1 Gather market intelligence and analyze the market.
    1.2 Develop and document the buyer's persona and journey.
    1.3 Uncover the brand mission, vision statement, core values, positioning, and value proposition.
    1.4 Define the brand's archetype and tone of voice, then craft a compelling brand messaging.

    Phase outcome

    • Target market and audience are identified and documented.
    • A clear value proposition and positioning are determined.
    • The brand personality, voice, and messaging are developed.
    • All the key elements of the brand guidelines are in place. and ready to use, along with the existing logo, typography, color palette, and imagery..

    Build brands' personality and message

    Step 1.1 Gather market intelligence and analyze the market.

    Total duration: 2.5-8 hours

    Objective

    Analyze and document your competitive landscape, assess your strengths, weaknesses, opportunities,
    and threats, gauge the buyers' familiarity with your brand, and identify the forces of influence.

    Output

    This exercise will allow you to understand your market and is essential to developing your value proposition.

    Participants

    • Head of branding and key stakeholders

    MarTech
    May require you to:

    • Register to a Survey Platform.
    • Use, setup, or install platforms like CRM and/or Marketing Automation Platform.

    Tools

    1.1.1 SWOT and competitive landscape

    (60-120 min.)

    Analyze & Document

    Follow the instructions in the Market Analysis Template to complete the SWOT and Competitive Analysis, slides 4 to 7.

    1.1.3 Internal and External Factors

    (30-60 min.)

    Analyze

    Follow the instructions in the External and Internal Factors Analysis Template to perform the PESTLE, Porter's 5 Forces, and Internal Factors and VRIO Analysis.

    Transfer

    Transfer key information into slides 10 and 11 of the Market Analysis Template.

    Consult SoftwareReviews website to find the best survey and MarTech platforms or contact one of our analysts for more personalized assistance and guidance

    1.1.2 Brand recognition

    (60-300 min.)

    Prep

    Adapt the survey and interview questions in the Brand Recognition Survey Questionnaire and List Template.

    Determine how you will proceed to conduct the survey and interviews (internal or external resources, and tools).

    Refer to the Survey Emails Best Practices Guidelines for more information on how to conduct email surveys.

    Collect & Analyze

    Use the Brand Recognition Survey Questionnaire and List Template to build your list, conduct the survey /interviews, and collect and analyze the feedback received.

    Transfer

    Transfer key information into slides 8 and 9 of the Market Analysis Template.

    Brand performance diagnostic

    Have you considered diagnosing your brand's current performance before you begin building brand awareness?

    Audit your brand using the Diagnose Brand Health to Improve Business Growth blueprint.Collect and interpret qualitative and quantitative brand performance measures.

    The toolkit includes the following templates:

    • Surveys and interviews questions and lists
    • External and internal factor analysis
    • Digital and financial metrics analysis

    Also included is an executive presentation template to communicate the results to key stakeholders and recommendations to fix the uncovered issues.

    Build brands' personality and message

    Step 1.2 Develop and document the buyer's persona and journey.

    Total duration: 4-8 hours

    Objective

    Gather existing and desired customer insights and conduct market research to define and personify your buyers' personas and their buying behaviors.

    Output

    Provide people in your organization with clear direction on who your target buyers are and guidance on how to effectively reach and engage with them throughout their journey.
    Participants

    • Head of branding
    • Key stakeholders from sales and product marketing

    MarTech
    May require you to:

    • Register to an Online Survey Platform (free version or subscription).
    • Use, setup, or installation of platforms like CRM and/or Marketing Automation Platform.

    Tools

    1.2.1 Buyer Personas and Journeys

    (240-280 min.)

    Research

    Identify your tier 1 to 3 customers using the Ideal Client Profile (ICP) Workbook. (Recommended)

    Survey and interview existing and desired customers based using the Buyer Persona and Journey Interview Guide and Data Capture Tool. (Recommended)

    Create

    Define and document your tier 1 to 3 Buyer Personas and Journeys using the Buyer Personas and Journeys Presentation Template.

    Consult SoftwareReviews website to find the best survey platform for your needs or contact one of our analysts for more personalized assistance and guidance

    Buyer Personas and Journeys

    A well-defined buyer persona and journey is a great way for brands to ensure they are effectively reaching and engaging their ideal buyers through a personalized buying experience.

    When properly documented, it provides valuable insights about the ideal customers, their needs, challenges, and buying decision processes allowing the development of initiatives that correspond to the target buyers.

    Build brands' personality and message

    Step 1.3 Uncover the brand mission, vision statement, core values, value proposition, and positioning.

    Total duration: 4-5.5 hours

    Objective
    Define the "raison d'être" and fundamental principles of your brand, your positioning in the marketplace, and your unique competitive advantage.

    Output
    Allows everyone in an organization to understand and align with the brand's raison d'être beyond the financial dimension, its current positioning and objectives, and how it intends to achieve them.
    It also serves to communicate a clear and appealing value proposition to buyers.

    Participants

    • Head of branding
    • Chief Executive Officer (CEO)
    • Key stakeholders

    Tools

    • Brand Purpose, Mission, Vision, and Values Template
    • Value Proposition and Positioning Statement Template

    1.3.1 Brand Purpose, Mission, Vision, and Values

    (90-120 min.)

    Capture or Develop

    Capture or develop, if not already existing, your brand's purpose, mission, vision statement, and core values using slides 4 to 7 of the Brand Purpose, Mission, Vision, and Values Template.

    1.3.2 Brand Value Proposition and Positioning

    (150-210 min.)

    Define

    Map the brand value proposition using the canvas on slide 5 of the Value Proposition and Positioning Statement Template, and clearly articulate your value proposition statement on slide 4.

    Optional: Use canvas on slide 7 to develop product-specific product value propositions.

    On slide 8 of the same template, develop your brand positioning statement.

    Build brands' personality and message

    Steps 1.4 Define the brand's archetype and tone of voice, and craft a compelling brand messaging.

    Total duration: 5-8 hours

    Objective

    Define your unique brand voice and develop a set of guidelines, brand story, and messaging to ensure consistency across your digital and non-digital marketing and communication assets.
    Output

    A documented brand personality and voice, as well as brand story and message, will allow anyone producing content or communicating on behalf of your brand to do it using a unique and recognizable voice, and convey the right message.

    Participants

    • Head of branding
    • Content specialist
    • Chief Executive Officer and other key stakeholders

    Tools

    • Brand Voice Guidelines Template
    • Writing Style Guide Template
    • Brand Messaging Template
    • Writer Checklist Template

    1.4.1 Brand Archetype and Tone of Voice

    (120-240 min.)

    Define and document

    Refer to slides 5 and 6 of the Brand Voice Guidelines Template to define your brand personality (archetype), slide 7.

    Use the Brand Voice Guidelines Template to define your brand tone of voice and characteristics on slides 8 and 9, based on the 4 primary tone of voice dimensions, and develop your brand voice chart, slide 9.

    Set Rules

    In the Writing Style Guide template, outline your brand's writing principles, style, grammar, punctuation, and number rules.

    1.4.2 Brand Messaging

    (180-240 min.)

    Craft

    Use the Brand Messaging template, slides 4 to 7, to craft your brand story and message.

    Audit

    Create a content audit to review and approve content to be created prior to publication, using the Writer's Checklist template.

    Important Tip!

    A consistent brand voice leads to remembering and trusting the brand. It should stand out from the competitors' voices and be meaningful to the target audience. Once the brand voice is set, avoid changing it.

    Phase 2

    Start building brand awareness

    Steps

    2.1 Achieve strategy alignment and readiness.
    2.2 Create assets and workflows, and deploy tactics.
    2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Phase outcome

    • A comprehensive and actionable brand awareness strategy, with tactics, KPIs, and metrics, is set and ready to execute.
    • A progressive and effective deployment plan with deliverables, timelines, workflows, and checklists is in place.
    • Resources are assigned.

    Start building brand awareness

    Step 2.1 Achieve strategy readiness and alignment.

    Total duration: 4-5 hours

    Objective

    Now that you have all the key elements of your brand guidelines in place, in addition to your existing logo, typography, color palette, and imagery, you can begin to build brand awareness.

    Start planning to build brand awareness by developing a comprehensive and actionable brand awareness strategy with tactics that align with the company's purpose and objectives. The strategy should include achievable goals and measurables, budget and staffing considerations, and a good workload assessment.

    Output

    A comprehensive long-term, actionable brand awareness strategy with KPIs and measurables.

    Participants

    • Head of branding
    • Key stakeholders

    Tools

    • Brand Awareness Strategy and Tactics Template

    2.1.1 Brand Awareness Analysis

    (60-120 min.)

    Identify

    In slide 5 of the Brand Awareness Strategy and Tactics Template, identify your top three brand awareness drivers, opportunities, inhibitors, and risks to help you establish your strategic objectives in building brand awareness.

    2.1.2 Brand Awareness Strategy

    (60-120 min.)

    Elaborate

    Use slides 6 to 10 of the Brand Awareness Strategy and Tactics Template to elaborate on your strategy goals, key issues, and tactics to begin or continue building brand awareness.

    2.1.3 Brand Awareness KPIs and Metrics

    (180-240 min.)

    Set

    Set the strategy performance metrics and KPIs on slide 11 of the Brand Awareness Strategy and Tactics Template.

    Monitor

    Once you start executing the strategy, monitor and report each quarter using slides 13 to 15 of the same document.

    Understanding the difference between strategies and tactics

    Strategies and tactics can easily be confused, but although they may seem similar at times, they are in fact quite different.

    Strategies and tactics are complementary.

    A strategy is a plan to achieve specific goals, while a tactic is a concrete action or set of actions used to implement that strategy.

    To be effective, brand awareness strategies should be well thought-out, carefully planned, and supported by a series of tactics to achieve the expected outcomes.

    Start building brand awareness

    Step 2.2 Create assets and workflows and deploy tactics.

    Total duration: 3.5-4.5 hours

    Objective

    Build a long-term rollout with deliverables, milestones, timelines, workflows, and checklists. Assign resources and proceed to the ongoing development of assets. Implement, manage, and continuously communicate the strategy and results to key stakeholders.

    Output

    Progressive and effective development and deployment of the brand awareness-building strategy and tactics.

    Participants

    • Head of branding

    Tools

    • Asset Creation and Management List
    • Campaign Workflows Template
    • Brand Awareness Strategy Rollout Plan Template

    2.2.1 Assets Creation List

    (60-120 min.)

    Inventory

    Inventory existing assets to create the Asset Creation and Management List.

    Assign

    Assign the persons responsible, accountable, consulted, and informed of the development of each asset, using the RACI model in the template. Ensure you identify and collaborate with the right stakeholders.

    Prioritize

    Prioritize and add release dates.

    Communicate

    Update status and communicate regularly. Make the list with links to the assets available to the extended team to consult as needed.

    2.2.2 Rollout Plan

    (60-120 min.)

    Inventory

    Map out your strategy deployment in the Brand Awareness Strategy Rollout Plan Template and workflow in the Campaign Workflow Template.

    Assign

    Assign the persons responsible, accountable, consulted, and informed for each tactic, using the RACI model in the template. Ensure you identify and collaborate with the right stakeholders.

    Prioritize

    Prioritize and adjust the timeline accordingly.

    Communicate

    Update status and communicate regularly. Make the list with links to the assets available to the extended team to consult as needed.

    Band Awareness Strategy Rollout Plan
    A strategy rollout plan typically includes the following:

    • Identifying a cross-functional team and resources to develop the assets and deploy the tactics.
    • Listing the various assets to create and manage.
    • A timeline with key milestones, deadlines, and release dates.
    • A communication plan to keep stakeholders informed and aligned with the strategy and tactics.
    • Ongoing performance monitoring.
    • Constant adjustments and improvements to the strategy based on data collected and feedback received.

    Start building brand awareness

    Step 2.3 Establish key performance indicators (KPIs), monitor, and optimize on an ongoing basis.

    Total duration: 3.5-4.5 hours

    Objective

    Brand awareness is built over a long period of time and must be continuously monitored in several ways. Measuring and monitoring the effectiveness of your brand awareness activities will allow you to constantly adjust your tactics and continue to build awareness.

    Output

    This step will provide you with a snapshot of your current level of brand awareness and interactions with the brand, and allow you to set up the tools for ongoing monitoring and optimization.

    Participants

    • Head of branding
    • Digital marketing manager

    MarTech
    May require you to:

    • Register to an Online Survey Platform(free version or subscription), or
    • Use, setup, or installation of platforms like CRM and/or Marketing Automation Platform.
    • Use Google Analytics or other tracking tools.
    • Use social media and campaign management tools.

    Tools

    • Brand Awareness Strategy and Tactics Template

    2.2.2 Rollout Plan

    (60-120 min.)

    Measure

    Monitor and record the strategy performance metrics in slides 12 to 15 of the Brand Awareness Strategy and Tactics template, and gauge its performance against preset KPIs in slide 11. Make ongoing improvements to the strategy and assets.

    Communicate

    The same slides in which you monitor strategy performance can be used to report on the results of the current strategy to key stakeholders on a monthly or quarterly basis, as appropriate.

    Take this opportunity to inform stakeholders of any adjustments you plan to make to the existing plan to improve its performance. Since brand awareness is built over time, be sure to evaluate the results based on how long the strategy has been in place before making major changes.

    Consult SoftwareReviews website to find the best survey, brand monitoring and feedback, and MarTech platforms, or contact one of our analysts for more personalized assistance and guidance

    Measuring brand strategy performance
    There are two ways to measure and monitor your brand's performance on an ongoing basis.

    • By registering to brand monitoring and feedback platforms and tools like Meltwater, Hootsuite, Insights, Brand24, Qualtrics, and Wooltric.
    • Manually, using native analytics built in the platforms you're already using, such as Google and Social Media Analytics, or by gathering customer feedback through surveys, or calculating CAC, ROI, and more in spreadsheets.

    SoftwareReviews can help you choose the right platform for your need. We also equip you with manual tools, available with the Diagnose Brand Health to Improve Business Growthblueprint to measure:

    • Surveys and interviews questions and lists.
    • External and internal factor analysis.
    • Digital and financial metrics analysis.
    • Executive presentation to report on performance.

    Related SoftwareReviews research

    An image of the title page for SoftwareReviews Create a Buyer Persona and Journey. An image of the title page for SoftwareReviews Diagnose Brand Health to Improve Business Growth.

    Create a Buyer Persona and Journey

    Get deeper buyer understanding and achieve product-market fit, with easier access to market and sales

    • Reduce time and resources wasted chasing the wrong prospects.
    • Increase open and click-through rates.
    • Perform more effective sales discovery.
    • Increase win rate.

    Diagnose Brand Health to Improve Business Growth

    Have a significant and well-targeted impact on business success and growth by knowing how your brand performs, identifying areas of improvement, and making data-driven decisions to fix them.

    • Increase brand awareness and equity.
    • Build trust and improve customer retention and loyalty.
    • Achieve higher and faster growth.

    Bibliography

    Aaker, David. "Managing Brand Equity." Simon & Schuster, 1991.
    "6 Factors for Brands to Consider While Designing Their Communication." Lokus Design, 23 Sept. 2022.
    "20 Advocacy Marketing Statistics You Need to Know." Social Toaster, n.d.
    Bazilian, Emma. "How Millennials and Baby Boomers Consume User-Generated Content And what brands can learn from their preferences." Adweek, January 2, 2017.
    B2B International, a Gyro: company, B2B Blog - Why Human-To-Human Marketing Is the Next Big Trend in a Tech-Obsessed World.
    B2B International, a Gyro: company, The State of B2B Survey 2019 - Winning with Emotions: How to Become Your Customer's First Choice.
    Belyh, Anastasia. "Brand Ambassador 101:Turn Your Personal Brand into Cash." Founder Jar, December 6, 2022.
    Brand Master Academy.com.
    Businesswire, a Berkshire Hathaway Company, "Stackla Survey Reveals Disconnect Between the Content Consumers Want & What Marketers Deliver." February 20, 2019.
    Chamat, Ramzi. "Visual Design: Why First Impressions Matter." 8 Ways, June 5, 2019.
    Cognism. "21 Tips for Building a LinkedIn Personal Brand (in B2B SaaS)."
    Curleigh, James. "How to Enhance and Expand a Global Brand." TED.
    "2019 Edelman Trust Barometer." Edelman.
    Erskine, Ryan. "22 Statistics That Prove the Value of Personal Branding." Entrepreneur, September 13, 2016.
    Forbes, Steve. "Branding for Franchise Success: How To Achieve And Maintain Brand Consistency Across A Franchise Network?" Forbes, 9 Feb. 2020.
    Godin, Seth. "Define: Brand." Seth's Blog, 30 Dec. 2009,
    Houragan, Stephen. "Learn Brand Strategy in 7 Minutes (2023 Crash Course)." YouTube.
    Jallad, Revecka. "To Convert More Customers, Focus on Brand Awareness." Forbes, October 22, 2019.
    Kingsbury, Joe, et al. "2021 B2B Thought Leadership Impact Study." Edelman, 2021.
    Kunsman, Todd. "The Anatomy of an Employee Influencer." EveryoneSocial, September 8, 2022.
    Landor, Walter. A Brand New World: The Fortune Guide to the 21st Century. Time Warner Books, 1999.
    Liedke, Lindsay. "37+ Branding Statistics For 2023: Stats, Facts & Trends." Startup Bonsai, January 2, 2023.
    Millman, Debbie. "How Symbols and Brands Shape our Humanity." TED, 2019.
    Nenova, Velina. "21 Eye-Opening B2B Marketing Statistics to Know in 2023." Techjury, February 9, 2023.
    Perrey, Jesko et al., "The brand is back: Staying relevant in an accelerating age." McKinsey & Company, May 1, 2015.
    Schaub, Kathleen. "Social Buying Meets Social Selling: How Trusted Networks Improve the Purchase Experience." LinkedIn Business, April 2014.
    Sopadjieva, Emma et al. "A Study of 46,000 Shoppers Shows That Omnichannel Retailing Works." Harvard Business Review, January 3, 2017.
    Shaun. "B2B Brand Awareness: The Complete Guide 2023." B2B House. 2023.
    TopRank Marketing, "2020 State of B2B Influencer Marketing Research Report." Influencer Marketing Report.

    Assess Your Cybersecurity Insurance Policy

    • Buy Link or Shortcode: {j2store}255|cart{/j2store}
    • member rating overall impact (scale of 10): 9.1/10 Overall Impact
    • member rating average dollars saved: $33,656 Average $ Saved
    • member rating average days saved: 7 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations must adapt their information security programs to accommodate insurance requirements.
    • Organizations need to reduce insurance costs.
    • Some organizations must find alternatives to cyber insurance.

    Our Advice

    Critical Insight

    • Shopping for insurance policies is not step one.
    • First and foremost, we must determine what the organization is at risk for and how much it would cost to recover.
    • The cyber insurance market is still evolving. As insurance requirements change, effectively managing cyber insurance requires that your organization proactively manages risk.

    Impact and Result

    Perform an insurance policy comparison with scores based on policy coverage and exclusions.

    Assess Your Cybersecurity Insurance Policy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Your Cybersecurity Insurance Policy Storyboard - A step-by-step document that walks you through how to acquire cyber insurance, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Use this blueprint to score your potential cyber insurance policies and develop skills to overcome common insurance pitfalls.

    • Assess Your Cybersecurity Insurance Policy Storyboard

    2. Acquire cyber insurance with confidence – Learn the essentials of the requirements gathering, policy procurement, and review processes.

    Use these tools to gather cyber insurance requirements, prepare for the underwriting process, and compare policies.

    • Threat and Risk Assessment Tool
    • DRP Business Impact Analysis Tool
    • Legacy DRP Business Impact Analysis Tool
    • DRP BIA Scoring Context Example
    • Cyber Insurance Policy Comparison Tool
    • Cyber Insurance Controls Checklist

    Infographic

    Prepare Your Application for PaaS

    • Buy Link or Shortcode: {j2store}181|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Architecture & Strategy
    • Parent Category Link: /architecture-and-strategy
    • The application may have been written a long time ago, and have source code, knowledge base, or design principles misplaced or lacking, which makes it difficult to understand the design and build.
    • The development team does not have a standardized practice for assessing cloud benefits and architecture, design principles for redesigning an application, or performing capacity for planning activities.

    Our Advice

    Critical Insight

    • An infrastructure-driven cloud strategy overlooks application specific complexities. Ensure that an application portfolio strategy is a precursor to determining the business value gained from an application perspective, not just an infrastructure perspective.
    • Business value assessment must be the core of your decision to migrate and justify the development effort.
    • Right-size your application to predict future usage and minimize unplanned expenses. This ensures that you are truly benefiting from the tier costing model that vendors offer.

    Impact and Result

    • Identify and evaluate what cloud benefits your application can leverage and the business value generated as a result of migrating your application to the cloud.
    • Use Info-Tech’s approach to building a robust application that can leverage scalability, availability, and performance benefits while maintaining the functions and features that the application currently supports for the business.
    • Standardize and strengthen your performance testing practices and capacity planning activities to build a strong current state assessment.
    • Use Info-Tech’s elaboration of the 12-factor app to build a clear and robust cloud profile and target state for your application.
    • Leverage Info-Tech’s cloud requirements model to assess the impact of cloud on different requirements patterns.

    Prepare Your Application for PaaS Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a right-sized, design-driven approach to moving your application to a PaaS platform, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Prepare Your Application for PaaS – Phases 1-2

    1. Create your cloud application profile

    Bring the business into the room, align your objectives for choosing certain cloud capabilities, and characterize your ideal PaaS environment as a result of your understanding of what the business is trying to achieve. Understand how to right-size your application in the cloud to maintain or improve its performance.

    • Prepare Your Application for PaaS – Phase 1: Create Your Cloud Application Profile
    • Cloud Profile Tool

    2. Evaluate design changes for your application

    Assess the application against Info-Tech’s design scorecard to evaluate the right design approach to migrating the application to PaaS. Pick the appropriate cloud path and begin the first step to migrating your app – gathering your requirements.

    • Prepare Your Application for PaaS – Phase 2: Evaluate Design Changes for Your Application
    • Cloud Design Scorecard Tool

    [infographic]

     
     

    Position and Agree on ROI to Maximize the Impact of Data and Analytics

    • Buy Link or Shortcode: {j2store}341|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Because ROI is a financial concept, it can be difficult to apply ROI to anything that produces intangible value.
    • It is a lot harder to apply ROI to functions like data and analytics than it is to apply it to functions like sales without misrepresenting its true purpose.

    Our Advice

    Critical Insight

    • The standard ROI formula cannot be easily applied to data and analytics and other critical functions across the organization.
    • Data and analytics ROI strategy is based on the business problem being solved.
    • The ROI score itself doesn’t have to be perfect. Key decision makers need to agree on the parameters and measures of success.

    Impact and Result

    • Agreed-upon ROI parameters
    • Defined measures of success
    • Optimized ROI program effectiveness by establishing an appropriate cadence between key stakeholders

    Position and Agree on ROI to Maximize the Impact of Data and Analytics Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data and Analytics ROI Strategy Deck – A guide for positioning ROI to maximize the value of data and analytics.

    This research is meant to ensure that data and analytics executives are aligned with the key business decision makers. Focus on the value you are trying to achieve rather than perfecting the ROI score.

    • Position and Agree on ROI to Maximize the Impact of Data and Analytics Storyboard

    2. Data and Analytics Service to Business ROI Map – An aligned ROI approach between key decision makers and data and analytics.

    A tool to be used by business and data and analytics decision makers to facilitate discussions about how to approach ROI for data and analytics.

    • Data and Analytics Service to Business ROI Map
    [infographic]

    Further reading

    Position and Agree on ROI to Maximize the Impact of Data and Analytics

    Data and analytics ROI strategy is based on the business problem being solved and agreed-upon value being generated.

    Analyst Perspective

    Missing out on a significant opportunity for returns could be the biggest cost to the project and its sponsor.

    This research is directed to the key decision makers tasked with addressing business problems. It also informs stakeholders that have any interest in ROI, especially when applying it to a data and analytics platform and practice.

    While organizations typically use ROI to measure the performance of their investments, the key to determining what investment makes sense is opportunity cost. Missing out on a significant opportunity for return could be the biggest cost to the project and its sponsor. By making sure you appropriately estimate costs and value returned for all data and analytics activities, you can prioritize the ones that bring in the greatest returns.

    Ibrahim Abdel-Kader
    Research Analyst,
    Data & Analytics Practice
    Info-Tech Research Group
    Ben Abrishami-Shirazi
    Technical Counselor
    Info-Tech Research Group

    Executive Summary – ROI on Data and Analytics

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    Return on investment (ROI) is a financial term, making it difficult to articulate value when trying to incorporate anything that produces something intangible.

    The more financial aspects there are to a professional function (e.g. sales and commodity-related functions), the easier it is to properly assess the ROI.

    However, for functions that primarily enable or support business functions (such as IT and data and analytics), it is a lot harder to apply ROI without misrepresenting its true purpose.

    • Apples and oranges – There is no simple way to apply the standard ROI formula to data and analytics among other critical functions across the organization.
    • Boiling the ocean – Obsession with finding a way to calculate a perfect ROI on data and analytics.
    • Not getting the big picture – Data and analytics teams suffer a skill set deficit when it comes to commercial acumen.
    • Not seeing eye to eye – ROI does not account for time in its calculation, making it prone to misalignment between stakeholders.

    Approach ROI for data and analytics appropriately:

    • Answer the following questions:
      • What is the business problem?
      • Whose business problem is it?
      • What is the objective?
    • Define measures of success based on the answers to the questions above.
    • Determine an appropriate cadence to continuously optimize the ROI program for data and analytics in collaboration with business problem owners.

    Info-Tech Insight

    ROI doesn’t have to be perfect. Parameters and measures of success need to be agreed upon with the key decision makers.

    Glossary

    Return on Investment (ROI): A financial term used to determine how much value has been or will be gained or lost based on the total cost of investment. It is typically expressed as a percentage and is supported by the following formula:

    Payback: How quickly money is paid back (or returned) on the initial investment.
    Business Problem Owner (BPO): A leader in the organization who is accountable and is the key decision maker tasked with addressing a business problem through a series of investments. BPOs may use ROI as a reference for how their financial investments have performed and to influence future investment decisions.
    Problem Solver: A key stakeholder tasked with collaborating with the BPO in addressing the business problem at hand. One of the problem solver’s responsibilities is to ensure that there is an improved return on the BPO’s investments.
    Return Enhancers: A category for capabilities that directly or indirectly enhance the return of an investment.
    Cost Savers: A category for capabilities that directly or indirectly save costs in relation of an investment.
    Investment Opportunity Enablers: A category for capabilities that create or enable a new investment opportunity that may yield a potential return.
    Game Changing Components: The components of a capability that directly yield value in solving a business problem.

    ROI strategy on data and analytics

    The image contains a screenshot of a diagram that demonstrates the ROI strategy on data and analytics.

    ROI roles

    Typical roles involved in the ROI strategy across the organization

    CDOs and CAOs typically have their budget allocated from both IT and business units.

    This is evidenced by the “State of the CIO Survey 2023” reporting that up to 63% of CDOs and CAOs have some budget allocated from within IT; therefore, up to 37% of budgets are entirely funded by business executives.

    This signifies the need to be aligned with peer executives and to use mechanisms like ROI to maximize the performance of investments.

    Source: Foundry, “State of the CIO Survey 2023.”

    Staff the Service Desk to Meet Demand

    • Buy Link or Shortcode: {j2store}490|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $1,900 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Service Desk
    • Parent Category Link: /service-desk
    • With increasing complexity of support and demand on service desks, staff are often left feeling overwhelmed and struggling to keep up with ticket volume, resulting in long resolution times and frustrated end users.
    • However, it’s not as simple as hiring more staff to keep up with ticket volume. IT managers must have the data to support their case for increasing resources or even maintaining their current resources in an environment where many executives are looking to reduce headcount.
    • Without changing resources to match demand, IT managers will need to determine how to maximize the use of their resources to deliver better service.

    Our Advice

    Critical Insight

    • IT managers are stuck with the difficult task of determining the right number of service desk resources to meet demand to executives who perceive the service desk to be already effective.
    • Service desk managers often don’t have accurate historical data and metrics to justify their headcount, or don’t know where to start to find the data they need.
    • They often then fall prey to the common misperception that there is an industry standard ratio of the ideal number of service desk analysts to users. IT leaders who rely on staffing ratios or industry benchmarks fail to take into account the complexity of their own organization and may make inaccurate resourcing decisions.

    Impact and Result

    • There’s no magic, one-size-fits-all ratio to tell you how many service desk staff you need based on your user base alone. There are many factors that come into play, including the complexity of your environment, user profiles, ticket volume and trends, and maturity and efficiency of your processes.
    • If you don’t have historical data to help inform resourcing needs, start tracking ticket volume trends now so that you can forecast future needs.
    • If your data suggests you don’t need more staff, look to other ways to maximize your time and resources to deliver more efficient service.

    Staff the Service Desk to Meet Demand Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize service desk staffing, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine environment and operating model

    Define your business and IT environment, service desk operating model, and existing challenges to inform objectives.

    • Service Desk Staffing Stakeholder Presentation

    2. Determine staffing needs

    Understand why service desk staffing estimates should be based on your unique workload, then complete the Staffing Calculator to estimate your needs.

    • Service Desk Staffing Calculator

    3. Interpret data to plan approach

    Review workload over time to analyze trends and better inform your overall resourcing needs, then plan your next steps to optimize staffing.

    [infographic]

    2024 Tech Trends

    • Buy Link or Shortcode: {j2store}289|cart{/j2store}
    • member rating overall impact (scale of 10): 10
    • Parent Category Name: Innovation
    • Parent Category Link: /improve-your-core-processes/strategy-and-governance/innovation

    AI has revolutionized the landscape, placing the spotlight firmly on the generative enterprise.

    The far-reaching impact of generative AI across various sectors presents fresh prospects for organizations to capitalize on and novel challenges to address as they chart their path for the future. AI is more than just a fancy auto-complete. At this point it may look like that, but do not underestimate the evolutive power.

    In this year's Tech Trends report, we explore three key developments to capitalize on these opportunities and three strategies to minimize potential risks.

    Generative AI will take the lead.

    As AI transforms industries and business processes, IT and business leaders must adopt a deliberate and strategic approach across six key domains to ensure their success.

    Seize Opportunities:

    • Business models driven by AI
    • Automation of back-office functions
    • Advancements in spatial computing

    Mitigate Risks:

    • Ethical and responsible AI practices
    • Incorporating security from the outset
    • Ensuring digital sovereignty

    Modernize Enterprise Storage

    • Buy Link or Shortcode: {j2store}538|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • Current storage solutions are nearing end of life, performance or capacity limits.
    • Data continues to grow at an exponential rate, and management complexity is growing even faster. Some kinds of data, like unstructured data, are leading factors in the exponential growth of data.
    • Emerging storage technologies and storage software/automation are disrupting the market and redefining the role of disk arrays, including how storage aligns with people and process.
    • Storage infrastructure budgets are not satisfying the exponential growth of data.

    Our Advice

    Critical Insight

    • Start with the data, not storage. Answer what is being stored and why before investigating the where and how of storage solutions.
    • Governance and archiving are not IT projects. These can have tremendous benefits for managing data growth but must involve the larger business.
    • More capacity is not a long-term solution. Data is growing faster than decreasing storage costs. Data and capacity mitigation strategies will help in more effective and efficient infrastructure utilization and cost reduction.

    Impact and Result

    • It’s about the data. Start with what is being supported and why. Decide on what and how data is stored before you decide on where. Let the needs of your workloads and governance requirements of your business drive your storage infrastructure decisions and the technologies you adopt.
    • Identify current and future capacity needs for current and future data drivers. Evaluating the ability of current infrastructure to meet these needs will help you discover necessary additions to meet these requirements.
    • Identify governance requirements and constraints that exist across the organization and are specific to workloads. Technology has to conform to these requirements and constraints, not the other way around.
    • Align people and process with technology changes. To effectively utilize the changes in storage, appropriate changes must be made to existing people and process.

    Modernize Enterprise Storage Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize enterprise storage, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build the case for storage modernization

    Develop the business case for modernizing storage and assess your existing infrastructure for meeting data needs.

    • Modernize Enterprise Storage – Phase 1: Build the Case for Storage Modernization
    • Modernize Enterprise Storage Workbook

    2. Develop your storage technology needs and goals

    Review data governance, explore emerging storage technologies, and identify current and future storage needs.

    • Modernize Enterprise Storage – Phase 2: Develop Your Storage Technology Needs and Goals
    • Evaluate Hyperconverged Infrastructure for Your Infrastructure Roadmap
    • Evaluate Software-Defined Storage Solutions for Your Infrastructure Roadmap
    • Evaluate All Flash in Primary Storage for Your Infrastructure Roadmap
    • Infrastructure Roadmap Technology Assessment Tool

    3. Develop and communicate the roadmap, TCO, and RFP

    Communicate the roadmap with people, process, and technology initiatives, develop an RFP, and conduct a TCO.

    • Modernize Enterprise Storage – Phase 3: Develop and Communicate the Roadmap and RFP
    • Modernize Enterprise Storage Communications Report
    [infographic]

    Workshop: Modernize Enterprise Storage

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Business Case and Assess Current State

    The Purpose

    Identify a business case and need for storage modernization by assessing current and future storage needs.

    Key Benefits Achieved

    A clear understanding of the business expectations and needs of storage infrastructure.

    Activities

    1.1 Identify current storage pain points.

    1.2 Discuss storage modernization drivers.

    1.3 Identify data growth drivers.

    1.4 Determine relative growth burden.

    Outputs

    Alignment of storage modernization with organizational pain points

    Desired outcomes of storage modernization

    An understanding of growth impact across drivers

    An understanding of capacity and expansion needs

    2 Review Governance and Emerging Technologies

    The Purpose

    Review existing data governance.

    Explore emerging technologies and trends in the storage space.

    Key Benefits Achieved

    Review data governance objectives that must be met.

    Identify a shortlist of storage technologies and trends that may be of interest.

    Activities

    2.1 Shortlist interest in storage technologies.

    2.2 Prioritize shortlist of storage technologies.

    2.3 Identify solutions that meet data and governance needs.

    Outputs

    A starting point for research into new and emerging storage technologies

    Expressed interest in adopting storage technologies

    A list of storage solutions needed to deliver on future data and governance needs

    3 Identify Storage Needs and Develop Initiatives

    The Purpose

    Identify the people, process, and technology initiatives required to adopt new storage technologies.

    Key Benefits Achieved

    Align your organizational people and process with new and disruptive technologies to best take advantage of what these new technologies have to offer.

    Activities

    3.1 Complete future storage structure planning tool.

    3.2 Identify storage modernization technology initiatives.

    3.3 Identify storage modernization people initiatives.

    3.4 Identify storage modernization process initiatives.

    Outputs

    A understanding of the future state of your storage infrastructure

    Technology initiatives needed to adopt storage structure

    People initiatives needed to adopt storage structure

    Process initiatives needed to adopt storage structure

    4 Build a Roadmap and RFP, Calculate TCO

    The Purpose

    Develop an executive communications report.

    Conduct a TCO analysis comparing on-premises and cloud storage solutions.

    Key Benefits Achieved

    Communicate storage modernization goals and plans to stakeholders.

    Activities

    4.1 Prioritize storage modernization initiatives.

    4.2 Complete project timeline and build roadmap.

    4.3 Compare TCO of on-premises and cloud storage solutions.

    Outputs

    Alignment of people, process, and technology with storage adoption

    Communicate storage modernization goals and plans to stakeholders and executives

    Compare cost of on-premises and cloud storage alternatives

    Reduce Manual Repetitive Work With IT Automation

    • Buy Link or Shortcode: {j2store}458|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $34,099 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • IT staff are overwhelmed with manual repetitive work.
    • You have little time for projects.
    • You cannot move as fast as the business wants.

    Our Advice

    Critical Insight

    • Optimize before you automate.
    • Foster an engineering mindset.
    • Build a process to iterate.

    Impact and Result

    • Begin by automating a few tasks with the highest value to score quick wins.
    • Define a process for rolling out automation, leveraging SDLC best practices.
    • Determine metrics and continually track the success of the automation program.

    Reduce Manual Repetitive Work With IT Automation Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why you should reduce manual repetitive work with IT automation.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify automation candidates

    Select the top automation candidates to score some quick wins.

    • Reduce Manual Repetitive Work With IT Automation – Phase 1: Identify Automation Candidates
    • IT Automation Presentation
    • IT Automation Worksheet

    2. Map and optimize process flows

    Map and optimize process flows for each task you wish to automate.

    • Reduce Manual Repetitive Work With IT Automation – Phase 2: Map & Optimize Process Flows

    3. Build a process for managing automation

    Build a process around managing IT automation to drive value over the long term.

    • Reduce Manual Repetitive Work With IT Automation – Phase 3: Build a Process for Managing Automation

    4. Build automation roadmap

    Build a long-term roadmap to enhance your organization's automation capabilities.

    • Reduce Manual Repetitive Work With IT Automation – Phase 4: Build Automation Roadmap
    • IT Automation Roadmap
    [infographic]

    Workshop: Reduce Manual Repetitive Work With IT Automation

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Automation Candidates

    The Purpose

    Identify top candidates for automation.

    Key Benefits Achieved

    Plan to achieve quick wins with automation for early value.

    Activities

    1.1 Identify MRW pain points.

    1.2 Drill down pain points into tasks.

    1.3 Estimate the MRW involved in each task.

    1.4 Rank the tasks based on value and ease.

    1.5 Select top candidates and define metrics.

    1.6 Draft project charters.

    Outputs

    MRW pain points

    MRW tasks

    Estimate of MRW involved in each task

    Ranking of tasks for suitability for automation

    Top candidates for automation & success metrics

    Project charter(s)

    2 Map & Optimize Processes

    The Purpose

    Map and optimize the process flow of the top candidate(s).

    Key Benefits Achieved

    Requirements for automation of the top task(s).

    Activities

    2.1 Map process flows.

    2.2 Review and optimize process flows.

    2.3 Clarify logic and finalize future-state process flows.

    Outputs

    Current-state process flows

    Optimized process flows

    Future-state process flows with complete logic

    3 Build a Process for Managing Automation

    The Purpose

    Develop a lightweight process for rolling out automation and for managing the automation program.

    Key Benefits Achieved

    Ability to measure and to demonstrate success of each task automation, and of the program as a whole.

    Activities

    3.1 Kick off your test plan for each automation.

    3.2 Define process for automation rollout.

    3.3 Define process to manage your automation program.

    3.4 Define metrics to measure success of your automation program.

    Outputs

    Test plan considerations

    Automation rollout process

    Automation program management process

    Automation program metrics

    4 Build Automation Roadmap

    The Purpose

    Build a roadmap to enhance automation capabilities.

    Key Benefits Achieved

    A clear timeline of initiatives that will drive improvement in the automation program to reduce MRW.

    Activities

    4.1 Build a roadmap for next steps.

    Outputs

    IT automation roadmap

    Further reading

    Reduce Manual Repetitive Work With IT Automation

    Free up time for value-adding jobs.

    ANALYST PERSPECTIVE

    Automation cuts both ways.

    Automation can be very, very good, or very, very bad.
    Do it right, and you can make your life a whole lot easier.
    Do it wrong, and you can suffer some serious pain.
    All too often, automation is deployed willy-nilly, without regard to the overall systems or business processes in which it lives.
    IT professionals should follow a disciplined and consistent approach to automation to ensure that they maximize its value for their organization.

    Derek Shank,
    Research Analyst, Infrastructure & Operations
    Info-Tech Research Group

    Executive summary

    Situation

    • IT staff are overwhelmed with manual repetitive work.
    • You have little time for projects.
    • You cannot move as fast as the business wants.

    Complication

    • Automation is simple to say, but hard to implement.
    • Vendors claim automation will solve all your problems.
    • You have no process for managing automation.

    Resolution

    • Begin by automating a few tasks with the highest value to score quick wins.
    • Define a process for rolling out automation, leveraging SDLC best practices.
    • Determine metrics and continually track the success of the automation program.

    Info-Tech Insight

    1. Optimize before you automate.The current way isn’t necessarily the best way.
    2. Foster an engineering mindset.Your team members may not be process engineers, but they should learn to think like one.
    3. Build a process to iterate.Effective automation can't be a one-and-done. Define a lightweight process to manage your program.

    Infrastructure & operations teams are overloaded with work

    • DevOps and digital transformation initiatives demand increased speed.
    • I&O is still tasked with security and compliance and audit.
    • I&O is often overloaded and unable to keep up with demand.

    Manual repetitive work (MRW) sucks up time

    • Manual repetitive work is a fact of life in I&O.
    • DevOps circles refer to this type of work simply as “toil.”
    • Toil is like treading water: it must be done, but it consumes precious energy and effort just to stay in the same place.
    • Some amount of toil is inevitable, but it's important to measure and cap toil, so it does not end up overwhelming your team's whole capacity for engineering work.

    Info-Tech Insight

    Follow our methodology to focus IT automation on reducing toil.

    Manual hand-offs create costly delays

    • Every time there is a hand-off, we lose efficiency and productivity.
    • In addition to the cost of performing manual work itself, we must also consider the impact of lost productivity caused by the delay of waiting for that work to be performed.

    Every queue is a tire fire

    Queues create waste and are extremely damaging. Like a tire fire, once you get started, they’re almost impossible to stamp out!

    Increase queues if you want

    • “More overhead”
    • “Lower quality”
    • “More variability”
    • “Less motivation”
    • “Longer cycle time”
    • “Increased risk”

    (Source: Edwards, citing Donald G. Reinersten: The Principles of Product Development Flow: Second Generation Lean Product Development )

    Increasing complexity makes I&O’s job harder

    Every additional layer of complexity multiplies points of failure. Beyond a certain level of complexity, troubleshooting can become a nightmare.

    Today, Operations is responsible for the outcomes of a full stack of a very complex, software-defined, API-enabled system running on infrastructure they may or may not own.
    – Edwards

    Growing technical debt means an ever-rising workload

    • Enterprises naturally accumulate technical debt.
    • All technology requires care and feeding.
    • I&O cannot control how much technology it’s expected to support.
    • I&O faces a larger and larger workload as technical debt accumulates.

    The systems built under each new technology paradigm never fully replace the systems built under the old paradigms. It’s not uncommon for an enterprise to have an accumulation of systems built over 10-15 years and have no budget, risk appetite, or even a viable path to replace them all. With each shift, who bares [SIC] the brunt of the responsibility for making sure the old and the new hang together? Operations, of course. With each new advance, Operations juggles more complexity and more layers of legacy technologies than ever before.
    – Edwards

    Most IT shops can’t have a dedicated engineering team

    • In most organizations, the team that builds things is best equipped to support them.
    • Often the knowledge to design systems and the knowledge to run those systems naturally co-exists in the same personnel resources.
    • When your I&O team is trying to do engineering work, they can end up frequently interrupted to perform operational tasks.
    A Venn Diagram is depicted which compares People who build things with People who run things. the two circles are almost completely overlapping, indicating the strong connection between the two groups.

    Personnel resources in most IT organizations overlap heavily between “build” and “run.”

    IT operations must become an engineering practice

    • Usually you can’t double your staff or double their hours.
    • IT professionals must become engineers.
    • We do this by automating manual repetitive work and reducing toil.
    Two scenarios are depicted. The first scenario is found at a hypothetical work camp, in which one employee performs the task of manually splitting firewood with an axe. In order to split twice as much firewood, the employee would need to spend twice the time. The second scenario is Engineering Operations. in this scenario, a wood processor is used to automate the task, allowing far more wood to be split in same amount of time.

    Build your Sys Admin an Iron Man suit

    Some CIOs see a Sys Admin and want to replace them with a Roomba. I see a Sys Admin and want to build them an Iron Man suit.
    – Deepak Giridharagopal, CTO, Puppet

    Two Scenarios are depicted. In one, an employee is replaced by automation, represented by a Roomba, reducing costs by laying off a single employee. In the second scenario, the single employee is given automated tools to do their job, represented by an iron-man suit, leading to a 10X boost in employee productivity.

    Use automation to reduce risk

    Consistency

    When we automate, we can make sure we do something the same way every time and produce a consistent result.

    Auditing and Compliance

    We can design an automated execution that will ship logs that provide the context of the action for a detailed audit trail.

    Change

    • Enterprise environments are continually changing.
    • When context changes, so does the procedure.
    • You can update your docs all you want, but you can't make people read them before executing a procedure.
    • When you update the procedure itself, you can make sure it’s executed properly.

    Follow Info-Tech’s approach: Start small and snowball

    • It’s difficult for I&O to get the staffing resources it needs for engineering work.
    • Rather than trying to get buy-in for resources using a “top down” approach, Info-Tech recommends that I&O score some quick wins to build momentum.
    • Show success while giving your team the opportunity to build their engineering chops.

    Because the C-suite relies on upwards communication — often filtered and sanitized by the time it reaches them — executives don’t see the bottlenecks and broken processes that are stalling progress.
    – Andi Mann

    Info-Tech’s methodology employs a targeted approach

    • You aren’t going to automate IT operations end-to-end overnight.
    • In fact, such a large undertaking might be more effort than it’s worth.
    • Info-Tech’s methodology employs a targeted approach to identify which candidates will score some quick wins.
    • We’ll demonstrate success, gain momentum, and then iterate for continual improvement.

    Invest in automation to reap long-term rewards

    • All too often people think of automation like a vacuum cleaner you can buy once and then forget.
    • The reality is you need to perform care and feeding for automation like for any other process or program.
    • To reap the greatest rewards you must continually invest in automation – and invest wisely.

    To get the full ROI on your automation, you need to treat it like an employee. When you hire an employee, you invest in that person. You spend time and resources training and nurturing new employees so they can reach their full potential. The investment in a new employee is no different than your investment in automation.– Edwards

    Measure the success of your automation program

    Example of How to Estimate Dollar Value Impact of Automation
    Metric Timeline Target Value
    Hours of manual repetitive work 12 months 20% reduction $48,000/yr.(1)
    Hours of project capacity 18 months 30% increase $108,000/yr.(2)
    Downtime caused by errors 6 months 50% reduction $62,500/yr.(3)

    1 15 FTEs x 80k/yr.; 20% of time on MRW, reduced by 20%
    2 15 FTEs x 80k/yr.; 30% project capacity, increased by 30%
    3 25k/hr. of downtime.; 5 hours per year of downtime caused by errors

    Automating failover for disaster recovery

    CASE STUDY

    Industry Financial Services
    Source Interview

    Challenge

    An IT infrastructure manager had established DR failover procedures, but these required a lot of manual work to execute. His team lacked the expertise to build automation for the failover.

    Solution

    The manager hired consultants to build scripts that would execute portions of the failover and pause at certain points to report on outcomes and ask the human operator whether to proceed with the next step.

    Results

    The infrastructure team reduced their achievable RTOs as follows:
    Tier 1: 2.5h → 0.5h
    Tier 2: 4h → 1.5h
    Tier 3: 8h → 2.5h
    And now, anyone on the team could execute the entire failover!

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Reduce Manual Repetitive Work With IT Automation – project overview

    1. Select Candidates 2. Map Process Flows 3. Build Process 4. Build Roadmap
    Best-Practice Toolkit

    1.1 Identify MRW pain points

    1.2 Drill down pain points into tasks

    1.3 Estimate the MRW involved in each task

    1.4 Rank the tasks based on value and ease

    1.5 Select top candidates and define metrics

    1.6 Draft project charters

    2.1 Map process flows

    2.2 Review and optimize process flows

    2.3 Clarify logic and finalize future-state process flows

    3.1 Kick off your test plan for each automation

    3.2 Define process for automation rollout

    3.3 Define process to manage your automation program

    3.4 Define metrics to measure success of your automation program

    4.1 Build automation roadmap

    Guided Implementations

    Introduce methodology.

    Review automation candidates.

    Review success metrics.

    Review process flows.

    Review end-to-end process flows.

    Review testing considerations.

    Review automation SDLC.

    Review automation program metrics.

    Review automation roadmap.

    Onsite Workshop Module 1:
    Identify Automation Candidates
    Module 2:
    Map and Optimize Processes
    Module 3:
    Build a Process for Managing Automation
    Module 4:
    Build Automation Roadmap
    Phase 1 Results:
    Automation candidates and success metrics
    Phase 2 Results:
    End-to-end process flows for automation
    Phase 3 Results:
    Automation SDLC process, and automation program management process
    Phase 4 Results:
    Automation roadmap

    Harness Configuration Management Superpowers

    • Buy Link or Shortcode: {j2store}303|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $12,999 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Configuration management databases (CMDB) are a lot of work to build and maintain. Starting down this process without the right tools, processes, and buy-in is a lot of work with very little reward.
    • If you decide to just build it and expect they will come, you may find it difficult to articulate the value, and you will be disappointed by the lack of visitors.
    • Relying on manual entry or automated data collection without governance may result in data you can’t trust, and if no one trusts the data, they won’t use it.

    Our Advice

    Critical Insight

    • The right mindset is just as important as the right tools. By involving everyone early, you can ensure the right data is captured and validated and you can make maintenance part of the culture. This is critical to reaching early and continual value with a CMDB.

    Impact and Result

    • Define your use cases: Identify the use cases and prioritize those objectives into phases. Define what information will be needed to meet the use cases and how that information will be populated.
    • Understand and design the CMDB data model: Define services and undiscoverable configuration items (CI) and map them to the discoverable CIs.
    • Operationalize configuration record updates: Define data stewards and governance processes and integrate your configuration management practice with existing practices and lifecycles.

    Harness Configuration Management Superpowers Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Harness Configuration Management Superpowers Deck – A step-by-step document that walks you through creating a configuration management program.

    Use this blueprint to create a configuration management program that provides immediate value.

    • Harness Configuration Management Superpowers – Phases 1-4

    2. Configuration Management Project Charter Template – A project charter template to help you build a concise document for communicating appropriate project details to stakeholders.

    Use this template to create a project charter to launch the configuration management project.

    • Configuration Management Project Charter

    3. Configuration Control Board Charter Template – A board charter template to help you define the roles and responsibilities of the configuration control board.

    Use this template to create your board charter for your configuration control board (CCB). Define roles and responsibilities and mandates for the CCB.

    • Configuration Control Board Charter

    4. Configuration Management Standard Operating Procedures (SOP) Template – An SOP template to describe processes and procedures for ongoing maintenance of the CMDB under the configuration management program.

    Use this template to create and communicate your SOP to ensure ongoing maintenance of the CMDB under the configuration management program.

    • Configuration Management Standard Operation Procedures

    5. Configuration Management Audit and Validation Checklist Template – A template to be used as a starting point to meet audit requirements under NIST and ITIL programs.

    Use this template to assess capability to pass audits, adding to the template as needed to meet internal auditors’ requirements.

    • Configuration Management Audit and Validation Checklist

    6. Configuration Management Policy Template – A template to be used for building out a policy for governance over the configuration management program.

    Use this template to build a policy for your configuration management program.

    • Configuration Management Policy

    7. Use Cases and Data Worksheet – A template to be used for validating data requirements as you work through use cases.

    Use this template to determine data requirements to meet use cases.

    • Use Cases and Data Worksheet

    8. Configuration Management Diagram Template Library – Examples of process workflows and data modeling.

    Use this library to view sample workflows and a data model for the configuration management program.

    • Configuration Management Diagram Template Library (Visio)
    • Configuration Management Diagram Template Library (PDF)

    9. Configuration Manager Job Description – Roles and responsibilities for the job of Configuration Manager.

    Use this template as a starting point to create a job posting, identifying daily activities, responsibilities, and required skills as you create or expand your configuration management program.

    • Configuration Manager

    Infographic

    Workshop: Harness Configuration Management Superpowers

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Configuration Management Strategy

    The Purpose

    Define the scope of your service configuration management project.

    Design the program to meet specific stakeholders needs

    Identify project and operational roles and responsibilities.

    Key Benefits Achieved

    Designed a sustainable approach to building a CMDB.

    Activities

    1.1 Introduction

    1.2 Define challenges and goals.

    1.3 Define and prioritize use cases.

    1.4 Identify data needs to meet these goals.

    1.5 Define roles and responsibilities.

    Outputs

    Data and reporting use cases based on stakeholder requirements

    Roles and responsibility matrix

    2 CMDB Data Structure

    The Purpose

    Build a data model around the desired use cases.

    Identify the data sources for populating the CMDB.

    Key Benefits Achieved

    Identified which CIs and relationships will be captured in the CMDB.

    Activities

    2.1 Define and prioritize your services.

    2.2 Evaluate CMDB default classifications.

    2.3 Test configuration items against existing categories.

    2.4 Build a data model diagram.

    Outputs

    List of CI types and relationships to be added to default settings

    CMDB data model diagram

    3 Processes

    The Purpose

    Key Benefits Achieved

    Built a right-sized approach to configuration record updates and data validation.

    Activities

    3.1 Define processes for onboarding, offboarding, and maintaining data in the CMDB.

    3.2 Define practices for configuration baselines.

    3.3 Build a data validation and auditing plan.

    Outputs

    Documented processes and workflows

    Data validation and auditing plan

    4 Communications & Roadmap

    The Purpose

    Key Benefits Achieved

    Metrics program defined

    Communications designed

    Activities

    4.1 Define key metrics for configuration management.

    4.2 Define metrics for supporting services.

    4.3 Build configuration management policies.

    4.4 Create a communications plan.

    4.5 Build a roadmap

    Outputs

    Policy for configuration management

    Communications documents

    Roadmap for next steps

    Further reading

    Harness Configuration Management Superpowers

    Create a configuration management practice that will provide ongoing value to the organization.

    EXECUTIVE BRIEF

    Analyst Perspective

    A robust configuration management database (CMDB) can provide value to the business and superpowers to IT. It's time to invest smartly to reap the rewards.

    IT environments are becoming more and more complex, and balancing demands for stability and demands for faster change requires visibility to make the right decisions. IT needs to know their environment intimately. They need to understand dependencies and integrations and feel confident they are making decisions with the most current and accurate view.

    Solutions for managing operations rely on the CMDB to bring visibility to issues, calculate impact, and use predictive analytics to fix performance issues before they become major incidents. AIOps solutions need accurate data, but they can also help identify configuration drift and flag changes or anomalies that need investigation.

    The days of relying entirely on manual entry and updates are all but gone, as the functionality of a robust configuration management system requires daily updates to provide value. We used to rely on that one hero to make sure information was up to date, but with the volume of changes we see in most environments today, it's time to improve the process and provide superpowers to the entire IT department.

    This is a picture of Sandi Conrad

    Sandi Conrad, ITIL Managing Professional
    Principal Research Director, IT Infrastructure & Operations, Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Build a configuration management database (CMDB): You need to implement a CMDB, populate it with records and relationships, and integrate it with discovery and management tools.
    • Identify the benefits of a CMDB: Too many CMDB projects fail because IT tries to collect everything. Base your data model on the desired use cases.
    • Define roles and responsibilities: Keeping data accurate and updated is difficult. Identify who will be responsible for helping

    Common Obstacles

    • Significant process maturity is required: Service configuration management (SCM) requires high maturity in change management, IT asset management, and service catalog practices.
    • Large investment: Building a CMDB takes a large amount of effort, process, and expertise.
    • Tough business case: Configuration management doesn't directly provide value to the business, but it requires a lot of investment from IT.

    Info-Tech's Approach

    • Define your scope and objectives: Identify the use cases for SCM and prioritize those objectives into phases.
    • Design the CMDB data model: Align with your existing configuration management system's data model.
    • Operationalize configuration record updates: Integrate your SCM practice with existing practices and lifecycles.

    Start small

    Scope creep is a serial killer of configuration management databases and service configuration management practices.

    Insight summary

    Many vendors are taking a CMDB-first approach to enable IT operations or sometimes asset management. It's important to ensure processes are in place immediately to ensure the data doesn't go stale as additional modules and features are activated.

    Define processes early to ensure success

    The right mindset is just as important as the right tools. By involving everyone early, you can ensure the right data is captured and validated and you can make maintenance part of the culture. This is critical to reaching early and continual value with a CMDB.

    Identify use cases

    The initial use case will be the driving force behind the first assessment of return on investment (ROI). If ROI can be realized early, momentum will increase, and the team can build on the initial successes.

    If you don't see value in the first year, momentum diminishes and it's possible the project will never see value.

    Keep the initial scope small and focused

    Discovery can collect a lot of data quickly, and it's possible to be completely overwhelmed early in the process.

    Build expertise and troubleshoot issues with a smaller scope, then build out the process.

    Minimize customizations

    Most CMDBs have classes and attributes defined as defaults. Use of the defaults will enable easier implementation and faster time to value, especially where automations and integrations depend on standard terms for field mapping.

    Automate as much as possible

    In large, complex environments, the data can quickly become unmanageable. Use automation as much as possible for discovery, dependency mapping, validation, and alerts. Minimize the amount of manual work but ensure everyone is aware of where and how these manual updates need to happen to see continual value.

    Info-Tech's Harness Configuration Management Superpowers.

    Configuration management will improve functionality of all surrounding processes

    A well-functioning CMDB empowers almost all other IT management and governance practices.

    Service configuration management is about:

    • Building a system of record about IT services and the components that support those services.
    • Continuously reconciling and validating information to ensure data accuracy.
    • Ensuring the data lifecycle is defined and well understood and can pass data and process audits.
    • Accessing information in a variety of ways to effectively serve IT and the business.
    An image of Info-Tech's CMDB Configuration Management tree, breaking down aspects into the following six categories: Strategic Partner; Service Provider; Proactive; Stabilize; Core; and Foundational.

    Configuration management most closely impacts these practices

    Info-Tech Research Group sees a clear relationship.

    When an IT department reports they are highly effective at configuration management, they are much more likely to report they are highly effective at these management and governance processes:

    The following management and governance processes are listed: Quality Management; Asset Management; Performance Measurement; Knowledge Management; Release Management; Incident and Problem Management; Service Management; Change Management.

    The data is clear

    Service configuration management is about more than just doing change management more effectively.

    Source: Info-Tech Research Group, IT Management and Governance Diagnostic; N=684 organizations, 2019 to July 2022.

    Make the case to use configuration management to improve IT operations

    Consider the impact of access to data for informing innovations, optimization efforts, and risk assessments.

    75% of Uptime's 2021 survey respondents who had an outage in the past three years said the outage would have been prevented if they'd had better management or processes.(1)

    75%

    75% of Uptime's 2021 survey respondents who had an outage in the past three years said the outage would have been prevented if they'd had better management or processes.(1)

    42%

    of publicly reported outages were due to software or configuration issues. (1)

    58%

    of networking-related IT outages were due to configuration and change management failure.(1)

    It doesn't have to be that way!

    Enterprise-grade IT service management (ITSM) tools require a CMDB for the different modules to work together and to enable IT operations management (ITOM), providing greater visibility.

    Decisions about changes can be made with accurate data, not guesses.

    The CMDB can give the service desk fast access to helpful information about the impacted components, including a history of similar incidents and resolutions and the relationship between the impacted components and other systems and components.

    Turn your team into IT superheroes.

    CMDB data makes it easier for IT Ops groups to:

    • Avoid change collisions.
    • Eliminate poor changes due to lack of visibility into complex systems.
    • Identify problematic equipment.
    • Troubleshoot incidents.
    • Expand the services provided by tier 1 and through automation.

    Benefits of configuration management

    For IT

    • Configuration management will supercharge processes that have relied on inherent knowledge of the IT environment to make decisions.
    • IT will more quickly analyze and understand issues and will be positioned to improve and automate issue identification and resolution.
    • Increase confidence and reduce risks for decisions involving release and change management with access to accurate data, regardless of the complexity of the environment.
    • Reduce or eliminate unplanned work related to poor outcomes due to decisions made with incorrect or incomplete data.

    For the Business

    • Improve strategic planning for business initiatives involving IT solutions, which may include integrations, development, or security concerns.
    • More quickly deploy new solutions or updates due to visibility into complex environments.
    • Enable business outcomes with reliable and stable IT systems.
    • Reduce disruptions caused by planning without accurate data and improve resolution times for service interruptions.
    • Improve access to reporting for budgeting, showbacks, and chargebacks as well as performance metrics.

    Measure the value of this blueprint

    Fast-track your planning and increase the success of a configuration management program with this blueprint

    Workshop feedback
    8.1/10

    $174,000 savings

    30 average days saved

    Guided Implementation feedback

    8.7/10

    $31,496 average savings

    41 average days saved

    "The workshop was well run, with good facilitation, and gained participation from even the most difficult parts of the audience. The best part of the experience was that if I were to find myself in the same position in the future, I would repeat the workshop."

    – University of Exeter

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Prioritize services and use cases.

    Call #3: Identify data needed to meet goals.

    Call #4: Define roles and responsibilities.

    Call #5: Define and prioritize your services.

    Call #6: Evaluate and test CMDB default classifications.

    Call #7: Build a data model diagram.

    Call #8: Define processes for onboarding, offboarding, and maintaining data.

    Call #9: Discuss configuration baselines.

    Call #10: Build a data validation and audit plan.

    Call #11: Define key metrics.

    Call #12: Build a configuration management policy and communications plan.

    Call #13: Build a roadmap.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 9 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4

    Configuration Management Strategy

    CMDB Data Structure

    Process Design

    Communications & Roadmap

    Activities
    • Introduction
    • Define challenges and goals.
    • Define and prioritize use cases.
    • Identify data needed to meet goals.
    • Define roles and responsibilities.
    • Define and prioritize your services.
    • Evaluate CMDB default classifications.
    • Test configuration items against existing categories.
    • Build a data model diagram.
    • Define processes for onboarding, offboarding, and maintaining data in the CMDB.
    • Define practices for configuration baselines.
    • Build a data validation and auditing plan.
    • Define key metrics for configuration management.
    • Define metrics for supporting services.
    • Build configuration management policies.
    • Create a communications plan.
    • Build a roadmap.

    Deliverables

    • Roles and responsibility matrix
    • Data and reporting use cases based on stakeholder requirements
    • List of CI types and relationships to be added to default settings
    • CMDB data model diagram
    • Documented processes and workflows
    • Data validation and auditing plan
    • Policy for configuration management
    • Roadmap for next steps
    • Communications documents

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Configuration Management Project Charter

    Detail your approach to building an SCM practice and a CMDB.

    Screenshot from the Configuration Management Project Charter

    Use Cases and Data Worksheet

    Capture the action items related to your SCM implementation project.

    Screenshot from the Use Cases and Data Worksheet

    Configuration Manager Job Description

    Use our template for a job posting or internal job description.

    Screenshot from the Configuration Manager Job Description

    Configuration Management Diagram Template Library

    Use these diagrams to simplify building your SOP.

    Screenshot from the Configuration Management Diagram Template Library

    Configuration Management Policy

    Set expectations for configuration control.

    screenshot from the Configuration Management Policy

    Configuration Management Audit and Validation Checklist

    Use this framework to validate controls.

    Screenshot from the Configuration Management Audit and Validation Checklist

    Configuration Control Board Charter

    Define the board's responsibilities and meeting protocols.

    Screenshot from the Configuration Management Audit and Validation Checklist

    Key deliverable:

    Configuration Management Standard Operating Procedures Template

    Outlines SCM roles and responsibilities, the CMDB data model, when records are expected to change, and configuration baselines.

    Four Screenshots from the Configuration Management Standard Operating Procedures Template

    Phase 1

    Configuration Management Strategy

    Strategy Data Structure Processes Roadmap
    • Challenges and Goals
    • Use Cases and Data
    • Roles and Responsibilities
    • Services
    • Classifications
    • Data Modeling
    • Lifecycle Processes
    • Baselines
    • Audit and Data Validation
    • Metrics
    • Communications Plan
    • Roadmap

    This phase will walk you through the following aspects of a configuration management system:

    • Scope
    • Use Cases
    • Reports and Analytics

    This phase involves the following participants:

    • IT and business service owners
    • Business/customer relationship managers
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager
    • SCM project sponsor

    Harness Service Configuration Management Superpowers

    Establish clear definitions

    Ensure everyone is using the same terms.

    Term Definition
    Configuration Management

    The purpose of configuration management is to:

    • "Ensure that accurate and reliable information about the configuration of services, and the CIs that support them, is available when and where it is needed. This includes information on how CIs are configured and the relationships between them" (AXELOS).
    • "Provide sufficient information about service assets to enable the service to be effectively managed. Assess the impact of changes and deal with service incidents" (ISACA, 2018).
    Configuration Management System (CMS) A set of tools and databases used to manage, update, and present data about all configuration items and their relationships. A CMS may maintain multiple federated CMDBs and can include one or many discovery and dependency mapping tools.
    Configuration Management Database (CMDB) A repository of configuration records. It can be as simple as a spreadsheet or as complex as an integrated database populated through multiple autodiscovery tools.
    Configuration Record Detailed information about a configuration item.
    Configuration Item (CI)

    "Any component that needs to be managed in order to deliver an IT service" (AXELOS).

    These components can include everything from IT services and software to user devices, IT infrastructure components, and documents (e.g. maintenance agreements).
    Attributes Characteristics of a CI included in the configuration record. Common attributes include name, version, license expiry date, location, supplier, SLA, and owner.
    Relationships Information about the way CIs are linked. A CI can be part of another CI, connect to another CI, or use another CI. A CMDB is significantly more valuable when relationships are recorded. This information allows CMDB users to identify dependencies between components when investigating incidents, performing root-cause analysis, assessing the impact of changes before deployment, and much more.

    What is a configuration management database (CMDB)?

    The CMDB is a system of record of your services and includes a record for everything you need to track to effectively manage your IT services.

    Anything that is tracked in your CMDB is called a configuration item (CI). Examples of CIs include:

    • User-Facing Services
    • IT-Facing Services
    • Business Capabilities
    • Relationships
    • IT Infrastructure Components
    • Enterprise Software
    • End-User Devices
    • Documents

    Other systems of record can refer to CIs, such as:

    • Ticket database: Tickets can refer to which CI is impacted by an incident or provided as part of a service request.
    • Asset management database (AMDB): An IT asset is often also a CI. By associating asset records with CI records, you can leverage your IT asset data in your reporting.
    • Financial systems: If done well, the CMDB can supercharge your IT financial cost model.

    CMDBs can allow you to:

    • Query multiple databases simultaneously (so long as you have the CI name field in each database).
    • Build automated workflows and chatbots that interact with data across multiple databases.
    • More effectively identify the potential impact of changes and releases.

    Do not confuse asset with configuration

    Asset and configuration management look at the same world through different lenses

    • IT asset management (ITAM) tends to focus on each IT asset in its own right: assignment or ownership, lifecycle, and related financial obligations and entitlements.
    • Configuration management is focused on configuration items (CIs) that must be managed to deliver a service and the relationships and integrations with other CIs.
    • ITAM and configuration management teams and practices should work closely together. Though asset and configuration management focus on different outcomes, they may use overlapping tools and data sets. Each practice, when working effectively, can strengthen the other.
    • Many objects will exist in both the CMDB and AMDB, and the data on those shared objects will need to be kept in sync.

    A comparison between Asset and Configuration Management Databases

    *Discovery, dependency mapping, and data normalization are often features or modules of configuration management, asset management, or IT service management tools.

    Start with ITIL 4 guiding principles to make your configuration management project valuable and realistic

    Focus on where CMDB data will provide value and ensure the cost of bringing that data in will be reasonable for its purpose. Your end goal should be not just to build a CMDB but to use a CMDB to manage workload and workflows and manage services appropriately.

    Focus on value

    Include only the relevant information required by stakeholders.

    Start where you are

    Use available sources of information. Avoid adding new sources and tools unless they are justified.

    Progress iteratively with feedback

    Regularly review information use and confirm its relevance, adjusting the CMDB scope if needed.

    Collaborate and promote visibility

    Explain and promote available sources of configuration information and the best ways to use them, then provide hints and tips for more efficient use.

    Think and work holistically

    Consider other sources of data for decision making. Do not try to put everything in the CMDB.

    Keep it simple and practical

    Provide relevant information in the most convenient way; avoid complex interfaces and reports.

    Optimize and automate

    Continually optimize resource-consuming practice activities. Automate CDMB verification, data collection, relationship discovery, and other activities.

    ITIL 4 guiding principles as described by AXELOS

    Step 1.1

    Identify use cases and desired benefits for service configuration management

    Activities

    1.1.1 Brainstorm data collection challenges

    1.1.2 Define goals and how you plan to meet them

    1.1.3 Brainstorm and prioritize use cases

    1.1.4 Identify the data needed to reach your goals

    1.1.5 Record required data sources

    This step will walk you through the following aspects of a configuration management system:

    • Scope
    • Use cases

    This phase involves the following participants:

    • IT and business service owners
    • Business/customer relationship managers
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • Project sponsor
    • Project manager

    Identify potential obstacles in your organization to building and maintaining a CMDB

    Often, we see multiple unsuccessful attempts to build out a CMDB, with teams eventually losing faith and going back to spreadsheets. These are common obstacles:

    • Significant manual data collection, which is rarely current and fully accurate.
    • Multiple discovery solutions creating duplicate records, with no clear path to deduplicate records.
    • Manual dependency mapping that isn't accurate because it's not regularly assessed and updated.
    • Hybrid cloud and on-premises environment with discovery solutions only partially collecting as the right discovery and dependency mapping solutions aren't in place.
    • Dynamic environments (virtual, cloud, or containers) that may exist for a very short time, but no one knows how they should be managed.
    • Lack of expertise to maintain and update the CMDB or lack of an assigned owner for the CMDB. If no one owns the process and is assigned as a steward of data, it will not be maintained.
    • Database that was designed with other purposes in mind and is heavily customized, making it difficult to use and maintain.

    Understanding the challenges to accessing and maintaining quality data will help define the risks created through lack of quality data.

    This knowledge can drive buy-in to create a configuration management practice that benefits the organization.

    1.1.1 Brainstorm data collection challenges

    Involve stakeholders.
    Allot 45 minutes for this discussion.

    1. As a group, brainstorm the challenges you have with data:
    2. Accuracy and trustworthiness: What challenges do you have with getting accurate data on IT services and systems?
      1. Access: Where do you have challenges with getting data to people when they need it?
      2. Manually created data: Where are you relying on data that could be automatically collected?
      3. Data integration: Where do you have issues with integrating data from multiple sources?
      4. Impact: What is the result of these challenges?
    3. Group together these challenges into similar issues and identify what goals would help overcome them.
    4. Record these challenges in the Configuration Management Project Charter, section 1.2: Project Purpose.

    Download the Configuration Management Project Charter

    Input

    Output

    • None
    • List of high-level desired benefits for SCM
    Materials Participants
    • Whiteboard/flip charts
    • Sticky notes
    • Markers/pens
    • Configuration Management Project Charter
    • IT and business service owners
    • Business/customer relationship managers
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Info-Tech Maturity Ladder

    Identify your current and target state

    INNOVATOR

    • Characteristics of business partner
    • Integration with orchestration tools

    BUSINESS PARTNER

    Data collection and validation is fully automated

    Integrated with several IT processes

    Meets the needs of IT and business use cases

    TRUSTED OPERATOR

    • Data collection and validation is partially or fully automated
    • Trust in data accuracy is high, meets the needs of several IT use cases

    FIREFIGHTER

    • Data collection is partially or fully automated, validation is ad hoc
    • Trust in data accuracy is variable, used for decision making

    UNSTABLE

    INNOVATOR

    • Characteristics of business partner
    • Integration with orchestration tools

    BUSINESS PARTNER

    • Data collection and validation is fully automated
    • Integrated with several IT processes
    • Meets the needs of IT and business use cases

    TRUSTED OPERATOR

    • Data collection and validation is partially or fully automated
    • Trust in data accuracy is high, meets the needs of several IT use cases

    FIREFIGHTER

    • Data collection is partially or fully automated, validation is ad hoc
    • Trust in data accuracy is variable, used for decision making

    UNSTABLE

    A tower is depicted, with arrows pointing to Current (orange) and Target(blue)

    Define goals for your CMDB to ensure alignment with all stakeholders

    • How are business or IT goals being hindered by not having the right data available?
    • If the business isn't currently asking for service-based reporting and accountability, start with IT goals. This will help to develop goals that will be most closely aligned to the IT teams' needs and may help incentivize the right behavior in data maintenance.
    • Configuration management succeeds by enabling its stakeholders to achieve their outcomes. Set goals for configuration management based on the most important outcomes expected from this project. Ask your stakeholders:
      1. What are the business' or IT's planned transformational initiatives?
      2. What are your highest priority goals?
      3. What should the priorities of the configuration management practice be?
    • The answers to these questions will shape your approach to configuration management. Direct input from your leadership and executives, or their delegates, will help ensure you're setting a solid foundation for your practice.
    • Identify which obstacles will need to be overcome to meet these goals.

    "[T]he CMDB System should be viewed as a 'system of relevance,' rather than a 'single source of truth.' The burdens of relevance are at once less onerous and far more meaningful in terms of action, analysis, and automation. While 'truth' implies something everlasting or at least stable, relevance suggests a far more dynamic universe."

    – CMDB Systems, Making Change Work in the Age of Cloud and Agile, Drogseth et al

    Identify stakeholders to discuss what they need from a CMDB; business and IT needs will likely differ

    Define your audience to determine who the CMDB will serve and invite them to these conversations. The CMDB can aid the business and IT and can be structured to provide dashboards and reports for both.

    Nondiscoverable configuration items will need to be created for both audiences to organize CIs in a way that makes sense for all uses.

    Integrations with other systems may be required to meet the needs of your audience. Note integrations for future planning.

    Business Services

    Within the data sets, service configuration models can be used for:

    • Impact analysis
    • Cause and effect analysis
    • Risk analysis
    • Cost allocation
    • Availability analysis and planning

    Technical Services

    Connect to IT Finance for:

    • Service-based consumption and costing
    • Financial awareness through showback
    • Financial recovery through chargeback
    • Support IT strategy through financial transparency
    • Cost optimization
    • Reporting for depreciation, location-related taxation, and capitalization (may also use asset management for these)

    Intersect with IT Processes to:

    • Reduce time to restore services through incident management
    • Improve stability through change management
    • Reduce outages through problem management
    • Optimize assets through IT asset management
    • Provide detailed reporting for audit/governance, risk, and compliance

    1.1.2 Define goals and how you plan to meet them

    Involve stakeholders.

    Allot 45 minutes for this discussion.

    As a group, identify current goals for building and using a CMDB.

    Why are we doing this?

    • How do you hope to use the data within the CMDB?
    • What processes will be improved through use of this data and what are the expected outcomes?

    How will we improve the process?

    • What processes will be put in place to ensure data integrity?
    • What tools will be put in place to improve the methods used to collect and maintain data?

    Record these goals in the Configuration Management Project Charter, section 1.3: Project Objectives.

    Input

    Output

    • None
    • List of high-level desired benefits for SCM
    Materials Participants
    • Whiteboard/flip charts
    • Sticky notes
    • Markers/pens
    • Configuration Management Project Charter
    • IT and business service owners
    • Business/customer relationship managers
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    It's easy to think that if you build it, they will come, but CMDBs rarely succeed without solid use cases

    Set expectations for your organization that defined and fulfilled use cases will factor into prioritization exercises, functional plans, and project milestones to achieve ROI for your efforts.

    A good use case:

    • Justifies resource allocation
    • Gains funding for the right tools
    • Builds stakeholder support
    • Drives interest and excitement
    • Gains support from anyone in a position to help build out and validate the data
    • Helps to define success

    In the book CMDB Systems, Making Change Work in the Age of Cloud and Agile, authors Drogseth, Sturm, and Twing describe the secrets of success:

    A documented evaluation of CMDB System vendors showed that while most "best case" ROI fell between 6 and 9 months for CMDB deployments, one instance delivered ROI for a significant CMDB investment in as little as 2 weeks!

    If there's a simple formula for quick time to value for a CMDB System, it's the following:

    Mature levels of process awareness
    + Strong executive level support
    + A ready and willing team with strongly supportive stakeholders
    + Clearly defined and ready phase one use case
    + Carefully selected, appropriate technologies

    All this = Powerful early-phase CMDB System results

    Define and prioritize use cases for how the CMDB will be used to drive value

    The CMDB can support several use cases and may require integration with various modules within the ITSM solution and integration with other systems.

    Document the use cases that will drive your CMDB to relevance, including the expected benefits for each use case.

    Identify the dependencies that will need to be implemented to be successful.

    Define "done" so that once data is entered, verified, and mapped, these use cases can be realized.

    "Our consulting experience suggests that more than 75% of all strategic initiatives (CMDB or not) fail to meet at least initial expectations across IT organizations. This is often due more to inflated expectations than categorical failure."

    – CMDB Systems, Making Change Work in the Age of Cloud and Agile, Drogseth et al.

    This image demonstrates how CMBD will be used to drive value.

    After identifying use cases, determine the scope of configuration items required to feed the use cases

    On-premises software and equipment will be critical to many use cases as the IT team and partners work on network and data-center equipment, enterprise software, and integrations through various means, including APIs and middleware. Real-time and near real-time data collection and validation will ensure IT can act with confidence.

    Cloud use can include software as a service (SaaS) solutions as well as infrastructure and platform as a service (IaaS and PaaS), and this may be more challenging for data collection. Tools must be capable of connecting to cloud environments and feeding the information back into the CMDB. Where on-premises and cloud applications show dependencies, you might need to validate data if multiple discovery and dependency mapping solutions are used to get a complete picture. Tagging will be crucial to making sense of the data as it comes into the CMDB.

    In-house developed software would be beneficial to have in the CMDB but may require more manual work to identify and classify once discovered. A combination of discovery and tagging may be beneficial to input and classification.

    Highly dynamic environments may require data collection through integration with a variety of solutions to manage and record continuous deployment models and verifications, or they may rely on tags and activity logs to record historical activity. Work with a partner who specializes in CI/CD to help architect this use case.

    Containers will require an assessment of the level of detail required. Determine if the container is a CI and if the content will be described as attributes. If there is value to your use case to map the contents of each container as separate CIs within the container CI, then you can map to that level of detail, but don't map to that depth unless the use case calls for it.

    Internet of Things (IoT) devices and applications will need to match a use case as well. IoT device asset data will be useful to track within an asset database but may have limited value to add to a CMDB. If there are connections between IoT applications and data warehouses, the dependencies should likely be mapped to ensure continued dataflow.

    Out of scope

    A single source of data is highly beneficial, but don't make it a catchall for items that are not easily stored in a CMDB.

    Source code should be stored in a definitive media library (DML). Code can be linked to the CMDB but is generally too big to store in a CMDB and will reduce performance for data retrieval.

    Knowledge articles and maintenance checklists are better suited to a knowledge base. They can also be linked to the CDMB if needed but this can get messy where many-to-many relationships between articles and CIs exist.

    Fleet (transportation) assets and fixed assets should be in fleet management systems and accounting systems, respectively. Storing these types of data in the CMDB doesn't provide value to the support process.

    1.1.3 Brainstorm and prioritize use cases

    Which IT practices will you supercharge?

    Focus on improving both operations and strategy.

    1. Brainstorm the list of relevant use cases. What do you want to do with the data from the CMDB? Consider:
      1. ITSM management and governance practices
      2. IT operations, vendor orchestration, and service integration and management (SIAM) to improve vendor interactions
      3. IT finance and business service reporting needs
    2. Identify which use cases are part of your two- to three-year plan, including the purpose for adding configuration data into that process. Prioritize one or two of these use cases to accomplish in your first year.
    3. Identify dependencies to manage as part of the solution and define a realistic timeline for implementing integrations, modules, or data sources.
    4. Document this table in the Configuration Management Project Charter, section 2.2: Use Cases.
    Audience Use Case Goal/Purpose Project/Solution Dependencies Proposed Timeline Priority
    • IT
    • Change Management

    Stabilize the process by seeing:

    Change conflict reporting

    Reports of CI changes without change records

    System availability

    RFC mapping requires discovered CIs

    RFC review requires criticality, technical and business owners

    Conflict reporting requires dependency mapping

    • Discovery and manual information entered by October
    • Dependency mapping implemented by December

    High

    Determine what additional data will be needed to achieve your use cases

    Regardless of which use cases you are planning to fulfill with the CMDB, it is critical to not add data and complexity with the plan of resolving every possible inquiry. Ensure the cost and effort of bringing in the data and maintaining it is justified. The complexity of the environment will impact the complexity of data sources and integrations for discovery and dependency mapping.

    Before bringing in new data, consider:

    • Is this information available in other maintained databases now?
    • Will this data be critical for decision making? If it is nice to have or optional, can it be automatically moved into the database and maintained using existing integrations?
    • Is there a cost to bringing the data into the CMDB and maintaining it? Is that cost reasonable for its purpose?
    • How frequently will this information be accessed, and can it be updated in an adequate cadence to meet these needs?
    • When does this information need to be available?

    Info-Tech Insight

    If data will be used only occasionally upon request, determine if it will be more efficient to maintain it or to retrieve it from the CMDB or another data source as needed.

    Remember, within the data sets, service configuration models can be used for:

    • Impact analysis
    • Cause and effect analysis
    • Risk analysis
    • Cost allocation
    • Availability analysis and planning

    1.1.4 Expand your use cases by identifying the data needed to reach your goals

    Involve stakeholders.

    Allot 60 minutes for this discussion.

    Review use cases and their goals.

    Identify what data will be required to meet those goals and determine whether it will be mandatory or optional/nice-to-have information.

    Identify sources of data for each type of data. Color code or sort.

    Italicize data points that can be automatically discovered.

    Gain consensus on what information will be manually entered.

    Record the data in the Use Cases and Data Worksheet.

    Download the Use Cases and Data Worksheet

    Input

    Output

    • None
    • List of data requirements
    MaterialsParticipants
    • Whiteboard/flip charts
    • Sticky notes
    • Markers/pens
    • Use Cases and Data Worksheet
    • IT and business service owners
    • Business/customer relationship managers
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Use discovery and dependency mapping tools to automatically update the CMDB

    Avoid manual data entry whenever possible.

    Consider these features when looking at tools:

    • Application dependency mapping: Establishing and tracking the relationships and dependencies between system components, applications, and IT services. The ideal tool will be able to generate maps automatically.
    • Agentless and agent discovery: Scanning systems with both agent and agentless approaches. Agent-based scanning provides comprehensive information on applications used in individual endpoints, which is helpful in minimizing its IT footprint. However, agents require endpoint access. Agentless-based scanning provides a broader and holistic view of deployed applications without the need to install an agent on end devices, which can be good enough for inventory awareness.
    • Data export capability: Easy exporting of application inventory information to be used in reports and other tools.
    • Dashboards and chart visualization: Detailed list of the application inventory, including version number, number of users, licenses, deployment location, and other application details. These details will inform decision makers of each application's health and its candidacy for further rationalization activities.
    • Customizable scanning scripts: Tailor your application discovery approach by modifying the scripts used to scan your systems.
    • Integration with third-party tools: Easy integration with other systems with out-of-the-box plugins or customizable APIs.

    Determine which data collection methods will be used to populate the CMDB

    The effort-to-value ratio is an important factor in populating a CMDB. Manual efforts require a higher process focus, more intensive data validation, and a constant need to remind team members to act on every change.

    Real-Time Data AIOps continual scans Used for event and incident management
    Near Real-Time Data Discovery and dependency mapping run on a regular cycle Used for change and asset management
    Historical Data Activity log imports, manual data entry Used for IT finance, audit trail
    • Determine what amount of effort is appropriate for each data grouping and use case. As decisions are made to expand data within the CMDB, the effort-to-value ratio should always factor in. To be usable, data must be accurate, and every piece of data that needs to be manually entered runs the risk of becoming obsolete.
    • Identify which data sources will bring in each type of data. Where there is a possibility of duplicate records being created, one of the data sources will need to be identified as the primary.
    • If the decision is to manually enter configuration items early in the process, be aware that automation may create duplicates of the CIs that will need to be deduplicated at some point in the process to make the information more usable.
    • Typically, items are discovered, validated, then mapped, but there will be variations depending on the source.
    • Active Directory or LDAP may be used to bring users and technicians into the CMDB. Data may be imported from spreadsheets. Identify efforts where data cleanup may have to happen before transferring into the CMDB.
    • Identify how often manual imports will need to be conducted to make sure data is usable.

    Identify other nondiscoverable data that will need to be added to or accessed by the CMDB

    Foundational data, such as technicians, end users and approvers, roles, location, company, agency, department, building, or cost center, may be added to tables that are within or accessed by the CMDB. Work with your vendor to understand structure and where this information resides.

    • These records can be imported from CSV files manually, but this will require manual removal or edits as information changes.
    • Integration with the HRIS, Active Directory, or LDAP will enable automatic updates through synchronization or scheduled imports.
    • If synchronization is fully enabled, new data can be added and removed from the CMDB automatically.
    • Identify which nondiscoverable attributes will be needed, such as system criticality, support groups, groups it is managed by, location.
    • If partially automating the process, identify where manual updates will need to occur.
    • If fully automating the process, notifications will need to be set up when business owner or product or technical owner fields become empty to prompt defining a replacement within the CMDB.
    • Determine who will manage these updates.
    • Work with your CMDB implementation vendor to determine the best option for bringing this information in.

    1.1.5 Record required data sources

    Allot 15 minutes for this discussion.

    1. Where do you track the work involved in providing services? Typically, your ticket database tracks service requests and incidents. Additional data sources can include:
      • Enterprise resource planning tools for tracking purchase orders
      • Project management information system for tracking tasks
    2. What trusted data sources exist for the technology that supports these services? Examples include:
      • Management tools (e.g. Microsoft Endpoint Configuration Manager)
      • Architectural diagrams and network topology diagrams
      • IT asset management database
      • Spreadsheets
      • Other systems of record
    3. What other data sources can help you gather the data you identified in activity 1.1.4?
    4. Record the relevant data sources for each use case in the Configuration Management Standard Operating Procedures, section 6: Data Collection and Updates.

    Info-Tech Insight

    Improve the trustworthiness of your CMDB as a system of record by relying on data that is already trusted.

    Input

    Output

    • Use cases
    • List of data requirements
    MaterialsParticipants
    • Use Cases and Data Worksheet
    • Configuration Management Standard Operating Procedures
    • IT and business service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Step 1.2

    Define roles and responsibilities

    Activities

    1.2.1 Record the project team and stakeholders

    1.2.2 Complete a RACI chart to define who will be accountable and responsible for configuration tasks

    This step will walk you through the following aspects of a configuration management system:

    • Roles and responsibilities

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • Project manager

    Identify the roles you need in your SCM project

    Determine which roles will need to be involved in the initial project and how to source these roles.

    Leadership Roles
    Oversee the SCM implementation

    1. Configuration Manager – The practice owner for SCM. This is a long-term role.
    2. Configuration Control Board (CCB) Chair – An optional role that oversees proposed alterations to configuration plans. If a CCB is implemented, this is a long-term role.
    3. Project Sponsor or Program Sponsor – Provides the necessary resources for building the CMDB and SCM practices.
    4. Architecture Roles
      Plan the program to build strong foundation
      1. Configuration Management Architect – Technical leader who defines the overall CM solution, plans the scope, selects a tool, and leads the technical team that will implement the solution.
      2. Requirements Analyst – Gathers and manages the requirements for CM.
      3. Process Engineer – Defines, documents, and implements the entire process.

    Architecture Roles
    Plan the program to build strong foundation

    1. Configuration Management Architect – Technical leader who defines the overall CM solution, plans the scope, selects a tool, and leads the technical team that will implement the solution.
    2. Requirements Analyst – Gathers and manages the requirements for CM.
    3. Process Engineer – Defines, documents, and implements the entire process.

    Engineer Roles
    Implement the system

    1. Logical Database Analyst (DBA) Designs the structure to hold the configuration management data and oversees implementation.
    2. Communications and Trainer – Communicates the goals and functions of CM and teaches impacted users the how and why of the process and tools.

    Administrative Roles
    Permanent roles involving long-term ownership

    1. Technical Owner – The system administrator responsible for their system's uptime. These roles usually own the data quality for their system.
    2. Configuration Management Integrator – Oversees regular transfer of data into the CMDB.
    3. Configuration Management Tool Support – Selects, installs, and maintains the CM tool.
    4. Impact Manager – Analyzes configuration data to ensure relationships between CIs are accurate; conducts impact analysis.

    1.2.1 Record the project team and stakeholders

    Allocate 25 minutes to this discussion.

    1. Record the project team.
      1. Identify the project manager who will lead this project.
      2. Identify key personnel that will need to be involved in design of the configuration management system and processes.
      3. Identify where vendors/outsourcers may be required to assist with technical aspects.
      4. Document the project team in the Configuration Management Project Charter, section 1.1: Project Team.
    1. Record a list of stakeholders.
      1. Identify stakeholders internal and external to IT.
      2. Build the stakeholder profile. For each stakeholder, identify their role, interest in the project, and influence on project success. You can score these criteria high/medium/low or score them out of ten.
      3. If managed service providers will need to be part of the equation, determine who will be the liaison and how they will provide or access data.
    Input

    Output

    • Project team members
    • Project plan resources
    MaterialsParticipants
    • Configuration Management Project Charter
    • List of project stakeholders and participants
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Even with full automation, this cannot be a "set it and forget it" project if it is to be successful long-term

    Create a team to manage the process and data updates and to ensure data is always usable.

    • Services may be added and removed.
    • Technology will change as technical debt is reduced.
    • Vendors may change as contract needs develop.
    • Additional use cases may be introduced by IT and the business as approaches to management evolve.
    • AIOps can reduce the level of effort and improve visibility as configuration items change from the baseline and notifications are automated.
    • Changes can be checked against requests for changes through automated reconciliations, but changes will still need to be investigated where they do not meet expectations.
    • Manual data changes will need to be made regularly and verified.

    "We found that everyone wanted information from the CMDB, but no one wanted to pay to maintain it. People pointed to the configuration management team and said, 'It's their responsibility.'

    Configuration managers, however, cannot own the data because they have no way of knowing if the data is accurate. They can own the processes related to checking accuracy, but not the data itself."
    – Tim Mason, founding director at TRM Associates
    (Excerpt from Viewpoint: Focus on CMDB Leadership)

    Include these roles in your CMDB practice to ensure continued success and continual improvement

    These roles can make up the configuration control board (CCB) to make decisions on major changes to services, data models, processes, or policies. A CCB will be necessary in complex environments.

    Configuration Manager

    This role is focused on ensuring everyone works together to build the CMDB and keep it up to date. The configuration manager is responsible to:

    • Plan and manage the standards, processes, and procedures and communicate all updates to appropriate staff. Focused on continual improvement.
    • Plan and manage population of the CMDB and ensure data included meets criteria for cost effectiveness and reasonable effort for the value it brings.
    • Validate scope of services and CIs to be included and controlled within the CMDB and manage exceptions.
    • Audit data quality to ensure it is valid, is current, and meets defined standards.
    • Evaluate and recommend tools to support processes, data collection, and integrations.
    • Ensure configuration management processes interface with all other service and business management functions to meet use cases.
    • Report on configuration management performance and take appropriate action on process adherence and quality issues.

    Configuration Librarian

    This role is most important where manual data entry is prevalent and where many nonstandard configurations are in place. The librarian role is often held by the tool administrator. The librarian focuses specifically on data within the CMDB, including:

    • Manual updates to configuration data.
    • CMDB data verification on a regular schedule.
    • Processing ad hoc requests for data.

    Product/Service/Technical Owners

    The product or technical owner will validate information is correctly updating and reflects the existing data requirements as new systems are provisioned or as existing systems change.

    Interfacing Practice Owners

    All practice owners, such as change manager, incident manager, or problem manager, must work with the configuration team to ensure data is usable for each of the use cases they are responsible for.

    Download the Configuration Manager job description

    Assign configuration management responsibilities and accountabilities

    Align authority and accountability.

    • A RACI exercise will help you discuss and document accountability and responsibility for critical configuration management activities.
    • When responsibility and accountability are not well documented, it's often useful to invite a representative of the roles identified to participate in this alignment exercise. The discussion can uncover contrasting views on responsibility and governance, which can help you build a stronger management and governance model.
    • The RACI chart can help you identify who should be involved when making changes to a given activity. Clarify the variety of responsibilities assigned to each key role.
    • In the future, you may need to define roles in more detail as you change your configuration management procedures.

    Responsible: The person who actually gets the job done.
    Different roles may be responsible for different aspects of the activity relevant to their role.

    Accountable: The one role accountable for the activity (in terms of completion, quality, cost, etc.)
    Must have sufficient authority to be held accountable; responsible roles are often accountable to this role.

    Consulted: Those who need the opportunity to provide meaningful input at certain points in the activity; typically, subject matter experts or stakeholders. The more people you must consult, the more overhead and time you'll add to a process.

    Informed: Those who receive information regarding the task but do not need to provide feedback.
    Information might relate to process execution, changes, or quality.

    Complete a RACI chart to define who will be accountable and responsible for configuration tasks

    Determine what roles will be in place in your organization and who will fulfill them, and create your RACI chart to reflect what makes sense for your organization. Additional roles may be involved where there is complexity.

    R = responsible, A = accountable, C = consulted, I = informed CCB Configuration Manager Configuration Librarian Technical Owner(s) Interfacing Practice Owners Tool Administrator
    Plan and manage the standards, processes, and procedures and communicate all updates to appropriate staff. Focused on continual improvement. A R
    Plan and manage population of the CMDB and ensure data included meets criteria for cost effectiveness and reasonable effort for the value it brings. A R
    Validate scope of services and CIs to be included and controlled within the CMDB and manage exceptions. A R
    Audit data quality to ensure it is valid, is current, and meets defined standards. A,R
    Evaluate and recommend tools to support processes, data collection, and integrations. A,R
    Ensure configuration management processes interface with all other service and business management functions to meet use cases. A
    Report on configuration management performance and take appropriate action on process adherence and quality issues. A
    Make manual updates to configuration data. A
    Conduct CMDB data verification on a regular schedule. A
    Process ad hoc requests for data. A
    Enter new systems into the CMDB. A R
    Update CMDB as systems change. A R
    Identify new use cases for CMDB data. R A
    Validate data meets the needs for use cases and quality. R A
    Design reports to meet use cases. R
    Ensure integrations are configured as designed and are functional. R

    1.2.2 Complete a RACI chart to define who will be accountable and responsible for configuration tasks

    Allot 60 minutes for this discussion.

    1. Open the Configuration Management Standard Operating Procedures, section 4.1: Responsibility Matrix. In the RACI chart, review the top row of roles. Smaller organizations may not need a configuration control board, in which case the configuration manager may have more authority.
    2. Modify or expand the process tasks in the left column as needed.
    3. For each role, identify what that person is responsible for, accountable for, consulted on, or informed of. Fill out each column.
    4. Document in the SOP. Schedule a time to share the results with organization leads.
    5. Distribute the chart among all teams in your organization.
    6. Describe additional roles as needed in the documentation.
    7. Add accountabilities and responsibilities for the CCB into the Configuration Control Board Charter.
    8. If appropriate, add auxiliary roles to the Configuration Management Standard Operating Procedures, section 4.2: Configuration Management Auxiliary Role Definitions.

    Notes:

    1. Assign one Accountable for each task.
    2. Have one or more Responsible for each task.
    3. Avoid generic responsibilities such as "team meetings."
    4. Keep your RACI definitions in your documents for quick reference.

    Refer back to the RACI chart when building out the communications plan to ensure accountable and responsible team members are on board and consulted and informed people are aware of all changes.

    Input

    Output

    • Task assignments
    • RACI chart with roles and responsibilities
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures, RACI chart
    • Configuration Control Board Charter, Responsibilities section
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Phase 2

    Configuration Management Data Model

    StrategyData StructureProcessesRoadmap
    • Challenges and Goals
    • Use Cases and Data
    • Roles and Responsibilities
    • Services
    • Classifications
    • Data Modeling
    • Lifecycle Processes
    • Baselines
    • Audit and Data Validation
    • Metrics
    • Communications Plan
    • Roadmap

    This phase will walk you through the following aspects of a configuration management system:

    • Data Model
    • Customer-Facing and Supporting Services
    • Business Capabilities
    • Relationships
    • IT Infrastructure Components
    • Enterprise Software
    • End-User Devices
    • Documents

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • CM practice manager
    • CM project manager

    Step 2.1

    Build a framework for CIs and relationships

    Activities

    Document services:

    2.1.1 Define and prioritize your services

    2.1.2 Test configuration items against existing categories

    2.1.3 Create a configuration control board charter to define the board's responsibilities and protocols

    This step will walk you through the following aspects of a configuration management system:

    • Data model
    • Configuration items
    • Relationships

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • CM practice manager
    • Project manager

    Making sense of data daily will be key to maintaining it, starting with services

    As CIs are discovered and mapped, they will automatically map to each other based on integrations, APIs, queries, and transactions. However, CIs also need to be mapped to a conceptional model or service to present the service and its many layers in an easily consumable way.

    These services will need to be manually created or imported into the CMDB and manually connected to the application services. Services can be mapped to technical or business services or both.

    If business services reporting has been requested, talk to the business to develop a list of services that will be required. Use terms the business will be expecting and identify which applications and instances will be mapped to those services.

    If IT is using the CMDB to support service usage and reporting, develop the list of IT services and identify which applications and instances will be mapped to those services.

    This image show the relationship between Discoverable and Nondiscoverable CIs. The discoverable CIs are coloured in purple, and the nondiscoverables are blue.

    Work with your stakeholders to ensure catalog items make sense to them

    There isn't a definitive right or wrong way to define catalog items. For example, the business and IT could both reference application servers, but only IT may need to see technical services broken down by specific locations or device types.

    Refer back to your goals and use cases to think through how best to meet those objectives and determine how to categorize your services.

    Define the services that will be the top-level, nondiscoverable services, which will group together the CIs that make up the complete service. Identify which application(s) will connect into the technical service.

    When you are ready to start discovery, this list of services will be connected to the discovered data to organize it in a way that makes sense for how your stakeholders need to see the data.

    While working toward meeting the goals of the first few use cases, you will want to keep the structure simple. Once processes are in place and data is regularly validated, complexities of different service types and names can be integrated into the data.

    This image show the relationship between Discoverable and Nondiscoverable CIs. Both Discoverable and nondiscoverable CIs are blue.

    Application Service(blue); Technical Service(Purple); IT Shared Services(Orange); Billable Services(green); Service Portfolio(red)

    Define the service types to manage within the CMDB to logically group CIs

    Determine which method of service groupings will best serve your audience for your prioritized use cases. This will help to name your service categories. Service types can be added as the CMDB evolves and as the audience changes.

    Application Service

    Technical Service

    IT Shared Services

    Billable Services

    Service Portfolio

    A set of interconnected applications and hosts configured to offer a service to the organization.

    Example: Financial application service, which may include email, web server, application server, databases, and middleware.

    A logical grouping of CIs based on common criteria.

    Example: Toronto web services, which may include several servers, web applications, and databases.

    A logical grouping of IT and business services shared and used across the organization.

    Example: VoIP/phone services or networking or security services.

    A group of services that will be billed out to departments or customers and would require logical groupings to enable invoicing.

    A group of business and technical service offerings with specific performance reporting levels. This may include multiple service levels for different customer audiences for the same service.

    2.1.1 Define and prioritize your services

    Prioritize your starting point. If multiple audiences need to be accommodated, work with one group at a time.

    Timing: will vary depending on number of services, and starting point

    1. Create your list of services, referencing an existing service catalog, business continuity or disaster recovery plan, list of applications, or brainstorming sessions. Use the terminology that makes the most sense for the audience and their reporting requirements.
    2. If this list is already in place, assess for relevance and reduce the list to only those services that will be managed through the CMDB.
    3. Determine what data will be relevant for each service based on the exercises done in 1.1.4 and 1.1.5. For example, if priority was a required attribute for use case data, ensure each service lists the priority of that service.
    4. For each of these, identify the supporting services. These items can come from your technical service catalog or list of systems and software.
    5. Document this table in the Use Cases and Data Worksheet, tab 3: Service Catalog.

    Service Record Example

    Service: Email
    Supporting Services: M365, Authentication Services

    Service Attributes

    Availability: 24/7 (99.999%)
    Priority: Critical
    Users: All
    Used for: Collaboration
    Billable: Departmental
    Support: Unified Support Model, Account # 123456789

    The CMDB will be organized by services and will enable data analysis through multiple categorization schemes

    To extract maximum service management benefit from a CMDB, the highest level of CI type should be a service, as demonstrated below. While it is easier to start at the system or single-asset level, taking the service mapping approach will provide you with a useful and dynamic view of your IT environment as it relates to the services you offer, instead of a static inventory of components.

    Level 1: Services

    • Business Service Offering: A business service is an IT service that supports a business process, or a service that is delivered to business customers. Business service offerings typically are bound by service-level agreements.
    • IT Service Offering: An IT service supports the customer's business processes and is made up of people, processes, and technology. IT service offerings typically are bound by service-level agreements.

    Level 2: Infrastructure CIs

    • IT Component Set: An IT service offering consists of one of more sets of IT components. An IT component set allows you to group or bundle IT components with other components or groupings.
    • IT Component: An IT system is composed of one or more supporting components. Many components are shared between multiple IT systems.

    Level 3: Supporting CIs

    • IT Subcomponent: Any IT asset that is uniquely identifiable and a component of an IT system.
    • IT components can have subcomponents, and those components can have subcomponents, etc.

    Two charts, showing Enterprise Architect Model and Configuration Service Model. Each box represents a different CI.

    Assess your CMDB's standard category offerings against your environment, with a plan to minimize customization

    Standard categorization schemes will allow for easier integration with multiple tools and reporting and improve results if using machine learning to automate categorization. If the CMDB chosen includes structured categories, use that as your starting point and focus only on gaps that are not addressed for CIs unique to your environment.

    There is an important distinction between a class and a type. This concept is foundational for your configuration data model, so it is important that you understand it.

    • Types are general groupings, and the things within a type will have similarities. For attributes that you want to collect on a type, all children classes and CIs will have those attribute fields.
    • Classes are a more specific grouping within a type. All objects within a class will have specific similarities. You can also use subclasses to further differentiate between CIs.
    • Individual CIs are individual instances of a class or subclass. All objects in a class will have the same attribute fields and behave the same, although the values of their attributes will likely differ.
    • Attributes may be discovered or nondiscoverable and manually added to CIs. The attributes are properties of the CI such as serial number, version, memory, processor speed, or asset tag.

    Use inheritance structures to simplify your configuration data model.

    An example CM Data Model is depicted.

    Assess the list of classes of configuration items against your requirements

    Types are general groupings, and the things within a type will have similarities. Each type will have its own table within the CMDB. Classes within a type are a more specific grouping of configuration items and may include subclasses.

    Review your vendor's CMDB documentation. Find the list of CI types or classes. Most CMDBs will have a default set of classes, like this standard list. If you need to build your own, use the table below as a starting point. Define anything required for unique classes. Create a list and consult with your installation partner.

    Sample list of classes organized by type

    Types Services Network Hardware Storage Compute App Environment Documents
    Classes
    • Application Service
    • Technical Service
    • IT Shared Service
    • Billable Service
    • Service Portfolio
    • Switch
    • Router
    • Firewall
    • Modem
    • SD-WAN
    • Load Balancer
    • UPS
    • Computer
    • Laptop
    • Server
    • Tablet
    • Database
    • Network-Attached Storage
    • Storage Array Network
    • Blob
    • Operating System
    • Hypervisor
    • Virtual Server
    • Virtual Desktop
    • Appliance
    • Virtual Application
    • Enterprise Application
    • Line of Business Application Software
    • Development
    • Test
    • Production
    • Contract
    • Business Impact Analysis
    • Requirements

    Review relationships to determine which ones will be most appropriate to map your dependencies

    Your CMDB should include multiple relationship types. Determine which ones will be most effective for your environment and ensure everyone is trained on how to use them. As CIs are mapped, verify they are correct and only manually map what is incorrect or not mapping through automation.

    Manually mapping CMDB relationships may be time consuming and prone to error, but where manual mapping needs to take place, ensure the team has a common view of the dependency types available and what is important to map.

    Use automated mapping whenever possible to improve accuracy, provide functional visualizations, and enable dynamic updates as the environment changes.

    Where a dependency maps to external providers, determine where it makes sense to discover and map externally provided CIs.

    • Only connect where there is value in mapping to vendor-owned systems.
    • Only connect where data and connections can be trusted and verified.

    Most common dependency mapping types

    A list of the most common dependency mapping types.

    2.1.2 Test configuration items against existing categories

    Time to complete: 1-2 hours

    1. Select a service to test.
    2. Identify the various components that make up the service, focusing on configuration items, not attributes
    3. Categorize configuration items against types and classes in the default settings of the CMDB.
    4. Using the default relationships within the CMDB, identify the relationships between the configuration items.
    5. Identify types, classes, and relationships that do not fit within the default settings. Determine if there are common terms for these items or determine most appropriate name.
    6. Validate these exceptions with the publisher.
    7. Document exceptions in the Configuration Management Standard Operating Procedures, Appendix 2: Types and Classes of Configuration Items
    Input

    Output

    • List of default settings for classes, types, and relationships
    • Small list of services for testing
    • List of CIs to map to at least one service
    • List of categories to add to the CMDB solution.
    MaterialsParticipants
    • Use Cases and Data Worksheet
    • Configuration Management Standard Operating Procedures
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    2.1.3 Create a configuration control board charter to define the board's responsibilities and protocols

    A charter will set the tone for meetings, ensure purpose is defined and meeting cadence is set for regular reviews.

    1. Open the Configuration Control Board Charter. Review the document and modify as appropriate for your CCB. This will include:
      • Purpose and mandate of the committee – Reference objectives from the project charter.
      • Team composition – Determine the right mix of team members. A team of six to ten people can provide a good balance between having a variety of opinions and getting work done.
      • Voting option – Determine the right quorum to approve changes.
      • Responsibilities – List responsibilities, starting with RACI chart items.
      • Authority – Define the control board's span of control.
      • Governing laws and regulations – List any regulatory requirements that will need to be met to satisfy your auditors.
      • Meeting preparation – Set expectations to ensure meetings are productive.
    2. Distribute the charter to CCB members.
    Input

    Output

    • Project team members
    • Project plan resources
    MaterialsParticipants
    • Configuration Control Board Charter
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Assess the default list of statuses for each state

    Align this list with your CMDB

    Minimize the number of customizations that will make it difficult to update the platform.

    1. Review the default status list within the tool.
    2. Identify which statuses will be most used. Write a definition for each status.
    3. Update this list as you update process documentation in Step 3.1. After initial implementation, this list should only be modified through change enablement.
    4. Record this list of statuses in the Configuration Management Standard Operating Procedures, Appendix 4: Statuses
    State Status Description
    Preparation Ordered Waiting delivery from the vendor
    In Planning Being created
    Received Vendor has delivered the item, but it is not ready for deployment
    Production In Stock Available to be deployed
    In Use Deployed
    On Loan Deployed to a user on a temporary basis
    For Removal Planning to be phased out but still deployed to an end user
    Offline In Transit Moving to a new location
    Under Maintenance Temporarily offline while a patch or change is applied
    Removed Decommissioned Item has been retired and is no longer in production
    Disposed Item has been destroyed and we are no longer in possession of it
    Lost Item has been lost
    Stolen Item has been stolen

    Step 2.2

    Document statuses, attributes, and data sources

    Activities

    2.2.1 Follow the packet and map out the in-scope services and data centers

    2.2.2 Build data model diagrams

    2.2.3 Determine access rights for your data

    This step will walk you through the following aspects of a configuration management system:

    • Statuses
    • Attributes for each class of CI

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • Project manager

    Outcomes of this step

    • Framework for approaching CI statuses
    • Attributes for each class of CI
    • Data sources for those attributes

    Service mapping approaches

    As you start thinking about dependency mapping, it's important to understand the different methods and how they work, as well as your CMDB's capabilities. These approaches may be all in the same tool, or the tool may only have the top-down options.

    Top down, most common

    Pattern-based

    Most common option, which includes indicators of connections such as code, access rights, scripting, host discovery, and APIs.

    Start with pattern-based, then turn on traffic-based for more detail. This combination will provide the most accuracy.

    Traffic-based

    Map against traffic patterns involving connection rules to get more granular than pattern-based.

    Traffic-based can add a lot of overhead with extraneous data, so you may not want to run it continuously.

    Tag-based

    Primarily used for cloud, containers, and virtual machines and will attach the cloud licenses to their dependent services and any related CIs.

    Tags work well with cloud but will not have the same hierarchical view as on-premises dependency mapping.

    Machine learning

    Machine learning will look for patterns in the traffic-based connections, match CIs to categories and help organize the data.

    Machine learning (ML) may not be in every solution, but if you have it, use it. ML will provide many suggestions to make the life of the data manager easier.

    Model hierarchy

    Automated data mapping will be helpful, but it won't be foolproof. It's critical to understand the data model to validate and map nondiscoverable CIs correctly.

    The framework consists of the business, enterprise, application, and implementation layers.

    The business layer encodes real-world business concepts via the conceptual model.

    The enterprise layer defines all enterprise data assets' details and their relationships.

    The application layer defines the data structures as used by a specific application.

    The implementation layer defines the data models and artifacts for use by software tools.

    An example of Model Hierarchy is depicted.

    Learn how to create data models with Info-Tech's blueprint Create and Manage Enterprise Data Models

    2.2.1 Follow the packet and map out the in-scope services and data centers

    Reference your network topology and architecture diagrams.

    Allot 1 hour for this activity.

    1. Start with a single service that is well understood and documented.
    2. Identify the technical components (hardware and applications) that make up the service.
    3. Determine if there is a need to further break down services into logical service groupings. For example, the email service to the right is broken down into authentication and mail flow.
    4. If you don't have a network diagram to follow, create a simple one to identify workflows within the service and components the service uses.
    5. Record the apps and underlying components in the Configuration Management Standard Operating Procedures, Appendix 1: Configuration Data Model Structure.

    This information will be used for CM project planning and validating the contents of the CMDB.

    an example of a Customer-facing service is shown, for Email sample topology.

    Download the Configuration Management Diagram Template Library to see an example.

    Build your configuration data model

    Rely on out-of-the-box functionality where possible and keep a narrow focus in the early implementation stages.

    1. If you have an enterprise architecture, then your configuration management data model should align with it.
    2. Keep a narrow focus in the early implementation stages. Don't fill up your CMDB until you are ready to validate and fix the data.
    3. Rely on out-of-the-box (OOTB) functionality where possible. If your configuration management database (CMDB) and platform do not have a data model OOTB, then rely on a publicly available data model.
    4. Map your business or IT service offering to the first few layers.

    Once this is built out in the system, you can let the automated dependency mapping take over, but you will still need to validate the accuracy of the automated mapping and investigate anything that is incorrect.

    Sample Configuration Data Model

    Every box represents a CI, and every line represents a relationship

    A sample configuration Data model is shown.

    Example: Data model and CMDB visualization

    Once the data model is entered into the CMDB, it will provide a more dynamic and complex view, including CIs shared with other services.

    An example of a Data Model Exercise

    CMDB View

    An example of a CMDB View of the Data Model Exercise

    2.2.2 Build data model diagrams

    Visualize the expected CI classes and relationships.

    Allot 45 minutes.

    1. Identify the different data model views you need. Use multiple diagrams to keep the information simple to read and understand. Common diagrams include:
      1. Network level: Outline expected CI classes and relationships at the network level.
      2. Application level: Outline the expected components and relationships that make up an application.
      3. Services level: Outline how business capability CIs and service CIs relate to each other and to other types of CIs.
    1. Use boxes to represent CI classes.
    2. Use lines to represent relationships. Include details such as:
      1. Relationship name: Write this name on the arrow.
      2. Direction: Have an arrow point to each child.

    Review samples in Configuration Management Diagram Template Library.
    Record these diagrams in the Configuration Management Standard Operating Procedures, Appendix 1: Configuration Data Model Structure.

    Input

    Output

    • List of default settings for classes, types, and relationships
    • Small list of services for testing
    • List of CIs to map to at least one service
    • List of additions of categories to add to the CMDB solution.
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration Management Diagram Template Library
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Download the Configuration Management Diagram Template Library to see examples.

    Determine governance for data security, access, and validation

    Align CMDB access to the organization's access control policy to maintain authorized and secure access for legitimate staff performing their role.

    Data User Type Access Role
    Data consumers
    • View-only access
    • Will need to view and use the data but will not need to make modifications to it
    • Service desk
    • Change manager
    • Major incident manager
    • Finance
    CMDB owner
    • Read/write access with the ability to update and validate data as needed
    • Configuration manager
    Domain owner
    • Read/write access for specific domains
    • Data owner within their domain, which includes validating that data is in the database and that it is correctly categorized.
    • Enterprise architect
    • Application owner
    Data provider
    • Read/write access for specific domains
    • Ensures automated data has been added and adds nondiscoverable assets and attributes as needed
    • Server operations
    • Database management
    • Network teams
    CMDB administrator
    • View-only access for data
    • Will need to have access for modifying the structure of the product, including adding fields, as determined by the CCB
    • ITSM tool administrator

    2.2.3 Determine access rights for your data

    Allot 30 minutes for this discussion.

    1. Open the Configuration Management Standard Operating Procedures, section 5: Access Rights.
    2. Review the various roles from an access perspective.
      1. Who needs read-only access?
      2. Who needs read/write access?
      3. Should there be restrictions on who can delete data?
    1. Fill in the chart and communicate this to your CMDB installation vendor or your CMDB administrator.
    Input

    Output

    • Task assignments
    • Access rights and roles
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • IT service owners
    • Practice owners and managers
    • SCM practice manager
    • SCM project sponsor

    Phase 3

    Configuration Record Updates

    StrategyData StructureProcessesRoadmap
    • Challenges and Goals
    • Use Cases and Data
    • Roles and Responsibilities
    • Services
    • Classifications
    • Data Modeling
    • Lifecycle Processes
    • Baselines
    • Audit and Data Validation
    • Metrics
    • Communications Plan
    • Roadmap

    This phase will walk you through the following aspects of a configuration management system:

    • ITSM Practices and Workflows
    • Discovery and Dependency Mapping Tools
    • Auditing and Data Validation Practices

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager
    • IT audit

    Harness Service Configuration Management Superpowers

    Step 3.1

    Keep CIs and relationships up to date through lifecycle process integrations

    Activities

    3.1.1 Define processes to bring new services into the CMDB

    3.1.2 Determine when each type of CI will be created in the CMDB

    3.1.3 Identify when each type of CI will be retired in the CMDB

    3.1.4 Record when and how attributes will change

    3.1.5 Institute configuration control and configuration baselines

    This step will walk you through the following aspects of a configuration management system:

    1. ITSM Practices and Workflows
    2. Discovery and Dependency Mapping Tools

    This phase involves the following participants:

    1. IT service owners
    2. Enterprise architects
    3. Practice owners and managers
    4. SCM practice manager
    5. Project manager

    Outcomes of this step

    • List of action items for updating interfacing practices and processes
    • Identification of where configuration records will be manually updated

    Incorporate CMDB updates into IT operations

    Determine which processes will prompt changes to the CMDB data

    Onboard new services - Offboard Redundant Services. Onboard new CIs - Offboard Redundant CIs; Maintain CIs - Update Attributes.

    Change enablement

    Identify which process are involved in each stage of data input, maintenance, and removal to build out a process for each scenario.

    Project management

    Change enablement

    Asset management

    Security controls

    Project management

    Incident management

    Deployment management

    Change enablement

    Asset management

    Security controls

    Project management

    Incident management

    Service management

    Formalize the process for adding new services to the CMDB

    As new services and products are introduced into the environment, you can improve your ability to correctly cost the service, design integrations, and ensure all operational capabilities are in place, such as data backup and business continuity plans.
    In addition, attributes such as service-level agreements (SLAs), availability requirements, and product, technical, and business owners should be documented as soon as those new systems are made live.

    • Introduce the technical team and CCB to the product early to ensure the service record is created before deployment and to quickly map the services once they are moved into the production environment.
    • Engage with project managers or business analysts to define the process to include security and technical reviews early.
    • Engage with the security and technical reviewers to start documenting the service as soon as it is approved.
    • Determine which practices will be involved in the creation and approval of new services and formalize the process to streamline entry of the new service, onboarding corresponding CIs and mapping dependencies.

    an example of the review and approval process for new service or products is shown.

    3.1.1 Define processes to bring new services into the CMDB

    Start with the most frequent intake methods, and if needed, use this opportunity to streamline the process.

    1. Discuss the methods for new services to be introduced to the IT environment.
    2. Critique existing methods to assess consistency and identify issues that could prevent the creation of services in the CMDB in a timely manner.
    3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
    4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
    5. Discuss the validation process and determine where control points are. Document these on the workflows.
    6. Complete the Configuration Management Standard Operating Procedures, section 8.1: Introduce New Service and Data Model.

    Possible intake opportunities:

    • Business-driven project intake process
    • IT-driven project intake process
    • Change enablement reviews
    • Vendor-driven product changes
    Input

    Output

    • Discussion
    • Intake processes
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration Management Diagram Template Library
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    Identify scenarios where CIs are added and removed in the configuration management database

    New CIs may be introduced with new services or may be introduced and removed as part of asset refreshes or through service restoration in incident management. Updates may be done by your own services team or a managed services provider.
    Determine the various ways the CIs may be changed and test with various CI types.
    Review attributes such as SLAs, availability requirements, and product, technical, and business owners to determine if changes are required.

    • Identify what will be updated automatically or manually. Automation could include discovery and dependency mapping or synchronization with AMDB or AIOps tools.
    • Engage with relevant program managers to define and validate processes.
    • Identify control points and review audit requirements.

    An example of New or refresh CI from Procurement.

    Info-Tech Insight

    Data deemed no longer current may be archived or deleted. Retained data may be used for tracing lifecycle changes when troubleshooting or meeting audit obligations. Determine what types of CIs and use cases require archived data to meet data retention policies. If none do, deletion of old data may be appropriate.

    3.1.2 Identify when each type of CI will be created in the CMDB

    Allot 45 minutes for discussion.

    1. Discuss the various methods for new CIs to be introduced to the IT environment.
    2. Critique existing methods to assess consistency and identify issues that could prevent the creation of CIs in the CMDB in a timely manner.
    3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
    4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
    5. Discuss the validation process and determine where control points are. Document these on the workflows.
    6. Complete Configuration Management Standard Operating Procedures, section 8.2: Introduce New Configuration Items to the CMDB

    Possible intake opportunities:

    • Business-driven project intake process
    • IT-driven project intake process
    • Change enablement reviews
    • Vendor-driven product changes
    • Incident management
    • Asset management, lifecycle refresh
    Input

    Output

    • Discussion
    • Retirement processes
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration Management Diagram Template Library
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    3.1.3 Identify when each type of CI will be retired in the CMDB

    Allot 45 minutes for discussion.

    1. Discuss the various methods for CIs to be removed from the IT environment.
    2. Critique existing methods to assess consistency and identify issues that could prevent the retirement of CIs in the CMDB in a timely manner.
    3. Create a workflow for the existing processes, with an eye to improvement. Identify any changes that will need to be introduced and managed appropriately.
    4. Identify where additional groups may need to be engaged to ensure success. For example, if project managers are not interfacing early with IT, discuss process changes with them.
    5. Discuss the validation process and determine where control points are. Document these on the workflows.
    6. Discuss data retention. How long will retired information need to be archived? What are the potential scenarios where legacy information may be needed for analysis?
    7. Complete the Configuration Management Standard Operating Procedures, section 8.4: Retire and Archive Configuration Records.

    Possible retirement scenarios:

    • Change enablement reviews
    • Vendor-driven product changes
    • Incident management
    • Asset management, lifecycle refresh
    Input

    Output

    • Discussion
    • Intake processes
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration Management Diagram Template Library
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    Determine appropriate actions for detecting new or changed CIs through discovery

    Automated detection will provide the most efficient way of recording planned changes to CIs as well as detected unplanned changes. Check with the tool to determine what reports or notifications are available for the configuration management process and define what actions will be appropriate.

    As new CIs are detected, identify the process by which they should have been introduced into configuration management and compare against those records. If your CMDB can automatically check for documentation, this may be easier. Weekly reporting will allow you to catch changes quickly, and alerts on critical CIs could enable faster remediation, if the tool allows for alerting. AIOps could identify, notify of, and process many changes in a highly dynamic environment.

    Type of Change

    Impacted Process

    Validation

    Findings

    Actions

    Configuration change to networking equipment or software

    Change management

    Check for request for change

    No RFC

    Add to CAB agenda, notify technical owner

    Configuration change to end-user device or software

    Asset management

    Check for service ticket

    No ticket

    Escalate to asset agenda, notify service manager

    New assets coming into service

    Security incident and event management

    Check for SIEM integration

    No SIEM integration

    Notify security operations team to investigate

    The configuration manager may not have authority to act but can inform the process owners of unauthorized changes for further action. Once the notifications are forwarded to the appropriate process owner, the configuration manager will note the escalation and follow up on data corrections as deemed appropriate by the associated process owner.

    3.1.4 Record when and how attributes will change

    These lists will help with configuration control plans and your implementation roadmap.

    1. List each attribute that will change in that CI type's life.
    2. Write all the times that each attribute will change. Identify:
      1. The name of the workflow, service request, process, or practice that modifies the attribute.
      2. Whether the update is made automatically or manually.
      3. The role or tool that updates the CMDB.
    1. Update the relevant process or procedure documentation. Explicitly identify when the configuration records are updated.

    Document these tables in Configuration Management Standard Operation Procedures, Section 8.7: Practices That Modify CIs.

    Network Equipment
    Attributes

    Practices That Modify This Attribute

    Status
    • Infra Deployment (updated manually by Network Engineering)
    • Change Enablement (updated manually by CAB or Network Engineering)
    Assigned User
    • IT Employee Offboarding or Role Change (updated manually by Network Engineering)
    Version
    • Patch Deployment (updated automatically by SolarWinds)
    End-User Computers
    Attributes
    Practices That Modify This Attribute
    Status
    • Device Deployment (updated manually by Desktop Support)
    • Device Recovery (updated manually by Desktop Support)
    • Employee Offboarding and Role Change (updated manually by Service Desk)
    Assigned User
    • Device Deployment (updated manually by Desktop Support)
    • Device Recovery (updated manually by Desktop Support)
    • Employee Offboarding and Role Change (updated manually by Service Desk)
    Version
    • Patch Deployment (updated automatically by ConfigMgr)

    Institute configuration control and configuration baselines where appropriate

    A baseline enables an assessment of one or more systems against the desired state and is useful for troubleshooting incidents or problems and validating changes and security settings.

    Baselines may be used by enterprise architects and system engineers for planning purposes, by developers to test their solution against production copies, by technicians to assess configuration drift that may be causing performance issues, and by change managers to assess and verify the configuration meets the target design.

    Configuration baselines are a snapshot of configuration records, displaying attributes and first-level relationships of the CIs. Standard configurations may be integral to the success of automated workflows, deployments, upgrades, and integrations, as well as prevention of security events. Comparing current CIs against their baselines will identify configuration drift, which could cause a variety of incidents. Configuration baselines are updated through change management processes.
    Configuration baselines can be used for a variety of use cases:

    • Version control – Management of software and hardware versions, https://dj5l3kginpy6f.cloudfront.net/blueprints/harness-configuration-management-superpowers-phases-1-4/builds, and releases.
    • Access control – Management of access to facilities, storage areas, and the CMS.
    • Deployment control – Take a baseline of CIs before performing a release so you can use this to check against actual deployment.
    • Identify accidental changes Everyone makes mistakes. If someone installs software on the wrong server or accidentally drops a table in a database, the CMS can alert IT of the unauthorized change (if the CI is included in configuration control).

    Info-Tech Insight

    Determine the appropriate method for evaluating and approving changes to baselines. Delegating this to the CCB every time may reduce agility, depending on volume. Discuss in CCB meetings.

    A decision tree for deploying requested changes.

    3.1.5 Institute configuration control and configuration baselines where appropriate

    Only baseline CIs and relationships that you want to control through change enablement.

    1. Determine criteria for capturing configuration baselines, including CI type, event, or processes.
    2. Identify who will use baselines and how they will use the data. Identify their needs.
    3. Identify CIs that will be out of scope and not have baselines created.
    4. Document requirements in the SOP.
    5. Ensure appropriate team members have training on how to create and capture baselines in the CMDB.
    6. Document in the Configuration Management Standard Operating Procedures, section 8.5: Establish and Maintain Configuration Baselines.
    Process Criteria Systems
    Change Enablement & Deployment All high-risk changes must have the baseline captured with version number to revert to stable version in the event of an unsuccessful change
    • Servers (physical and virtual)
    • Enterprise software
    • IaaS
    • Data centers
    Security Identify when configuration drift may impact risk mitigation strategies
    • Servers (physical and virtual)
    • Enterprise software
    • IaaS
    • Data centers
    Input

    Output

    • Discussion
    • Baseline configuration guidelines
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    Step 3.2

    Validate data within the CMDB

    Activities

    3.2.1 Build an audit plan and checklist

    This step will walk you through the following aspects of a configuration management system:

    • Data validation and audit

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • Project manager
    • IT audit

    Outcomes of this step

    • Updates to processes for data validation
    • Plan for auditing and validating the data in the CMDB

    Audit and validate the CMDB

    Review the performance of the supporting technologies and processes to validate the accuracy of the CMDB.

    A screenshot of the CM Audit Plan.

    CM Audit Plan

    • CM policies
    • CM processes and procedures
    • Interfacing processes
    • Content within the CMDB

    "If the data in your CMDB isn't accurate, then it's worthless. If it's wrong or inaccurate, it's going to drive the wrong decisions. It's going to make IT worse, not better."
    – Valence Howden, Research Director, Info-Tech Research Group

    Ensure the supporting technology is working properly

    Does the information in the database accurately reflect reality?

    Perform functional tests during audits and as part of release management practices.

    Audit results need to have a clear status of "compliant," "noncompliant," or "compliant with conditions," and conditions need to be noted. The conditions will generally offer a quick win to improve a process, but don't use these audit results to quickly check off something as "done." Ensure the fix is useful and meaningful to the process.
    The audit should cover three areas:

    • Process: Are process requirements for the program well documented? Are the processes being followed? If there were updates to the process, were those updates to the process documented and communicated? Has behavior changed to suit those modified processes?
    • Physical: Physical configuration audits (PCAs) are audits conducted to verify that a configuration item, as built, conforms to the technical documentation that defines and describes it.
    • Functional: Functional configuration audits (FCAs) are audits conducted to verify that the development of a configuration item has been completed satisfactorily, the item has achieved the functional attributes specified in the functional or allocated baseline, and its technical documentation is complete and satisfactory.

    Build auditing and validation of processes whenever possible

    When technicians and analysts are working on a system, they should check to make sure the data about that system is correct. When they're working in the CMDB, they should check that the data they're working with is correct.

    More frequent audits, especially in the early days, may help move toward process adoption and resolving data quality issues. If audits are happening more frequently, the audits can include a smaller scope, though it's important to vary each one to ensure many different areas have been audited through the year.

    • Watch for data duplication from multiple discovery tools.
    • Review mapping to ensure all relevant CIs are attached to a product or service.
    • Ensure report data is logical.

    Ensure the supporting technology is working properly

    Does the information in the database accurately reflect reality?

    Perform functional tests during audits and as part of release management practices.

    Audit results need to have a clear status of "compliant," "noncompliant," or "compliant with conditions," and conditions need to be noted. The conditions will generally offer a quick win to improve a process, but don't use these audit results to quickly check off something as "done." Ensure the fix is useful and meaningful to the process.
    The audit should cover three areas:

    • Process: Are process requirements for the program well documented? Are the processes being followed? If there were updates to the process, were those updates to the process documented and communicated? Has behavior changed to suit those modified processes?
    • Physical: Physical configuration audits (PCAs) are audits conducted to verify that a configuration item, as built, conforms to the technical documentation that defines and describes it.
    • Functional: Functional configuration audits (FCAs) are audits conducted to verify that the development of a configuration item has been completed satisfactorily, the item has achieved the functional attributes specified in the functional or allocated baseline, and its technical documentation is complete and satisfactory.

    More frequent audits, especially in the early days, may help move toward process adoption and resolving data quality issues. If audits are happening more frequently, the audits can include a smaller scope, though it's important to vary each one to ensure many different areas have been audited through the year.

    • Watch for data duplication from multiple discovery tools.
    • Review mapping to ensure all relevant CIs are attached to a product or service.
    • Ensure report data is logical.

    Identify where processes break down and data is incorrect

    Once process stops working, data becomes less accurate and people find workarounds to solve their own data needs.

    Data within the CMDB often becomes incorrect or incomplete where human work breaks down

    • Investigate processes that are performed manually, including data entry.
    • Investigate if the process executors are performing these processes uniformly.
    • Determine if there are opportunities to automate or provide additional training.
    • Select a sample of the corresponding data in the CMS. Verify if the data is correct.

    Non-CCB personnel may not be completing processes fully or consistently

    • Identify where data in the CMS needs to be updated.
    • Identify whether the process practitioners are uniformly updating the CMS.
    • Discuss options for improving the process and driving consistency for data that will benefit the whole organization.

    Ensure that the data entered in the CMDB is correct

    • Confirm that there is no data duplication. Data duplication is very common when there are multiple discovery tools in your environment. Confirm that you have set up your tools properly to avoid duplication.
    • Build a process to respond to baseline divergence when people make changes without following change processes and when updates alter settings.
    • Audit the system for accuracy and completeness.

    3.2.1 Build an audit plan and checklist

    Use the audit to identify areas where processes are breaking down.

    Audits present you with the ability to address these pain points before they have greater negative impact.

    1. Identify which regulatory requirements and/or auditing bodies will be relevant to audit processes or findings.
    2. Determine frequency of practice audits and how they relate to internal audits or external audits.
    3. Determine audit scope, including requirements for data spot checks.
    4. Determine who will be responsible for conducting audits and validate this is consistent with the RACI chart.
    5. Record audit procedures in the Configuration Management Standard Operating Procedures section 8.6: Verify and Review the Quality of Information Through Auditing.
    6. Review the Configuration Management Audit and Validation Checklist and modify to suit your needs.

    Download the Configuration Management Audit and Validation Checklist

    Input

    Output

    • Discussion
    • Baseline configuration guidelines
    MaterialsParticipants
    • Configuration Management Standard Operating Procedures
    • Configuration control board
    • Configuration manager
    • Project sponsor
    • IT stakeholders

    Phase 4

    Service Configuration Roadmap

    StrategyData StructureProcessesRoadmap
    • Challenges and Goals
    • Use Cases and Data
    • Roles and Responsibilities
    • Services
    • Classifications
    • Data Modeling
    • Lifecycle Processes
    • Baselines
    • Audit and Data Validation
    • Metrics
    • Communications Plan
    • Roadmap

    This phase will walk you through the following aspect of a configuration management system:
    Roadmap
    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager

    Harness Service Configuration Management Superpowers

    Step 4.1

    Define measures of success

    Activities

    4.1.1 Identify key metrics to define configuration management success
    4.1.2 Brainstorm and record desired reports, dashboards, and analytics
    4.1.3 Build a configuration management policy

    This phase will walk you through the following aspects of a configuration management system:

    • Metrics
    • Policy

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager

    The value of metrics can be found in IT efficiency increases

    When determining metrics for configuration management, be sure to separate metrics needed to gauge configuration management success and those that will use data from the CMDB to provide metrics on the success of other practices.

    • Metrics provide accurate indicators for IT and business decisions.
    • Metrics help you identify IT efficiencies and problems and solve issues before they become more serious.
    • Active metrics tracking makes root cause analysis of issues much easier.
    • Proper application of metrics helps IT services identification and prioritization.
    • Operational risks can be prevented by identifying and implementing metrics.
    • Metrics analysis increases the confidence of the executive team and ensures that IT is working well.

    A funnel is shown. The output is IT Performance. The inputs are: Service Desk Metrics; Incident Metrics; Asset Mgmt. Metrics; Release Mgmt. Metrics; Change Mgmt. Metrics; Infra. Metrics

    4.1.1 Identify key metrics to define configuration management success

    Determine what metrics are specifically related to the practice and how and when metrics will be accessed.

    Success factors

    Key metrics

    Source

    Product and service configuration data is relevant

    • Stakeholder satisfaction with data access, accuracy, and usability
    • Stakeholder satisfaction with service configuration management interface, procedures, and reports

    Stakeholder discussions

    • Number of bad decisions made due to incorrect or insufficient data
    • Impact of bad decisions made due to incorrect or insufficient data

    Process owner discussions

    • Number and impact of data identified as incorrect
    • % of CMDB data verified over the period

    CMDB

    Cost and effort are continually optimized

    • Effort devoted to service configuration management
    • Cost of tools directly related to the process

    Resource management or scheduling

    ERP

    Progress reporting

    • Communication execution
    • Process
    • Communications and feedback

    Communications team and stakeholder discussions

    Data – How many products are in the CMDB and are fully and accurately discovered and mapped?

    CMDB

    Ability to meet milestones on time and with appropriate quality

    Project team

    Document metrics in the Configuration Management Standard Operating Procedures, section 7: Success Metrics

    Use performance metrics to identify areas to improve service management processes using CMDB data

    Metrics can indicate a problem with service management processes but cannot provide a clear path to a solution on their own.

    • The biggest challenge is defining and measuring the process and people side of the equation.
    • Expected performance may also need to be compared to actual performance in planning, budgeting, and improvements.
    • The analysis will need to include critical success factors (CSFs), data collection procedures, office routines, engineering practices, and flow diagrams including workflows and key relationships.
    • External benchmarking may also prove useful in identifying how similar organizations are managing aspects of their infrastructure, processing transactions/requests, or staffing. If using external benchmarking for actual process comparisons, clearly defining your internal processes first will make the data collection process smoother and more informative.

    Info-Tech Insight

    Using a service framework such as ITIL, COBIT, or ISO 20000 may make this job easier, and subscribing to benchmarking partners will provide some of the external data needed for comparison.

    4.1.2 Brainstorm and record desired reports, dashboards, and analytics with related practices

    The project team will use this list as a starting point

    Allot 45 minutes for this discussion.

    1. Create a table for each service or business capability.
      1. Have one column for each way of consuming data: reports, dashboards, and ad hoc analytics.
      2. Have one row for each stakeholder group that will consume the information.
    2. Use the challenges and use cases to brainstorm reports, dashboards, and ad hoc analytic capabilities that each stakeholder group will find useful.
    3. Record these results in your Configuration Management Standard Operating Procedures, section 7: Aligned Processes' Desired Analytical Capabilities.
    Stakeholder Groups Reports Dashboards
    Change Management
    • CI changes executed without an RFC
    • RFCs grouped by service
    • Potential collisions in upcoming changes
    Security
    • Configuration changes that no longer match the baseline
    • New configuration items discovered
    Finance
    • Service-based costs
    • Service consumption by department

    Download the blueprint Take Control of Infrastructure and Operations Metrics to create a complete metrics program.

    Create a configuration management policy and communicate it

    Policies are important documents to provide definitive guidelines and clarity around data collection and use, process adherence, and controls.

    • A configuration management policy will apply to IT as the audience, and participants in the program will largely be technical.
    • Business users will benefit from a great configuration management program but will not participate directly.
    • The policy will include objectives and scope, use of data, security and integrity of data, data models and criteria, and baseline configurations.
    • Several governing regulations and practices may intersect with configuration management, such as ITIL, COBIT, and NIST frameworks, as well as change enablement, quality management, asset management, and more.
    • As the policy is written, review processes to ensure policies and processes are aligned. The policy should enable processes, and it may require modifications if it hinders the collection, security, or use of data required to meet proposed use cases.
    • Once the policy is written and approved, ensure all stakeholders understand the importance, context, and repercussions of the policy.

    The approvals process is about appropriate oversight of the drafted policies. For example:

    • Do the policies satisfy compliance and regulatory requirements?
    • Do the policies work with the corporate culture?
    • Do the policies address the underlying need?

    If the draft is approved:

    • Set the effective date and a review date.
    • Begin communication, training, and implementation.

    Employees must know that there are new policies and understand the steps they must take to comply with the policies in their work.

    Employees must be able to interpret, understand, and know how to act upon the information they find in the policies.

    Employees must be informed on where to get help or ask questions and who to request policy exceptions from.

    If the draft is rejected:

    • Acquire feedback and make revisions.
    • Resubmit for approval.

    4.1.3 Build a configuration management policy

    This policy provides the foundation for configuration control.

    Use this template as a starting point.

    The Configuration Management Policy provides the foundation for a configuration control board and the use of configuration baselines.
    Instructions:

    1. Review and modify the policy statements. Ensure that the policy statements reflect your organization and the expectations you wish to set.
    2. If you don't have a CCB: The specified responsibilities can usually be assigned to either the configuration manager or the governing body for change enablement.
    3. Determine if you should apply this policy beyond SCM. As written, this policy may provide a good starting point for practices such as:
      • Secure baseline configuration management
      • Software configuration management

    Two screenshots from the Configuration Management Policy template

    Download the Configuration Management Policy template

    Step 4.2

    Build communications and a roadmap

    Activities

    4.2.1 Build a communications plan
    4.2.2 Identify milestones

    This phase will walk you through the following aspects of a configuration management system:

    • Communications plan
    • Roadmap

    This phase involves the following participants:

    • IT service owners
    • Enterprise architects
    • Practice owners and managers
    • SCM practice manager
    • SCM project manager

    Outcomes of this step

    • Documented expectations around configuration control
    • Roadmap and action items for the SCM project

    Do not discount the benefits of a great communications plan as part of change management

    Many configuration management projects have failed due to lack of organizational commitment and inadequate communications.

    • Start at the top to ensure stakeholder buy-in by verifying alignment and use cases. Without a committed project sponsor who believes in the value of configuration management, it will be difficult to draw the IT team into the vision.
    • Clearly articulate the vision, strategy, and goals to all stakeholders. Ensure the team understands why these changes are happening, why they are happening now, and what outcomes you hope to achieve.
    • Gain support from technical teams by clearly expressing organizational and departmental benefits – they need to know "what's in it for me."
    • Clearly communicate new responsibilities and obligations and put a feedback process in place to hear concerns, mitigate risk, and act on opportunities for improvement. Be prepared to answer questions as this practice is rolled out.
    • Be consistent in your messaging. Mixed messages can easily derail progress.
    • Communicate to the business how these efforts will benefit the organization.
    • Share documents built in this blueprint or workshop with your technical teams to ensure they have a clear picture of the entire configuration management practice.
    • Share your measures and view of success and communicate wins throughout building the practice.

    30%

    When people are truly invested in change, it is 30% more likely to stick.
    McKinsey

    82%

    of CEOs identify organizational change management as a priority.
    D&B Consulting

    6X

    Initiatives with excellent change management are six times more likely to meet objectives than those with poor change management.
    Prosci

    For a more detailed program, see Drive Technology Adoption

    Formulate a communications plan to ensure all stakeholders and impacted staff will be aware of the plan

    Communication is key to success in process adoption and in identifying potential risks and issues with integration with other processes. Engage as often as needed to get the information you need for the project and for adoption.

    Identify Messages

    Distinct information that needs to be sent at various times. Think about:

    • Who will be impacted and how.
    • What the goals are for the project/new process.
    • What the audience needs to know about the new process and how they will interface with each business unit.
    • How people can request configuration data.

    Identify Audiences

    Any person or group who will be the target of the communication. This may include:

    • Project sponsors and stakeholders.
    • IT staff who will be involved in the project.
    • IT staff who will be impacted by the project (i.e. who will benefit from it or have obligations to fulfill because of it).
    • Business sponsors and product owners.

    Document and Track

    Document messaging, medium, and responsibility, working with the communications team to refine messages before executing.

    • Identify where people can send questions and feedback to ensure they have the information they need to make or accept the changes.
    • Document Q&A and share in a central location.

    Determine Timing

    Successful communications plans consider timing of various messages:

    • Advanced high-level notice of improvements for those who need to see action.
    • Advanced detailed notice for those who will be impacted by workload.
    • Advanced notice for who will be impacted (i.e. who will benefit from it or have obligations to fulfill because of it) once the project is ready to be transitioned to daily life.

    Determine Delivery

    Work with your communications team, if you have one, to determine the best medium, such as:

    • Meeting announcement for stakeholders and IT.
    • Newsletter for those less impacted.
    • Intranet announcements: "coming soon!"
    • Demonstrations with vendors or project team.

    4.2.1 Build a communications plan

    The communications team will use this list as a starting point.

    Allot 45 minutes for this discussion.

    Identify stakeholders.

    1. Identify everyone who will be affected by the project and by configuration management.

    Craft key messages tailored to each stakeholder group.

    1. Identify the key messages that must be communicated to each group.

    Finalize the communication plan.

    1. Determine the most appropriate timing for communications with each group to maximize receptivity.
    2. Identify any communication challenges you anticipate and incorporate steps to address them into your communication plan.
    3. Identify multiple methods for getting the messages out (e.g. newsletters, emails, meetings).
    1. Identify how feedback will be collected (i.e. through interviews or surveys) to measure whether the changes were communicated well.
    Audience Message Medium Timing Feedback Mechanism
    Configuration Management Team Communicate all key processes, procedures, policies, roles, and responsibilities In-person meetings and email communications Weekly meetings Informal feedback during weekly meetings
    Input

    Output

    • Discussion
    • Rough draft of messaging for communications team
    MaterialsParticipants
    • Project plan
    • Configuration manager
    • Project sponsor
    • IT director
    • Communications team

    Build a realistic, high-level roadmap including milestones

    Break the work into manageable pieces

    1. Plan to have multiple phases with short-, medium-, and long-term goals/timeframes. Building a CMDB is not easy and should be broken into manageable sections.
    2. Set reasonable milestones. For each phase, document goals to define "done" and ensure they're reasonable for the resources you have available. If working with a vendor, include them in your discussions of what's realistic.
    3. Treat the first phase as a pilot. Focus on items you understand well:
      1. Well-understood user-facing and IT services
      2. High-maturity management and governance practices
      3. Trusted data sources
    4. Capture high-value, high-criticality services early. Depending on the complexity of your systems, you may need to split this phase into multiple phases.

    Document this table in the Configuration Management Project Charter, section 3.0: Milestones

    Timeline/Owner Milestone/Deliverable Details
    First four weeks Milestone: Plan defined and validated with ITSM installation vendor Define processes for intake, maintenance, and retirement.
    Rebecca Roberts Process documentation written, approved, and ready to communicate Review CI categories

    4.2.2 Identify milestones

    Build out a high-level view to inform the project plan

    Open the Configuration Management Project Charter, section 3: Milestones.
    Instructions:

    1. Identify high-level milestones for the implementation of the configuration management program. This may include tool evaluation and implementation, assignment of roles, etc.
    2. Add details to fill out the milestone, keeping to a reasonable level of detail. This may inform vendor discussion or further development of the project plan.
    3. Add target dates to the milestones. Validate they are realistic with the team.
    4. Add notes to the assumptions and constraints section.
    5. Identify risks to the plan.

    Two Screenshots from the Configuration Management Project Charter

    Download the Configuration Management Project Charter

    Workshop Participants

    R = Recommended
    O = Optional

    Participants Day 1 Day 2 Day 3 Day 4
    Configuration Management Strategy CMDB Data Structure Processes Communications & Roadmap
    Morning Afternoon Morning Afternoon Morning Afternoon Morning Afternoon
    Head of IT R O
    Project Sponsor R R O O O O O O
    Infrastructure, Enterprise Apps Leaders R R O O O O O O
    Service Manager R R O O O O O O
    Configuration Manager R R R R R R R R
    Project Manager R R R R R R R R
    Representatives From Network, Compute, Storage, Desktop R R R R R R R R
    Enterprise Architecture R R R R O O O O
    Owner of Change Management/Change Control/Change Enablement R R R R R R R R
    Owner of In-Scope Apps, Use Cases R R R R R R R R
    Asset Manager R R R R R R R R

    Related Info-Tech Research

    Research Contributors and Experts

    Thank you to everyone who contributed to this publication

    Brett Johnson, Senior Consultant, VMware

    Yev Khovrenkov, Senior Consultant, Solvera Solutions

    Larry Marks, Reviewer, ISACA New Jersey

    Darin Ohde, Director of Service Delivery, GreatAmerica Financial Services

    Jim Slick, President/CEO, Slick Cyber Systems

    Emily Walker, Sr. Digital Solution Consultant, ServiceNow

    Valence Howden, Principal Research Director, Info-Tech Research Group

    Allison Kinnaird, Practice Lead, IT Operations, Info-Tech Research Group

    Robert Dang, Principal Research Advisor, Security, Info-Tech Research Group

    Monica Braun, Research Director, IT Finance, Info-Tech Research Group

    Jennifer Perrier, Principal Research Director, IT Finance, Info-Tech Research Group

    Plus 13 anonymous contributors

    Bibliography

    An Introduction to Change Management, Prosci, Nov. 2019.
    BAI10 Manage Configuration Audit Program. ISACA, 2014.
    Bizo, Daniel, et al, "Uptime Institute Global Data Center Survey 2021." Uptime Institute, 1 Sept. 2021.
    Brown, Deborah. "Change Management: Some Statistics." D&B Consulting Inc. May 15, 2014. Accessed June 14, 2016.
    Cabinet Office. ITIL Service Transition. The Stationery Office, 2011.
    "COBIT 2019: Management and Governance Objectives. ISACA, 2018.
    "Configuration Management Assessment." CMStat, n.d. Accessed 5 Oct. 2022.
    "Configuration Management Database Foundation." DMTF, 2018. Accessed 1 Feb. 2021.
    Configuration Management Using COBIT 5. ISACA, 2013.
    "Configuring Service Manager." Product Documentation, Ivanti, 2021. Accessed 9 Feb. 2021.
    "Challenges of Implementing configuration management." CMStat, n.d. Accessed 5 Oct. 2022.
    "Determining if configuration management and change control are under management control, part 1." CMStat, n.d. Accessed 5 Oct. 2022.
    "Determining if configuration management and change control are under management control, part 2." CMStat, n.d. Accessed 5 Oct. 2022.
    "Determining if configuration management and change control are under management control, part 3." CMStat, n.d. Accessed 5 Oct. 2022.
    "CSDM: The Recipe for Success." Data Content Manager, Qualdatrix Ltd. 2022. Web.
    Drogseth, Dennis, et al., 2015, CMDB Systems: Making Change Work in the Age of Cloud and Agile. Morgan Kaufman.
    Ewenstein, B, et al. "Changing Change Management." McKinsey & Company, 1 July 2015. Web.
    Farrell, Karen. "VIEWPOINT: Focus on CMDB Leadership." BMC Software, 1 May 2006. Web.
    "How to Eliminate the No. 1 Cause of Network Downtime." SolarWinds, 4 April 2014. Accessed 9 Feb. 2021.
    "ISO 10007:2017: Quality Management -- Guidelines for Configuration Management." International Organization for Standardization, 2019.
    "IT Operations Management." Product Documentation, ServiceNow, version Quebec, 2021. Accessed 9 Feb. 2021.
    Johnson, Elsbeth. "How to Communicate Clearly During Organizational Change." Harvard Business Review, 13 June 2017. Web.
    Kloeckner, K. et al. Transforming the IT Services Lifecycle with AI Technologies. Springer, 2018.
    Klosterboer, L. Implementing ITIL Configuration Management. IBM Press, 2008.
    Norfolk, D., and S. Lacy. Configuration Management: Expert Guidance for IT Service Managers and Practitioners. BCS Learning & Development Limited, revised ed., Jan. 2014.
    Painarkar, Mandaar. "Overview of the Common Data Model." BMC Documentation, 2015. Accessed 1 Feb. 2021.
    Powers, Larry, and Ketil Been. "The Value of Organizational Change Management." Boxley Group, 2014. Accessed June 14, 2016.
    "Pulse of the Profession: Enabling Organizational Change Throughout Strategic Initiatives." PMI, March 2014. Accessed June 14, 2016.
    "Service Configuration Management, ITIL 4 Practice Guide." AXELOS Global Best Practice, 2020
    "The Guide to Managing Configuration Drift." UpGuard, 2017.

    Build a Zero Trust Roadmap

    • Buy Link or Shortcode: {j2store}253|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $48,932 Average $ Saved
    • member rating average days saved: 42 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
    • The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.
    • Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
    • Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

    Our Advice

    Critical Insight

    Apply zero trust to key protect surfaces. A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

    Impact and Result

    Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined. Our unique approach:

    • Assess resources and determine zero trust readiness.
    • Prioritize initiatives and build out roadmap.
    • Deploy zero trust and monitor with zero trust progress metrics.

    Build a Zero Trust Roadmap Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Zero Trust Roadmap Deck – The purpose of the storyboard is to provide a detailed description of the steps involving in building a roadmap for implementing zero trust.

    The storyboard contains five easy-to-follow steps on building a roadmap for implementing zero trust, from aligning initiatives to business goals to establishing metrics for measuring the progress and effectiveness of a zero trust implementation.

    • Build a Zero Trust Roadmap – Phases 1-5

    2. Zero Trust Protect Surface Mapping Tool – A tool to identify key protect surfaces and map them to business goals.

    Use this tool to develop your zero trust strategy by having it focus on key protect surfaces that are aligned to the goals of the business.

    • Zero Trust Protect Surface Mapping Tool

    3. Zero Trust Program Gap Analysis Tool – A tool to perform a gap analysis between the organization's current implementation of zero trust controls and its desired target state and to build a roadmap to achieve the target state.

    Use this tool to develop your zero trust strategy by creating a roadmap that is aligned with the current state of the organization when it comes to zero trust and its desired target state.

    • Zero Trust Program Gap Analysis Tool

    4. Zero Trust Candidate Solutions Selection Tool – A tool to identify and evaluate solutions for identified zero trust initiatives.

    Use this tool to develop your zero trust strategy by identifying the best solutions for zero trust initiatives.

    • Zero Trust Candidate Solutions Selection Tool

    5. Zero Trust Progress Monitoring Tool – A tool to identify metrics to measure the progress and efficiency of the zero trust implementation.

    Use this tool to develop your zero trust strategy by identifying metrics that will allow the organization to monitor how the zero trust implementation is progressing, and whether it is proving to be effective.

    • Zero Trust Progress Monitoring Tool

    6. Zero Trust Communication Deck – A template to present the zero trust template to key stakeholders.

    Use this template to present the zero trust strategy and roadmap to ensure all key elements are captured.

    • Zero Trust Communication Deck

    Infographic

    Workshop: Build a Zero Trust Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Business Goals and Protect Surfaces

    The Purpose

    Align business goals to protect surfaces.

    Key Benefits Achieved

    A better understanding of how business goals can map to key protect surfaces and their associated DAAS elements.

    Activities

    1.1 Understand business and IT strategy and plans.

    1.2 Define business goals.

    1.3 Identify five critical protect surfaces and their associated DAAS elements.

    1.4 Map business goals and protect surfaces.

    Outputs

    Mapping of business goals to key protect surfaces and their associated DAAS elements.

    2 Begin Gap Analysis

    The Purpose

    Identify and define zero trust initiatives.

    Key Benefits Achieved

    A list of zero trust initiatives to be prioritized and set into a roadmap.

    Activities

    2.1 Assess current security capabilities and define the zero trust target state for a set of controls.

    2.2 Identify tasks to close maturity gaps.

    2.3 Assign tasks to zero trust initiatives.

    Outputs

    Security capabilities current state assessment

    Zero trust target state

    Tasks to address maturity gaps

    3 Complete Gap Analysis

    The Purpose

    Complete the zero trust gap analysis and prioritize zero trust initiatives.

    Key Benefits Achieved

    A prioritized list of zero trust initiatives aligned to business goals and key protect surfaces.

    Activities

    3.1 Align initiatives to business goals and key protect surfaces.

    3.2 Conduct cost/benefit analysis on zero trust initiatives.

    3.3 Prioritize initiatives.

    Outputs

    Zero trust initiative list mapped to business goals and key protect surfaces

    Prioritization of zero trust initiatives

    4 Finalize Roadmap and Formulate Policies

    The Purpose

    Finalize the zero trust roadmap and begin to formulate zero trust policies for roadmap initiatives.

    Key Benefits Achieved

    A zero trust roadmap of prioritized initiatives.

    Activities

    4.1 Define solution criteria.

    4.2 Identify candidate solutions.

    4.3 Evaluate candidate solutions.

    4.4 Finalize roadmap.

    4.5 Formulate policies for critical DAAS elements.

    4.6 Establish metrics for high-priority initiatives.

    Outputs

    Zero trust roadmap

    Zero trust policies for critical protect surfaces

    Method for defining zero trust policies for candidate solutions

    Metrics for high-priority initiatives

    Further reading

    Build a Zero Trust Roadmap

    Leverage an iterative and repeatable process to apply zero trust to your organization.

    EXECUTIVE BRIEF

    Analyst Perspective

    Internet is the new corporate network.

    For the longest time we have focused on reducing the attack surface to deter malicious actors from attacking organizations, but I dare say that has made these actors scream “challenge accepted.” With sophisticated tools, time, and money in their hands, they have embarrassed even the finest of organizations. A popular hybrid workforce and rapid cloud adoption have introduced more challenges for organizations, as the security and network perimeter have shifted and the internet is now the corporate network. Suffice it to say that a new mindset needs to be adopted to stay on top of the game.

    The success of most attacks is tied to denial of service, data exfiltration, and ransom. A shift from focusing on the attack surface to the protect surface will help organizations implement an inside-out architecture that protects critical infrastructure, prevents the success of any attack, makes it difficult to gain access, and links directly to business goals.

    Zero trust principles aid that shift across several pillars (Identity, Device, Application, Network, and Data) that make up a typical infrastructure; hence, the need for a zero trust roadmap to accomplish that which we desire for our organization.

    Victor Okorie
    Senior Research Analyst, Security and Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Many IT and security leaders struggle to understand zero trust and how best to deploy it with their existing IT resources.
    • The need to move from a perimeter-based approach to security toward an “Always Verify” approach is clear. The path to getting there is complex and expensive.

    Common Obstacles

    • Zero trust as a principle is a moving target due to competing definitions and standards. A strategy that adapts evolving best practices must be supported by business stakeholders.
    • Full zero trust includes many components. Performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.

    Info-Tech’s Approach

    • Every organization should have a zero trust strategy and the roadmap to deploy it must always be tested and refined.
    • Our unique approach:
      • Assess resources and determine zero trust readiness.
      • Address barriers and identify enablers.
      • Prioritize initiatives and build out roadmap.
      • Identify most appropriate vendors via vendor selection framework.
      • Deploy zero trust and monitor with zero trust progress metrics.

    Info-Tech Insight

    A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

    Your challenge

    This research is designed to help organizations:

    • Understand what zero trust is and decide how best to deploy it with their existing IT resources. Zero trust is a set of principles that defaults to the highest level of security; a failed implementation can easily disrupt the business. A pragmatic zero trust implementation must be flexible and adaptable yet maintain a consistent level of protection.
    • Move from a perimeter-based approach to security toward an “Always Verify” approach. The path to getting there is complex without a clear understanding of desired outcomes. Focusing efforts on key protection gaps and leveraging capable controls in existing architecture allows for a repeatable process that carries IT, security, and the business along on the journey.

    On this zero trust journey, identify your valuable assets and zero trust controls to protect them.

    Top three reasons for building a zero trust strategy

    44%

    Reduce attacker’s ability to move laterally

    44%

    Enforce least privilege access to critical resources

    41%

    Reduce enterprise attack surface

    Common obstacles

    These barriers make this challenge difficult to address for many organizations:

    • Due to zero trust’s many components, performing an accurate assessment of readiness and benefits to adopt zero trust can be extremely difficult when you don’t know where to start.
      • To feel ready to implement and to understand the benefits of zero trust, IT must first understand what zero trust means to the organization.
    • Zero trust as a set of principles is a moving target, with many developing standards and competing technology definitions. A strategy built around evolving best practices must be supported by related business stakeholders.
      • To ensure support, IT must be able to “sell” zero trust to business stakeholders by illustrating the value zero trust can bring to business objectives.

    43%

    Organizations with a full implementation of zero trust saved 43% on the costs of data breaches.
    (Source: Teramind, 2021)

    96%

    Zero trust is considered key to the success of 96% of organizations in a survey conducted by Microsoft.
    (Source: Microsoft, 2021)

    What is zero trust?

    It depends on who you ask…

    • Vendors use zero trust as a marketing buzzword.
    • Organizations try to comprehend zero trust in their own limited views.
    • Zero trust regulations/standards are still developing.

    “A cybersecurity paradigm focused on resource protection and the premise that trust is never granted implicitly but must be continually evaluated.”

    Source: NIST, SP 800-207: Zero Trust Architecture, 2020

    “An evolving set of cybersecurity paradigms that move defenses from static, network-based perimeters to focus on users, assets, and resources.”

    Source: DOD, Zero Trust Reference Architecture, 2021

    “A security model, a set of system design principles, and a coordinated cybersecurity and system management strategy based on an acknowledgement that threats exist both inside and outside traditional network boundaries.”

    Source: NSA, Embracing a Zero Trust Security Model, 2021

    “Zero trust provides a collection of concepts and ideas designed to minimize uncertainty in enforcing accurate, least privilege per-request access decisions in information systems and services in the face of a network viewed as compromised.”

    Source: CISA, Zero Trust Maturity Model, 2021

    “The foundational tenet of the zero trust model is that no actor, system, network, or service operating outside or within the security perimeter is trusted.”

    Source: OMB, Moving the U.S. Government Toward Zero Trust Cybersecurity Principles, 2022

    What is zero trust?

    From Theoretical to Practical

    Zero trust is an ideal in the literal sense of the word, because it is a standard defined by its perfection. Just as nothing in life is perfect, there is no measure that determines an organization is absolutely zero trust. The best organizations can do is improve their security iteratively and get as close to ideal as possible.

    In the most current application of zero trust in the enterprise, a zero trust strategy applies a set of principles, including least-privilege access and per-request access enforcement, to minimize compromise to critical assets. A zero trust roadmap is a plan that leverages zero trust concepts, considers relationships between technical elements as well as security solutions, and applies consistent access policies to minimize areas of exposure.

    Zero Trust; Identity; Workloads & Applications; Network; Devices; Data

    Info-Tech Insight

    Solutions offering zero trust often align with one of five pillars. A successful zero trust implementation may involve a combination of solutions, each protecting the various data, application, assets, and/or services elements in the protect surface.

    Zero trust business benefits

    Reduce business and organizational risk

    Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organizations practice.

    36% of data breaches involved internal actors.
    Source: Verizon, 2021

    Reduce CapEx and OpEx

    Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
    Source: SecurityBrief - Australia, 2020.

    Reduce scope and cost of compliance

    Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.

    Scope of compliance reduced due to segmentation.

    Reduce risk of data breach

    Reduced risk of data breach in any instance of a malicious attack as there’s no lateral movement, secure segment, and improved visibility.

    10% Increase in data breach costs; costs went from $3.86 million to $4.24 million.
    Source: IBM, 2021

    This is an image of a thought map detailing Info-Tech's Build A Zero Trust Roadmap.  The main headings are: Define; Design; Develop; Monitor

    Info-Tech’s methodology for Building a Zero Trust Roadmap

    1. Define Business Goals and Protect Surfaces

    2. Assess Key Capabilities and Identify Zero Trust Initiatives

    3. Evaluate Candidate Solutions and Finalize Roadmap

    4. Formulate Policies for Roadmap Initiatives

    5. Monitor the Zero Trust Roadmap Deployment

    Phase Steps

    Define business goals

    Identify critical DAAS elements

    Map business goals to critical DAAS elements

    1. Review the Info-Tech framework
    2. Assess current capabilities and define the zero trust target state
    3. Identify tasks to close gaps
    4. Define tasks and initiatives
    5. Align initiatives to business goals and protect surfaces
    1. Define solution criteria
    2. Identify candidate solutions
    3. Evaluate candidate solutions
    4. Perform cost/benefit analysis
    5. Prioritize initiatives
    6. Finalize roadmap
    1. Formulate policies for critical DAAS elements
    2. Formulate policies to secure a path to access critical DAAS elements
    1. Establish metrics for roadmap tasks
    2. Track and report metrics
    3. Build a communication deck

    Phase Outcomes

    Mapping of business goals to protect surfaces

    Gap analysis of security capabilities

    Evaluation of candidate solutions and a roadmap to close gaps

    Method for defining zero trust policies for candidate solutions

    Metrics for measuring the progress and efficiency of the zero trust implementation

    Protect what is relevant

    Apply zero trust to key protect surfaces

    A successful zero trust strategy should evolve through an iterative and repeatable process by assessing the full spectrum of available technologies to apply zero trust principles to the most relevant protect surfaces.

    Align protect surfaces to business objectives

    Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

    Identify zero trust capabilities

    Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

    Roadmap first, not solution first

    Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

    Create enforceable policies

    The success of a zero trust implementation relies on consistent enforcement. Applying the Kipling methodology to each protect surface is the best way to design zero trust policies.

    Success should benefit the organization

    To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Zero Trust Communication Deck

    Present your zero trust strategy in a prepopulated document that summarizes the work you have completed as a part of this blueprint.

    Zero Trust Protect Surface Mapping Tool

    Identify critical and vulnerable DAAS elements to protect and align them to business goals.

    Zero Trust Program Gap Analysis Tool

    Perform a gap analysis between current and target states to build a zero trust roadmap.

    Zero Trust Candidate Solutions Selection Tool

    Determine and evaluate candidate solutions based on defined criteria.

    Zero Trust Progress Monitoring Tool

    Develop metrics to track the progress and efficiency of the organization’s zero trust implementation.

    Blueprint benefits

    IT Benefits

    • A mapped transaction flow of critical and vulnerable assets and visibility of where to implement security controls that aligns with the principle of zero trust.
    • Improved security posture across the digital attack surface while focusing on the protect surface.
    • An inside-out architecture that leverages current existing architecture to tighten security controls, is automated, and gives granular visibility.

    Business Benefits

    • Reduced business risks as continuous verification of identity, devices, network, applications, and data is embedded in the organization’s practice.
    • Reduced CapEx and OpEx due to the scalability, low staffing requirement, and improved time-to-respond to threats.
    • Helps achieve compliance with several privacy standards and regulations, improves maturity for cyber insurance premium, and fewer gaps during audits.
    • Reduced risk of data breach in any instance of a malicious attack.

    Measure the value of this blueprint

    Save an average of $1.76 million dollars in the event of a data breach

    • This research set seeks to help organizations develop a mature zero trust implementation which, according to IBM’s “Cost of a Data Breach 2021 Report,” saves organizations an average of $1.76 million in the event of a data breach.
    • Leverage phase 5 of this research to develop metrics to track the implementation progress and efficacy of zero trust tasks.

    43%

    Organizations with a mature implementation of zero trust saved 43%, or $1.76 million, on the costs of data breaches.
    Source: IBM, 2021

    In phase 2 of this blueprint, we will help you establish zero trust implementation tasks for your organization.

    In phase 3, we will help you develop a game plan and a roadmap for implementing those tasks.

    This image contains a screenshot info-tech's methodology for building a zero-trust roadmap, discussed earlier in this blueprint

    Executive Brief Case Study

    National Aeronautics and Space Administration (NASA)

    INDUSTRY: Government

    SOURCE: Zero Trust Architecture Technical Exchange Meeting

    NASA recognized the potential benefits of both adopting a zero trust architecture (including aligning with OMB FISMA and DHS CDM DEFEND) and improving NASA systems, especially those related to user experience with dynamic access, application security with sole access from proxy, and risk-based asset management with trust score. The trust score is continually evaluated from a combination of static factors, such as credential and biometrics, and dynamic factors, such as location and behavior analytics, to determine the level of access. The enhanced access mechanism is projected on use-case flows of users and external partners to analyze the required initiatives.

    The lessons learned in adapting zero trust were:

    • Focus on access to data, assets, applications, and services; and don’t select solutions or vendors too early.
    • Provide support for mobile and external partners.
    • Complete zero trust infrastructure and services design with holistic risk-based management, including network access control with software-defined networking and an identity management program.
    • Develop a zero trust strategy that aligns with mission objectives.

    Results

    NASA implemented zero trust architecture by leveraging the agency existing components on a roadmap with phases related to maturity. The initial development includes privileged access management, security user behavior analytics, and a proof-of-concept lab for evaluating the technologies.
    Case Study Source: NASA, “Planning for a Zero Trust Architecture Target State,” 2019

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3 Phase 4 Phase 5
    Call #1:
    Scope requirements, objectives, and your specific challenges.

    Call #3:
    Define current security capabilities and zero trust target state.

    Call #5:

    Identify and evaluate solution criteria.

    Call #7:
    Create a process for formulating zero trust policies.

    Call #8:
    Establish metrics for assessing the implementation and effectiveness of zero trust.

    Call #2:
    Identify business goals and protect surfaces.

    Call #4:
    Identify gap-closing tasks and assign to zero trust initiatives.

    Call #6:
    Prioritize zero trust initiatives.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.
    A typical GI is between 8 to 12 calls over the course of 2 to 4 months.

    Workshop Overview

    Contact your account representative for more information.workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4 Day 5

    Define Business Goals and Protect Surfaces

    Begin Gap Analysis

    Complete Gap Analysis

    Finalize Roadmap and Formulate Policies

    Next Steps and
    Wrap-Up (offsite)

    Activities

    1.1 Understand business and IT strategy and plans.

    1.2 Define business goals.

    1.3 Identify five critical protect surfaces and their associated DAAS elements.

    1.4 Map business goals and protect surfaces.

    2.1 Assess current security capabilities and define the zero Trust target state for a set of controls.

    2.2 Identify tasks to close maturity gaps.

    2.3 Assign tasks to zero trust initiatives.

    3.1 Align initiatives to business goals and key protect surfaces.

    3.2 Conduct cost/benefit analysis on zero trust initiatives.

    3.3 Prioritize initiatives.

    4.1 Define solution criteria.

    4.2 Identify candidate solutions.

    4.3 Evaluate candidate solutions.

    4.4 Finalize roadmap.

    4.5 Formulate policies for critical DAAS elements.

    4.6 Establish metrics for high-priority initiatives.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. 1.Mapping of business goals to key protect surfaces and their associated DAAS elements
    1. Security capabilities current state assessment
    2. Zero trust target state
    3. Tasks to address maturity gaps
    1. Zero trust initiative list mapped to business goals and key protect surfaces
    2. Prioritization of zero trust initiatives
    1. Zero trust roadmap
    2. Zero trust policies for critical protect surfaces
    3. Method for defining zero trust policies for candidate solutions
    4. Metrics for high-priority initiatives
    1. Zero trust roadmap documentation
    2. Mapping of Info-Tech resources against individual initiatives

    Phase 1

    Define Business Objectives and Protect Surfaces

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Identify and define the business goals.
    • Identify the critical DAAS elements and protect surface.
    • Align the business goals to the protect surface and critical DAAS elements.

    This phase involves the following participants:

    • Security Team
    • Business Executives
    • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management

    Analyze your business goals

    Identifying business goals is the first step in aligning your zero trust roadmap with your business’ vision.

    • Security leaders need to understand the direction the business is headed in.
    • Wise security investments depend on aligning your security initiatives to business objectives.
    • Zero trust, and information security at large, should contribute to your organization’s business objectives by supporting operational performance, ensuring brand protection and shareholder value.
      • For example, if the organization is working on a new business initiative that requires the handling of credit card payments, the security organization needs to know as soon as possible to ensure the zero trust architecture will be extended to protect the PCI data and enable the organization to be PCI compliant.

      Info-Tech Insight

      Security and the business need to be in alignment when implementing zero trust. Defining the business goal helps rationalize the need for a zero trust implementation.

    1.1 Define your organization’s business goals

    Estimated time 1-3 hours

    1. As a group, brainstorm the business goals of the organization.
    2. Review relevant business and IT strategies.
    3. Review the business goal definitions in tab “2. Business Objectives” of the Zero Trust Protect Surface Mapping Tool, including the key goal indicator metrics.
    4. Record the most important business goals in the Business Goal column on tab “3. Protect Surfaces” of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary goals. This limitation will be critical to help map the protect surface and the zero trust roadmap later.

    Input

    • Business and IT strategies

    Output

    • Prioritized list of business objectives

    Materials

    • Whiteboard/Flip Charts
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • Security Team
    • IT Leadership
    • Business Stakeholders
    • Risk Management
    • Compliance
    • Legal

    Download the Zero Trust Protect Surface Mapping Tool

    Info-Tech Insight

    Developing a zero trust roadmap collaboratively with business stakeholders enables alignment with upcoming business priorities and industry trends.

    What does zero trust mean for you?

    For a successful implementation, focus on your zero trust outcome.

    This image describes the Who, What, When, Where, Why, and How for Zero Trust.

    Regardless of whether the user is accessing resources internally or externally, zero trust is posed to authenticate, authorize, and continuously verify the security policies and posture before access is granted or denied. Many network architecture can be local, cloud based, or hybrid and with users working from any location, there is no network perimeter as we knew it and the internet is now the corporate network.

    Zero trust framework seeks to extend the perimeter-less security to the present digital transformation.

    Understand protect surface

    Data, Application, Asset, and Services

    A protect surface can be described as what’s critical, most vulnerable, or most valuable to your organization. This protect surface could include at least one of the following – data, assets, applications, and services (DAAS) – that requires protection. This is also the area that zero trust policy is aimed to protect. Understanding what your protect surface is can help channel the required energy into protecting that which is crucial to the business, and this aligns with the shift from focusing on the attack surface to narrowing it down to a smaller and achievable area of protection.

    Anything and everything that connects to the internet is a potential attack surface and pursuing every loophole will leave us one step behind due to lack of resources. Since a protect surface contains one or more DAAS element, the micro-perimeter is created around it and the appropriate protection is applied around it. As a team, we can ask ourselves this question when thinking of our protect surface: to what degree does my organization want me to secure things? The knowledge of the answer to this question can be tied to the risk tolerance level of the organization and it is only fair for us to engage the business in identifying what the protect surface should be.

    Components of a protect surface

    • Data
    • Application
    • Asset
    • Services

    Info-Tech Insight

    The protect surface is a shift from focusing on the attack surface. DAAS elements show where the initiatives and controls associated with the zero trust pillars (Identity, Devices, Network, Application, and Data) need to be applied.

    Sample Scenario

    INDUSTRY: Healthcare

    SOURCE: Info-Tech Research Group

    Illustration

    A healthcare provider would consider personal health information a critical resource worthy of being protected against data exfiltration due to a host of reasons including but not limited to privacy regulations, loss of revenue, legal, and reputational loss; hence, this would be considered a protect surface.

    • What is the data that can’t be risked exfiltrated?
    • What application(s) is used to access this data?
    • What assets are used to generate and store the data?
    • What are the services we rely on to be able to access the data?

    DAAS Element

    • The data here is the patient information.
    • The application used to access the personal health information would be EPIC, OR list, and any other application used in that organization.
    • The assets used to store the data and generate the PHI would include physical workstations, medical scanners, etc.
    • The services that can be exploited to disrupt the operation or used to access the data would include active directory, single sign-on, etc.

    DAAS and Zero Trust Pillar

    This granular identification provides an opportunity to not only see what the protect surface and DAAS elements are but also understand where to apply security controls that align with the principle of zero trust as well as how the transaction flows. The application pillar initiatives will provide protection to the EPIC application and the device pillar initiatives will provide protection to the workstations and physical scanners. The identity pillar initiatives will apply protection to the active directory, and single sign-on services. The zero trust pillar initiatives align with the protection of the DAAS elements.

    Shift from attack surface to protect surface

    This image contains a screenshot of the thought map: Shift from attack surface to protect surface.  Go from complex to a micro perimeter approach.

    Info-Tech Insight

    The protect surface is a shift from focusing on the attack surface as it creates a micro-perimeter for the application of zero trust policies on the system. This drastically reduces the success of an attack whether internally or externally, reduces the attack surface, and is also repeatable.

    1.2 Identify critical DAAS elements

    Estimated time 1-3 hours

    1. As a group, brainstorm and identify critical, valuable, sensitive assets or resources requiring high availability in the organization. Each DAAS element is part of a protect surface, or sometimes, the DAAS element itself is a protect surface.
    • Data – The sensitive data that poses the greatest risk if exfiltrated or misused. What data needs to be protected?
    • Applications – The applications that use sensitive data or control critical assets. Which applications are critical for your business functions?
    • Assets – Physical or virtual assets, including an organization’s information technology (IT), operational technology (OT), or Internet of Things devices.
    • Services – The services an organization most depends on. Services that can be exploited to disrupt normal IT or business operations.
  • Record the critical DAAS elements and protect surface in their respective columns of the Zero Trust Protect Surface Mapping Tool. Try to limit the number of business goals to no more than five primary protect surfaces to match with the business goals.
  • Download the Zero Trust Protect Surface Mapping Tool

    Input

    • Critical resources to protect
    • Understanding of how they interoperate or connect

    Output

    • Protect surfaces

    Materials

    • Whiteboard/Flip Charts
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • Security Team
    • IT Leadership
    • Business Stakeholders

    1.3 Map business goals to critical DAAS elements

    Estimated time 1-2 hours

    1. The protect surface will be generated from the critical DAAS elements as a standalone protect surface or a group of interconnected DAAS elements merged into one.
    • Each protect surface can be tied back to a business objective.
  • Select from the drop-down list of business objectives the option that fits the identified protect surface as it relates to the organization.
    • Type in your business objectives if the drop-down list does not apply.

    Download the Zero Trust Protect Surface Mapping Tool

    This image contains a screenshot from the Zero Trust Protect Surface Mapping Tool, with the following columns highlighted: Business Goal Name; Protect Surface Name

    Phase 2

    Assess Key Capabilities and Identify Zero Trust Initiatives

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Assess the organization’s current capabilities.
    • Define the zero trust target state.
    • Identify tasks to close gaps
    • Define zero trust initiatives and align zero trust initiatives to business goals and protect surfaces.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    The Info-Tech Zero Trust Framework

    Info-Tech’s Zero Trust Framework aligns with zero trust references, including:

    • ACT Zero Trust Cybersecurity Current Trends. 2019
    • NIST SP 800-207: Zero Trust Architecture. 2020
    • DOD Zero Trust Reference Architecture. 2021
    • NSA Embracing a Zero Trust Security Model. 2021
    • CISA Zero Trust Maturity Model. 2021
    • Executive Order (EO) 14028: Improving the Nation’s Cybersecurity, The White House. 2021
    • OMB Moving the U.S. Government Toward Zero Trust Cybersecurity Principles. 2022
    • NSTAC Zero Trust and Trusted Identity Management. 2022
    • NIST SP 800-53 r5: Security and Privacy Controls for Information Systems and Organizations

    Identity

    • Authentication
    • Authorization
    • Privileged Access Management

    Applications

    • Software Defined Compute
    • DevSecOps
    • Software Supply Chain

    Devices

    • Authentication
    • Authorization
    • Compliance

    Networks

    • Software Defined Networking
    • Macro Segmentations
    • Micro Segmentation

    Data

    • Software Defined Storage
    • Data Loss Prevention
    • Data Rights Management

    Info-Tech Insight

    A best-of-breed approach ensures holistic coverage of your zero trust program while refraining from locking you into a specific reference.

    2.1 Review the Info-Tech framework

    Estimated time 30-60 minutes

    1. As a group, have the team review the framework within the Zero Trust Program Gap Analysis Tool.
    2. Customize the tool as required using the instructions in tab “2. Setup”:
    • Define costing criteria
    • Define benefits criteria
    • Configure full-time equivalent hours and start year
    • Input business goals as mapped to protect surfaces (see next slide)

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Protect surfaces mapped to business objectives

    Output

    • Customized framework

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    2.1.1 Input business goals as mapped to protect surfaces

    Refer to the Protect Surface Mapping Tool, copy the following elements from the Protect Surface tab.

    1. Enter Business Goals.
    2. Enter Protect Surfaces.
    3. Enter Data.
    4. Enter Application.
    5. Enter Assets.
    6. Enter Services.

    This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool.  The Column headings are labeled as follows: 1: Business Goal Name; 2: Protect Surface; 3: DATA; 4: APPLICATION; 5: ASSETS; 6: SERVICES

    Info-Tech Insight

    Deriving protect surface elements from business goals reframes how security controls are applied. Assess control effectiveness in this context and identify zero trust capabilities to close any gaps.

    2.2 Assess current capabilities and define zero trust target state

    Estimated time 6-12 hours

    1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to complete your current-state and target-state assessment.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Protect surfaces mapped to business objectives
    • Information on current state of controls, including sources such as audit findings, vulnerability and penetration test results, and risk registers

    Output

    • Current-state and target-state assessment for gap analysis

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management

    Understanding security target states

    Maturity models are very effective for determining target states. This table provides general descriptions for each maturity level. As a group, consider which description most accurately reflects the ideal target state in your organization.

    AD HOC 01

    Initial/ad hoc security programs are reactive. Lacking strategic vision, these programs are less effective and less responsive to the needs of the business.

    DEVELOPING 02

    Developing security programs can be effective at what they do but are not holistic. Governance is largely absent. These programs tend to rely on the talents of individuals rather than a cohesive plan.

    DEFINED 03

    A defined security program is holistic, documented, and proactive. At least some governance is in place; however, metrics are often rudimentary and operational in nature. These programs still often rely on best practices rather than strong risk management.

    MANAGED 04

    Managed security programs have robust governance and metrics processes. Management and board-level metrics for the overall program are produced. These are reviewed by business leaders and drive security decisions. More mature risk management practices take the place of best practices.

    OPTIMIZED 05

    An optimized security program is based on strong risk management practices, including the production of key risk indicators (KRIs). Individual security services are optimized using key performance indicators (KPIs) that continually measure service effectiveness and efficiency.

    2.2.1 Conduct current-state assessment

    1. Carefully review each of the controls in the Gap Analysis tab that are needed for the protect surfaces. For each control, indicate the current maturity level of the organization. The tool uses the maturity levels of the CMMI model to score maturity.
    • Only use “N/A” if you are confident that the control is not required in your protect surfaces. For example, if the protect surfaces do not require or use software-defined computing, select “N/A” for any controls related to software-defined computing.
  • Provide comments to describe your current state. This step is optional but recommended as it may be important to record this information for future reference.
  • Select the target maturity for the control.
  • This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, with the following column headings highlighted and numbered: 1: Current Maturity; 2: Current State Comments (optional); Target Maturity

    Make sure that the gap between target state and current state is achievable for the current zero trust roadmap. For instance, if you set your current maturity to 1 – Ad Hoc, then having a target maturity of 4 – Managed or 5 – Optimized is not recommended due to the big jump.

    2.2.2 Review the Gap Analysis Dashboard

    1. Use the Dashboard to map your progress on assessing current- and future-state maturities. As you fill out the Zero Trust Program Gap Analysis Tool, check with the Dashboard to see the difference between your current and target state.
    2. Use the color-coded legend to see the size of the gap between your current and target state.
    3. Zero trust processes that appear white have not yet been assessed or are rated as “N/A.”
    this image contains a screenshot of Info-tech's Zero-Trust framework discussed earlier in this blueprint, with the addition of a legend demonstrating how to use the gap analysis tool to identify the size of the gap between current and target states

    2.3 Identify tasks to close gaps

    Estimated time 5 hours

    1. Using the Zero Trust Program Gap Analysis Tool, review each of the controls in the Gap Analysis tab.
    2. Follow the instructions on the next slides to identify gap closure tasks for each control that requires improvement.
    3. For most organizations, multiple internal subject matter experts will need to be consulted to complete the assessment.

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Zero trust controls gap information

    Output

    • Gap closure task list

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management

    2.3 Identify tasks to close gaps (cont.)

    1. For each of the controls where there is a gap between the current and target state, a gap closure task should be identified:
    • Review the example tasks and copy one or more of them if appropriate. Otherwise, enter your own gap closure task.
  • Considerations for identifying gap closure tasks:
    • In small groups, have participants ask, “what would we have to do to achieve the target state?” Document these in the Gap Closure Tasks column.
    • The example gap closure tasks may be appropriate for your organization, but do not simply copy them without considering whether they are right for you.
    • Not all gaps require their own task. You can enter one task that may address multiple gaps.
    • Be aware that tasks that are along the lines of “investigate and make recommendations” may not fully close maturity gaps.
    this image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, with the following column heading highlighted and numbered: 1: Gap Closure Tasks

    Make sure that the Gap Closure Tasks are SMART (Specific, Measurable, Achievable, Realistic, Timebound).

    2.4 Define tasks and initiatives

    Estimated time 2-4 hours

    1. As a group, review the gap tasks identified in the Gap Analysis tab.
    2. Using the instructions on the following slides, finalize your tab “5. Task List.”
    3. Using the instructions on the following slides, review and consolidate your tab “6. Initiative List.”

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • Gap analysis

    Output

    • Refined list of tasks
    • List of zero trust initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    2.4.1 Finalize your task list

    1. Define the gap closure task list in tab “5. Task List”:
      1. Obtain a list of all your tasks from Gap Closure Tasks column in tab “3. Gap Analysis.”
      2. Paste the list into the table in tab “5. Task List,” Task column.
    • Use Paste Values to retain the table formatting.
  • Consolidate tasks into initiatives when:
      • They have costs associated with them.
      • They require initial effort to implement and ongoing effort to maintain.
      • They must be accomplished dependently of other tasks.
    1. For each new initiative, create the initiative name on Initiative Name column in the tab “6. Initiative List.”
  • For tasks which are not incorporated into initiatives, enter a task owner and due date for each task.
  • this image contains a screenshot from Info-Tech's Zero Trust Gap analysis Tool with the following column headings highlighted and numbered: 1: Task; 2: Initiative Name; 3: (Task Owner; Due Date)

    Example: Initiative consolidation

    In the example below, we see three gap closure tasks within the Authentication process for the Identity pillar being consolidated into a single initiative “IAM modernization.”

    We can also see three gap closure tasks within the Micro Segmentation process for the Network pillar being grouped into another initiative “Network segmentation.”

    This image contains an example of Initiative Consolidation

    Info-Tech Insight

    As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.

    2.4.2 Finalize your initiative list

    1. As you go through this exercise, you may find that some tasks that you previously defined could be consolidated into an initiative.
    2. Review your final list of initiatives in tab “6. Initiative List” and make any required updates.
      1. Optionally, add a description or paste in a list of the individual gap closure actions that are associated with the initiative. This will make it easier to perform the cost and benefit analysis.
    3. Obtain a list of all gap closure tasks associated with an initiative by filtering the Initiative Name column in the Task List tab.
    4. Indicate the most appropriate pillar alignment for each initiative using the drop-down list.
      1. Refer to tab “5. Task List” for the pillar associated with an initiative under the Initiative Name column.

    This image contains a screenshot from Info-Tech's Zero Trust Program Gap Analysis Tool, the following column headings are numbered and highlighted: 1: Initiative Name; 2: Description; 3: Pillar

    If the list of tasks is too long for the Description column, then you can also shorten the name of the tasks or group several tasks to a more general task.

    2.5 Align initiatives to business goals and protect surfaces

    Estimated time 30-60 minutes

    1. Using the instructions on the following slides, align initiatives to business goals in tab “6. Initiative List.”
    2. Using the instructions on the following slides, align initiatives to protect surfaces in tab “6. Initiative List.”

    Download the Zero Trust Program Gap Analysis Tool

    Input

    • List of zero trust initiatives
    • Protect surfaces mapped to business objectives

    Output

    • List of zero trust initiatives aligned to business goals and protect surfaces

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    2.5.1 Align initiatives to business goals

    1. Indicate the most appropriate business goal(s) alignment for each initiative using the drop-down list in “Selection for Business Goal(s)” column.
      1. Use the legend to determine the most appropriate business goal(s).
    2. After that copy the selected business goal(s) to Business Goal(s) Alignment column.
    3. Then reset the selection using the blank cell in Selection for Business Goal(s) column.
    This image contains a screenshot from the Zero Trust Program Gap Analysis Tool, with the following column headings numbered: 1: Selection for Business Goal(s); Business Goals Alignment; 3: Selection for Business Goals

    2.5.2 Align initiatives to protect surfaces

    1. Indicate the most appropriate protect surface(s) for each initiative using the drop-down list in Selection for Protect Surface(s) column.
      1. Use the legend to determine the most appropriate protect surface(s).
    2. After that copy the selected protect surface(s) to Protect Surface(s) Coverage column.
    3. Reset the selection using the blank cell in Selection for Protect Surface(s) column.
    This image contains a screenshot from the Zero Trust Program Gap Analysis Tool, with the following column headings numbered: 1: Description; 2: Protect Surfaces Covered; 3: Selection for Protect Surfaces

    Phase 3

    Evaluate Candidate Solutions and Finalize Roadmap

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Define solution criteria.
    • Identify candidate solutions.
    • Evaluate candidate solutions.
    • Perform cost/benefit analysis.
    • Prioritize initiatives and build roadmap.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, Finance, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    3.1 Define solution criteria

    Estimated time 30-60 minutes

    1. As a group, review the scoring system within the Zero Trust Candidate Solutions Selection Tool.
    2. Customize the tool as required using the instructions on the following slides.

    Info-Tech Insight

    Don’t let your solution dictate your roadmap. Define your zero trust solution criteria before engaging in vendor selection.

    Download the Zero Trust Candidate Solutions Selection Tool

    Input

    • Zero trust initiative list

    Output

    • Zero trust candidate solutions

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    3.1.1 Define compliance and solution evaluation criteria

    On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

    1. Verify that the Description for each criterion is accurate.
    2. Provide weights for the compliance score and the solution score, which are the overall evaluation:
    • Compliance score consists of tenets score, pillar score, threat protection score, and trust algorithm score.
    • Solution score consists of features score, usability score, affordability score, and architecture score.
    This image contains a screenshot from the Zero Trust Candidate Solutions Selection Tool, which demonstrates how to define compliance and solution evaluation criteria.

    3.1.2 Define remaining evaluation criteria

    On the Setup tab, provide a weight for each evaluation criterion to evaluate the candidate solutions. You can use “0%” weight if that criterion is not required in your solution selection.

    1. Verify that the Description for each criterion is accurate.
    2. Provide weights for the remaining evaluation criteria:
    • Tenets: Considers how well each initiative aligns with zero trust principles.
    • Pillars: Considers how well each initiative aligns with zero trust pillars.
    • Threats: Considers what zero trust threats are relevant with the candidate solution.
    • Trust Algorithm: Considers trust evaluation factors, trust evaluation process score, and input coverage.
    • Cost Estimation: Considers initial costs, which are one-time, upfront capital investments (e.g. hardware and software costs), and ongoing cost, which is any annually recurring operating expenses that are new budgetary costs (e.g. licensing, maintenance, subscription fees).
    • Deployment Architecture: Considers the solutions deployment architecture capabilities.

    This image contains a screenshot from the Zero Trust Candidate Solutions Selection Tool, and demonstrates where to define additional evaluation data

    Review available candidate solutions

    this image contains a list of available candidate Solutions.  This list includes: Zero Trust Identity; Zero-Trust Application & Workloads; Zero-Trust Networks; Zero-Trust Devices; and Zero-Trust Data

    The Rapid Application Selection Framework is a comprehensive yet fast-moving approach to help you select the right software for your organization

    Five key phases sequentially add rigor to your selection efforts while giving you a clear, swift-flowing methodology to follow.

    Awareness Education & Discovery Evaluation Selection Negotiation & Configuration
    1.1 Proactively Lead Technology Optimization & Prioritization 2.1 Understand Marketplace Capabilities & Trends 3.1 Gather & Prioritize Requirements & Establish Key Success Metrics 4.1 Create a Weighted Vendor Selection Decision Model 5.1 Initiate Price Negotiation With Top
    1.2 Scope & Define the Selection Process for Each Selection Request Action 2.2 Discover Alternative Solutions & Conduct Market Education 3.2 Conduct a Data-Driven Comparison of Vendor Features & Capabilities 4.2 Conduct Investigative Interviews Focused on Mission Critical Priorities With Top 2-4 Vendors 5.2 Negotiate Contract Terms & Product Configuration Two Vendors Selected
    1.3 Conduct an Accelerated Business Needs Assessment 2.3 Evaluate Enterprise Architecture & Application Portfolio 3.3 Narrow the Field to Four Top Contenders 4.3 Validate Key Issues With Deep Technical Assessments, Trial Configuration & Reference Checks 5.3 Finalize Budget Approval & Project Implementation Timeline
    1.4 Align Stakeholder Calendars to Reduce Elapsed Time & Asynchronous Evaluation 2.4 Validate the Business Case 5.4 Invest in Training & Onboarding Assistance

    Download the Rapid Application Selection Framework research

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    The Data Quadrant Report

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    Vendors ranked by their Composite Score

    The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Emotional Footprint

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Vendors ranked by their Customer Experience (CX) Score

    Sample whiteboard activity

    • Place sticky notes on the zero trust tenet that matches with the identified candidate solution to produce “solution requirements” that can be used to develop an RFP.
    • A sample sticky note is provided below for privileged access management.

    This image contains a screenshot of a sample whiteboard activity which can be done using sticky notes.

    • The PAM solution should support MFA
    • Live session monitoring, audit, and reporting
    • Should have password vaulting to prevent privileged users from knowing the passwords to critical systems and resources

    3.2 Identify candidate solutions

    Estimated time 2 hours

    1. As a group, have the team review the candidate solutions within the Zero Trust Program Gap Analysis Tool.
    2. On tab 3 in the Zero Trust Candidate Solutions Selection Tool:
    • Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.

    Input

    • Candidate solutions for zero trust tasks and initiatives

    Output

    • Suitability evaluation of candidate solutions

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    Info-Tech Insight

    Add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.

    Download the Zero Trust Candidate Solutions Selection Tool

    3.2.1 Review candidate solutions

    1. Review the candidate solutions within the Zero Trust Program Gap Analysis Tool. For example, the candidate solutions with multifactor authentication (MFA) options are authenticators with SMS, mobile application, smartcard, or token.
    2. Enter candidate solutions to the Compliance Data Entry tab on the Solution column within the Zero Trust Candidate Solutions Selection Tool.
    3. Optionally, add a description associated with the candidate solution, e.g. reference link to vendors or manufacturers. This will make it easier to perform the evaluation.
    this image contains a screenshot of a sample candidate solution, which can be done using Info-Tech's Zero Trust Program Gap Analysis Tool

    3.3 Evaluate candidate solutions

    Estimated time 3 hours

    On the Scoring tab, evaluate solution features, usability, affordability, and architecture using the instructions on the following slides. This activity will produce a solution score that can be used to identify the suitability of a solution.

    Input

    • Candidate solutions

    Output

    • Candidate solutions scored

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT

    Download the Zero Trust Candidate Solutions Selection Tool

    3.3.3 Evaluate solution scores

    After all candidate solutions are evaluated, the Solution Score column can be sorted to rank the candidate solutions. After sorting, the top solutions can be used on prioritization of initiatives on Zero Trust Program Gap Analysis Tool.

    1. On Features
      1. Enter Coverage.
      2. Enter Quality.
    2. Enter Usability.
    3. On Affordability
      1. Enter Initial Cost.
      2. Enter Ongoing Cost (annual).
    4. Enter Architecture.
    this image contains a screenshot of how you can sort the solution score column in Info-Tech's Zero Trust Program Gap Analysis Tool

    3.4 Perform cost/benefit analysis

    Estimated time 1-2 hours

    1. Assign costing and benefits information for each initiative, following the instructions on the next slide.
    2. Define dependencies or business impacts if they will help with prioritization.

    Input

    • Ranked candidate solutions
    • Gap analysis
    • Initiative list

    Output

    • Completed cost/benefit analysis for initiative list

    Materials

    • Zero Trust Program Gap Analysis Tool
    • Zero Trust Candidate Solutions Selection Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, Facilities, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.4.1 Complete the cost/benefit analysis

    Use Zero Trust Program Gap Analysis Tool.

    1. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
    • Use the result from candidate selection to define the estimated costs.
    • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
  • Enter the estimated benefits, also using the criteria defined earlier.
  • This image contains a screenshot of a cost/benefit analysis table which can be found in the Zero Trust Program Gap Analysis Tool

    The Cost / Effort Rating is calculated based on the weight defined on step 2.1.1. The Benefit Rating is calculated based on the weight defined on step 2.1.2.

    3.4.2 Optionally enter detailed cost estimates

    Use Zero Trust Program Gap Analysis Tool.

    1. For each initiative, the tool will automatically populate the Detailed Cost Estimates and Detailed Staffing Estimates columns using the averages that you provided in step 2.1.1. However, if you have more detailed data about the costs and effort requirements for an initiative, you can override the calculated data by manually entering it into these columns. For example:
    • You are planning to subscribe to a security awareness vendor, and you have a quote from them specifying that the initial cost will be $75,000.
    • You have defined your “Medium” cost range as being “$10-100K,” so you select medium as your initial cost for this initiative in step 3.4.1. As you defined the average for medium costs as being $50,000, this is what the tool will put into the detailed cost estimate.
    • You can override this average by entering $75,000 as the initial cost in the detailed cost estimate column.

    This image contains a screenshot of a sample cost/benefit table found in the Zero Trust Program Gap Analysis Tool.

    The Benefits-Cost column will give results after comparing the cost and the benefit. Negative value means that the cost outweighs the benefit. Positive value means that the benefit outweighs the cost. Zero value means that the cost equals the benefit.

    3.5 Prioritize initiatives

    Estimated time 2-3 hours

    1. As a group, review the results of the cost/benefit analysis. Optionally, complete the Other Considerations columns in the Prioritization tab:
    • Dependencies can refer to other initiatives on the list or any other dependency that relates to activities or projects within the organization.
    • Business impacts can be helpful to document as they may require additional planning and communication that could impact initiative timelines.
  • Follow step 3.5.1 to create a visual effort map for your organization.
  • Follow step 3.5.2 and 3.5.3 to refine the effort map’s visual output.
  • Input

    • Gap analysis
    • Initiative list
    • Cost/benefit analysis

    Output

    • Prioritized list of initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.5.1 Create a visual effort map for your organization

    1 hour

    An effort map is a tool used for the visualization of a cost and benefit analysis. It is a quadrant output that visually shows how your gap initiatives were prioritized based on tab 7 in the Zero Trust Program Gap Analysis Tool.

    1. Establish the axes and colors for your effort map:
      1. X-axis represents the Benefit value from column J
      2. Y-axis represents the Cost/Effort value from column H
      3. Sticky note color is determined using the Alignment to Business value from column I
    2. Create sticky notes for each initiative and place them on the effort map or whiteboard based on the axes you have created with the help of your team.
    3. As you place initiatives on the visual effort map, discuss and modify rankings based on team member input.

    this image contains a sample visual effort map which can be found in the Zero Trust Program Gap Analysis Tool.

    Input

    • Outputs from activities 3.4.1 and 3.4.2

    Output

    • High-level prioritization for each of the gap-closing initiatives
    • Visual representation of quantitative values

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    3.5.2 Refine the effort map’s visual output

    1 hour

    Once the effort map is complete, work to further simplify the visual output by categorizing initiatives based on the quadrant in which they have been placed.

    1. Before moving forward with the initiative wave prioritization (activity 3.7), identify any initiatives listed across all quadrants that are required as a part of compliance and mark with a sticky dot.
    2. Document these initiatives as Execution Wave 1.

    this image contains a screenshot of a refined visual effort map, which can be done by following the instructions in this section.

    Input

    • Outputs from activity 3.5.1

    Output

    • Prioritization for each of the gap-closing initiatives
    • First execution wave of gap-closing initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Sticky dots
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    3.5.3 Refine the effort map’s visual output

    30 minutes

    1. Use a separate area of the whiteboard to draw out four to five Execution Wave columns.
    2. Group initiatives into each Execution Wave column based on their placement within the quadrant from activities 3.5.1 and 3.5.2.
      1. Ensure that all identified mandatory activities as per governing privacy law fall within the first wave.
      2. Leverage the following 0-4 Execution Wave scale:
        1. Underway –Initiatives that are already underway
        2. Must Do – Initiatives that must happen right away
        3. Should Do – Initiatives that should happen but need more time/support
        4. Could Do – Initiatives that are not a priority
        5. Won’t Do – Initiatives that likely won’t be carried out
    3. Indicate the granular level for each execution wave using the a-z scale.
    • Use the lettering to track dependencies between initiatives.
      • If one must take place before another, ensure that its letter comes first alphabetically.
      • If multiple initiatives must take place at the same time, use the same letter to show they will take place in tandem.

    This image depicts the sample output for a refined visual effort map

    Input

    • Outputs from activity 3.5.2

    Output

    • Prioritization for each of the gap-closing initiatives
    • First execution wave of gap-closing initiatives

    Materials

    • Zero Trust Program Gap Analysis Tool (tab 7)
    • Sticky notes
    • Sticky dots
    • Markers
    • Whiteboard

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Wave assignment example

    In the example below, we see “IAM modernization” was assessed as 9 on cost/effort rating and 5 on benefit rating and its Benefits-Cost has a positive value of 1. We can label this as SHOULD DO (wave 2).

    We can also see “Network segmentation” was assessed as 6 on cost/effort rating and 4 on benefit rating and its Benefits-Cost has a positive value of 2. We can label this as MUST DO (wave 1).

    We can also see “Unified Endpoints Management” was assessed as 8 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a negative value of -4. We can label this as WON’T DO (no wave).

    We can also see “Data Protection” was assessed as 4 on cost/effort rating and 2 on benefit rating and its Benefits-Cost has a zero value. We can label this as COULD DO (wave 3).

    This image depicts a sample wave assignment output, discussed in this section.

    It is recommended to define the threshold of each wave based on the value of Benefits-Cost before assigning waves.

    3.6 Build roadmap

    Estimated time 2-3 hours

    1. As a group, follow step 3.6.1 to create your roadmap by scheduling initiatives into the Gantt chart within the Zero Trust Program Gap Analysis Tool.
    2. Review the roadmap for resourcing conflicts and adjust as required.
    3. Review the final cost and effort estimates for the roadmap.

    Input

    • Gap analysis
    • Cost/benefit analysis
    • Prioritized initiative list

    Output

    • Zero trust roadmap

    Materials

    • Zero Trust Program Gap Analysis Tool

    Participants

    • Security Team
    • IT Leadership
    • Project Management Office

    Download the Zero Trust Program Gap Analysis Tool

    3.6.1 Schedule initiatives using the Gantt chart

    1. On the Gantt Chart tab for each initiative, enter an owner (the role who will be primarily responsible for execution).
    2. Additionally, enter a start month and year for the initiative and the expected duration in months.
    • You can filter the Wave column to only see specific waves at any one time to assist with the scheduling.
    • You do not need to schedule Wave 4 initiatives as the expectation is that these initiatives will not be done.
    • This Image contains a screenshot of the Gantt Chart, with the following column headings highlighted and numbered: 1: Owner; 2: Expected Duration

    3.6.2 Review your roadmap

    1. When you have completed the Gantt chart, as a group review the overall roadmap to ensure that it is reasonable for your organization. Consider the following:
    • Do you have other IT or business projects planned during this time frame that may impact your resourcing or scheduling?
    • Does your organization have regular change freezes throughout the year that will impact the schedule?
    • Do you have over-subscribed resources? You can filter the list on the Owner column to identify potential over-subscription of resources.
    • Have you considered any long vacations, sabbaticals, parental leaves, or other planned longer-term absences?
    • Are your initiatives adequately aligned to your budget cycle? For instance, if you have an initiative that is expected to make recommendations for capital expenditure, it must be completed prior to budget planning.

    This image depicts an example roadmap which can be created following the use of the Gantt Chart

    3.6.3 Review your cost/effort estimates table

    1. Once you have completed your roadmap, review the total cost/effort estimates. This can be found in a table on the Results tab. This table will provide initial and ongoing costs and staffing requirements for each wave. This also includes the total three-year investment. In your review consider:
    • Is this investment realistic? Will completion of your roadmap require adding more staff or funding than you otherwise expected?
    • If the investment seems unrealistic, you may need to revisit some of your assumptions, potentially reducing target levels or increasing the amount of time to complete the strategy.

    This table provides you with the information to have important conversations with management and stakeholders.

    This image contains an example of the Zero Trust Roadmap Cost/Effort Estimates.  The column headings are as follows: Wave; Number of Initiatives; Initial Implementation - Cost; Initial Implementation - Effort; Ongoing Maintenance - Cost; Ongoing Maintenance - Effort.  A separate table is shown with the column heading: Estimated Total Three Year Investment

    Phase 4

    Formulate Policies for Roadmap Initiatives

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Formulate zero trust policies for critical DAAS elements.
    • Formulate zero trust policies to secure a path to access critical DAAS elements.

    This phase involves the following participants:

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    Understand the zero trust policy

    Use the Kipling methodology as a vendor agnostic approach to identify appropriate allow list elements when deploying multiple zero trust solutions.
    The policies help to prevent lateral movement.

    Who Who should access a resource? Here, the user ID that identifies the users through the principle of least privilege is allowed access to a particular resource. The authentication policy will be used to verify identity of a user when access request to a resource is made. Who requires MFA?
    What What application is used to access the resource? Application ID to identify applications that are only allowed on the network. Port control policies can be used for the application service.
    When When do users access the resource? Policy that identifies and enforces time schedule when an application accessed by users is used.
    Where Where is the resource located? The location of the destination resource should be added to the policy and, where possible, restrict the source of the traffic either by zone and/or IP address.
    Why Why is the data accessed? Data classification should be done to know why the data needs protection and the type of protection (data filtering).
    How How should you allow access to the resource? This covers the protection of the application traffic. Principle of least privilege access, log all traffic, configure security profiles, NGFW, decryption and encryption, consistent application of policy and threat prevention across all locations for all local and remote users on managed and unmanaged endpoints are ways to apply content-ID.

    Info-Tech Insight

    The success of a zero trust implementation relies on enforcing policies consistently. Applying the Kipling methodology to the protect surface is the best way to design zero trust policies.

    4.1.1 Formulate policy

    Estimated time 1-2 hours

    1. As a group, review the protect surface(s) identified in phase one, and using the Kipling methodology from the previous slide, formulate a policy. Each policy can be reviewed repeatedly until we are sure it satisfies the goal.
    2. The policy created should be consistent for both cloud and on-prem environments.
    3. As an example, let's use the healthcare scenario found in tab 3 of the Zero Trust Protect Surface Mapping Tool. The protect surface used is "Automated Medication Dispensing." Another example will be "Salesforce" accessed via the cloud.
    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID
    On-Prem Pyxis_Users Pyxis Any Pyxis_server Severe (high value data) Decrypt, Inspect, log traffic
    Cloud Sales Salesforce Working hours Canada Severe (high value data) Decrypt, Inspect, log traffic

    Input

    • Kipling methodology
    • Protect surface

    Output

    • Zero trust policy

    Materials

    • Whiteboard/Flip Charts
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    4.1.2 Apply policy

    1-2 hours

    1. Place each protect surface in its own microperimeter. Each microperimeter should be segmented by a next-generation firewall or authentication broker that will serve as a segmentation gateway.
    2. Name the microperimeter and place it on a firewall.

    Input

    • Kipling methodology
    • Protect surface

    Output

    • Zero trust policy

    Materials

    • Whiteboard/Flip Charts
    • Sticky Notes
    • Zero Trust Protect Surface Mapping Tool

    Participants

    • CIO
    • CISO
    • Business Executives
    • IT Manager
    • Security Team

    Microperimeter A
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    Microperimeter B
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    Microperimeter C
    Protect Surface:
    DAAS Elements:

    Who What When Where Why How
    Method User-ID App-ID Time limit System Object Classification Content-ID

    4.2 Secure a path to access critical DAAS elements

    How should you allow access to the resource?

    This component makes up the final piece of formulating the policies as it applies the protection of the application traffic.

    The principle of least privilege is applied to the security policy to only allow access requests and restrict the access to the purpose it serves. This access request is then logged as well as the traffic (both internal and external). Most firewalls (NGFW) have policy rules that, by default, enable logging.

    Segmentation gateways (NGFW, VM-series firewalls, agent-based and clientless VPN solutions), are used to apply zero trust policy (Kipling methodology) in the network, cloud, and endpoint (managed and unmanaged) for all local and remote users.

    These policies need to be applied to security profiles on all allowed traffic. Some of these profiles include but are not limited to the following: URL filtering profile for web access and protect against phishing attacks, vulnerability protection profile intrusion prevention systems, anti spyware profiles to protect against command-and-control threats, malware and antivirus profile to protect against malware, and a file blocking profile to block and/or alert suspicious file types.

    Good visibility on your network can also be tied to decryption as you can inspect traffic and data to the lowest level possible that is generally accepted by your organization and in compliance with regulation.

    Conceptualized flow

    With users working from anywhere on managed and unmanaged devices, access to the internet, SAAS, public cloud, and the data center will have consistent policies applied regardless of their location.

    The policy is validating that the user is who they say they are based on the role profile, what they are trying to access to make sure their role or attribute profile has the appropriate permission to the application, and within the stipulated time limit. Where the data or application is located is also verified and the why needs to be satisfied before the requested access is granted. Based on the mentioned policies, the how element is then applied throughout the lifecycle of the access.

    Who

    (Internet)

    What

    (SAAS)

    When

    Where

    (Public Cloud)

    Why

    How

    (Data Center)

    Method User-ID App-ID Time limit System Object Classification Content-ID
    On-Prem Pyxis_Users Pyxis Any Pyxis_server Severe (high value data) Decrypt, Inspect, log traffic
    Cloud Sales Salesforce Working hours Canada Severe (high value data) Decrypt, Inspect, log traffic

    Phase 5

    Monitor Zero Trust Roadmap Deployment

    Build a Zero Trust Roadmap

    This phase will walk you through the following activities:

    • Establish metrics for roadmap tasks.
    • Track metrics for roadmap tasks.

    This phase involves the following participants:

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    5.1 Establish metrics for roadmap tasks

    Estimated time 2 hours

    1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, identify metrics to measure implementation and efficacy of tasks
    2. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, document metric metadata.
    3. On the Prioritization tab, use the drop-down lists to enter the estimated costs and efforts for each initiative, using the criteria defined earlier.
    • If you have actual costs available, you can optionally enter them under the Detailed Cost Estimates columns.
  • Enter the estimated benefits, also using the criteria defined earlier.
  • Input

    • Zero trust roadmap task list

    Output

    • Metrics for measuring zero trust task implementation and efficacy

    Materials

    • Zero Trust Progress Monitoring Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Progress Monitoring Tool

    5.1.1 Identify metrics to measure implementation and efficacy of tasks

    Estimated time 3-4 hours

    1. On tab “2. Task & Metric Register” of the Zero Trust Progress Monitoring Tool, for each section defined in columns C and D, enter zero trust implementation tasks into column E. If you completed the Zero Trust Program Gap Analysis Tool, use the tasks identified there to populate column E.
    2. For each task, identify in column F any metrics that will communicate implementation progress and/or implementation efficacy.
    • If multiple metrics are needed for a single task, we recommend expanding the size of the row and adding additional metrics onto a new line in the same row. A sample is provided in the tool.

    this image contains a screenshot of tab 2 in the Zero Trust Progress Monitoring Tool

    Info-Tech Insight

    To measure the efficacy of a zero trust implementation, ensure you know what a successful zero trust implementation means for your organization, and define metrics that demonstrate whether that success is being realized.

    5.1.2 Document metric metadata

    Estimated time 1-2 hours

    For each metric defined in step 4.1.1:

    1. Identify in column G whether the metric can be measured now (Phase 1), measured in a few months’ time (Phase 2), or measured in a few years’ time (Phase 3).
    2. Identify in columns H through M who is responsible for collecting the metric (Person Source), who/what is consulted to collect the metric (Technology Source), who compiles the collected metric into dashboards and presentations (Compiler), and who is informed of the measurement of the metric (Audience).
    • Add more columns under the Audience category if needed.
    • Use “X” to identify if an audience group will be informed of the measurement of the metric.
  • Identify in columns N through P the target for the metric (Metric Target), the effort it takes to collect the metric (Effort to Collect), the frequency with which the organizations plans to collect the metric (Frequency of Collection), and any comments that people should know when collecting, compiling, or presenting metrics.
  • This image contains a screenshot from the Zero Trust Progress Monitoring Tool, with the following column headings numbered: 1: Priority; 2: Roles and Responsibilities; 3: effort to collect; frequency of collection; Metric Target; Comments

    5.2 Track and report metrics

    Estimated time 2 hours

    1. In the Zero Trust Progress Monitoring Tool, copy and paste metrics you plan to track in the tool from column F on tab 2 to column B on tab 3.
    2. Use tab 3 to identify collection frequency, metric target, and measurements collected for each metric. Add notes or comments to each metric or measurement to track contextual elements that could affect metric measurements.
    3. Leverage the graphs on tab 4 to communicate metrics to the appropriated audience groups, as defined in tab 2.

    Input

    • Metrics for measuring zero trust task implementation and efficacy

    Output

    • Metric data and graphs for presenting zero trust implementation metrics to audience groups

    Materials

    • Zero Trust Progress Monitoring Tool

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Progress Monitoring Tool

    5.2.1 Record baseline measurements for metrics

    Estimated time 1-2 hours

    On tab “3. Track Metrics” of the Zero Trust Progress Monitoring Tool:

    1. Copy and paste the metrics from Column F on tab “2. Task & Metric Register” that you want to track into Column B of this tab.
    2. For each metric, record the frequency of collection (Collection Frequency) and the metric target (Target) by referencing columns O and P on tab “2. Task & Metric Register.”
    3. Begin to record baseline/initial values for each metric in column E. Rename columns to match your highest frequency of collection.
      (e.g. if any metric is being measured monthly, there should be one column per month)
    4. Over time, conduct measurements of your metrics and store them in the table below.
    5. Add notes, as necessary.

    this image contains a screenshot of tab 3 of the Zero Trust Progress Monitoring Tool, with the following column headings numbered: 1: Your Metrics; 2: Collection Frequency; Target; 3: Jan; 4: Metric Measurements; 5: Notes

    5.2.2 Report metric health to audience groups

    Estimated time 1-2 hours

    On tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

    1. The Overall Metric Health gauge at the top of this tab presents the average percentage away from meeting metric targets for all metrics being tracked. To calculate this value, the differences between the most recent measurements and target values for each metric are averaged.
    2. Below the Overall Metric Health gauge, use the drop-down list in cell D9 to select one of the metrics from tab “3. Track Metrics.”
    3. Six different graphic representations of the tracked data for the selected metric will populate.

    Copy and paste desired graphs into presentations for audience members identified in step 5.1.2.

    This image contains a screenshot from tab “4. Graphs” of the Zero Trust Progress Monitoring Tool:

    5.3 Build a communication deck

    Estimated time 2 hours

    Leverage the Zero Trust Communication Deck to showcase the work that you have done in the tools and activities associated with this research.

    In this communication deck template, you will find the following sections:

    • Introduction
    • Protect Surfaces
    • Zero Trust Gap Analysis
    • Zero Trust Initiatives & Tasks

    Input

    • Protect surfaces mapped to business goals
    • Zero trust program gap analysis
    • Zero trust roadmap initiatives and tasks
    • Zero trust metrics

    Output

    • Communication deck for zero trust strategy

    Materials

    • Zero Trust Communication Deck

    Participants

    • Security Team
    • Subject Matter Experts From IT, HR, Legal, Facilities, Compliance, Audit, Risk Management
    • Project Management Office

    Download the Zero Trust Communication Deck

    Summary of Accomplishment

    Knowledge Gained

    • Knowledge of protect surfaces and the business goals protecting them supports
    • Comprehensive knowledge of zero trust current state and summary initiatives required to achieve zero trust objectives
    • Assessment of which solutions for zero trust tasks and initiatives are the most appropriate for the organization
    • A defined set of security metrics assessing zero trust implementation progress and efficacy

    Deliverables Completed

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    Contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.

    This is a picture of an Info-Tech Account Representative
    workshops@infotech.com 1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Zero Trust Program Gap Analysis Tool

    This is a screenshot from the Zero Trust Program Gap Analysis Tool

    Assess current security capabilities and build a roadmap of tasks and initiatives that close maturity gaps.

    Zero Trust Progress Monitoring Tool

    This is a screenshot from the Zero Trust Progress Monitoring Tool

    Identify and track metrics for zero trust tasks and initiatives.

    Research Contributors

    • Aaron Benson, CME Group, Director of IAM Governance
    • Brad Mateski, Zones, Solutions Architect for CyberSecurity
    • Bob Smock, Info-Tech Research Group, Vice President of Consulting
    • Dr. Chase Cunningham, Ericom Software, Chief Strategy Officer
    • John Kindervag, ON2IT Cybersecurity, Senior Vice President, Cybersecurity Strategy and ON2IT Group Fellow
    • John Zhao, Fonterra, Enterprise Security Architect
    • Rongxing Lu, University of New Brunswick, Associate Professor
    • Sumanta Sarkar, University of Warwick, Assistant Professor
    • Tim Malone, J.B. Hunt Transport, Senior Director Information Security
    • Vana Matte, J.B. Hunt Transport, Senior Vice President of Technology Services

    Related Info-Tech Research

    This is a screenshot from Info-Tech's Build an Information Security Strategy

    Build an Information Security Strategy

    Info-Tech has developed a highly effective approach to building an information security strategy – an approach that has been successfully tested and refined for over seven years with hundreds of organizations. This unique approach includes tools for ensuring alignment with business objectives, assessing organizational risk and stakeholder expectations, enabling a comprehensive current-state assessment, prioritizing initiatives, and building out a security roadmap.

    This is a screenshot from Info-Tech's Determine Your Zero Trust Readiness.

    Determine Your Zero Trust Readiness

    IT security was typified by perimeter security. However, the way the world does business has mandated a change to IT security. In response, zero trust is a set of principles that can add flexibility to planning your IT security strategy.

    Use this blueprint to determine your zero trust readiness and understand how zero trust can benefit both security and the business.

    This is a screenshot from Info-Tech's Mature Your Identity and Access Management Program

    Mature Your Identity and Access Management Program

    Many organizations are looking to improve their identity and access management (IAM) practices but struggle with where to start and whether all areas of IAM have been considered. This blueprint will help you improve the organization's identity and access management practices by following our three-phase methodology:

    • Assess identity and access requirements
    • Identify initiatives using the identity lifecycle
    • Prioritize initiatives and build a roadmap

    Bibliography

    • “2021 Data Breach Investigations Report.” Verizon, 2021. Web.
    • “A Zero-Trust Strategy Has 3 Needs - Identify, Authenticate, and Monitor Users and Devices On and Off The Network.” Fortinet, 15 July 2021. Web.
    • “Applying Zero Trust Principles to Enterprise Mobility.” CISA, March 2022. Web.
    • Biden Jr., Joseph R. “Executive Order on Improving the Nation’s Cybersecurity.” The White House, 12 May 2021. Web.
    • “CISA Zero Trust Maturity Model.” CISA - Cybersecurity Division, June 2021. Web.
    • “Continuous Diagnostics and Mitigation Program Overview.” CISA, Jan. 2022. Web.
    • Contributor. “The Five Business Benefits of a Zero Trust Approach to Security.” Security Brief - Australia, 19 Aug. 2020. Web.
    • “Cost of a Data Breach Report 2021.” IBM, July 2021. Web.
    • English, Melanie. “5 Stats That Show The Cost Saving Effect of Zero Trust.” Teramind, 29 Sept. 2021. Web.
    • “Improve Application Access and Security With Fortinet Zero Trust Network Access.” Fortinet, 2 March 2021. Web.
    • “Incorporating Zero-trust Strategies for Secure Network and Application Access.” Fortinet, 21 July 2021. Web.
    • Jakkal, Vasu. “Zero Trust Adoption Report: How Does Your Organization Compare?” Microsoft, 28 July 2021. Web.
    • “Jericho Forum™ Commandments.” The Open Group, Jericho Forum, May 2007. Web.
    • Johnson, Derrick. “Zero Trust vs. SASE - Here's What You Need to Know.” Security Magazine, 23 July 2021. Web.
    • Joint Defense Information Systems Agency (DISA) and National Security Agency (NSA) Zero Trust Engineering Team. “Department of Defense (DOD) Zero Trust Reference Architecture.” DoD CIO, Feb. 2021. Web.
    • Kay, Dennis. “Planning for a Zero Trust Architecture Target State.” NASA, NIST, 13 Nov. 2019. Web.
    • National Security Agency. “Embracing a Zero Trust Security Model.” U.S. Department of Defense, Feb. 2021. Web.
    • NSTAC. “Draft Report to the President - Zero Trust and Trusted Identity Management.” CISA, NSTAC, n.d. Web.
    • Rose, Scott W., et al. “Zero Trust Architecture.” NIST, 10 Aug. 2020. Web.
    • “Securing Digital Innovation Demands Zero-Trust Access.” Fortinet, 15 July 2021. Web.
    • Shackleford, Dave. “How to Create a Comprehensive Zero Trust Strategy.” SANS, Cisco, 2 Sept. 2020. Web.
    • “The CISO’s Guide to Effective Zero-Trust Access.” Fortinet, 28 April 2021. Web.
    • “The State of Zero Trust Security 2021.” Okta, June 2021. Web.
    • Kerman, Alper, et al. “Implementing a Zero Trust Architecture.” NIST - National Cybersecurity Center of Excellence, March 2020. Web.
    • Kindervag, John. “Keynote - John KINDERVAG - 021622.” Vimeo, VIRTUAL Eastern | CyberSecurity Conference, 16 Feb. 2022. Web.
    • Lodewijkx, Koos. “IBM CISO Perspective: Zero Trust Changes Security From Something You Do to Something You Have.” SecurityIntelligence, IBM, 19 Nov. 2020. Web.
    • VB Staff. “Report: Only 21% of Enterprises Use Zero Trust Architecture.” VentureBeat, 15 Feb. 2022. Web.
    • Young, Shalanda D. “Moving the U.S. Government Toward Zero Trust Cybersecurity Principles.” The White House, EXECUTIVE OFFICE OF THE PRESIDENT - OFFICE OF MANAGEMENT AND BUDGET, 26 Jan. 2022. Web.
    • “Zero Trust Access.” Fortinet, n.d. Web.
    • “Zero Trust Architecture Technical Exchange Meeting.” NIST - National Cybersecurity Center of Excellence, 12 Nov. 2019. Web.
    • “Zero Trust Cybersecurity Current Trends.” ACT-IAC, 18 April 2019. Web.
    • “Zero-Trust Access for Comprehensive Visibility and Control.” Fortinet, 24 Sep. 2020. Web.

    Streamline Application Maintenance

    • Buy Link or Shortcode: {j2store}402|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: 20 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: Maintenance
    • Parent Category Link: /maintenance
    • Application maintenance teams are accountable for the various requests and incidents coming from a variety business and technical sources. The sheer volume and variety of requests create unmanageable backlogs.
    • The increasing complexity and reliance on technology within the business has set unrealistic expectations on maintenance teams. Stakeholders expect teams to accommodate maintenance without impact on project schedules.

    Our Advice

    Critical Insight

    • Improving maintenance’s focus and attention may mean doing less but more valuable work. Teams need to be realistic about what can be committed and be prepared to justify why certain requests have to be pushed down the backlog (e.g. lack of business value, high risks).
    • Maintenance must be treated like any other development activity. The same intake and prioritization practices and quality standards must be upheld, and best practices followed.

    Impact and Result

    • Justify the necessity of streamlined maintenance. Gain a grounded understanding of stakeholder objectives and concerns, and validate their achievability against the current state of the people, process, and technologies involved in application maintenance.
    • Strengthen triaging and prioritization practices. Obtain a holistic picture of the business and technical impacts, risks, and urgencies of each accepted maintenance requests in order to justify its prioritization and relevance within your backlog. Identify opportunities to bundle requests together or integrate them within project commitments to ensure completion.
    • Establish and govern a repeatable process. Develop a maintenance process with well-defined stage gates, quality controls, and roles and responsibilities, and instill development best practices to improve the success of delivery.

    Streamline Application Maintenance Research & Tools

    Start here – read the Executive Brief

    Read our Executive Brief to understand the common struggles found in application maintenance, their root causes, and the Info-Tech methodology to overcoming these hurdles.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand your maintenance priorities

    Understand the stakeholder priorities driving changes in your application maintenance practice.

    • Streamline Application Maintenance – Phase 1: Assess the Current Maintenance Landscape
    • Application Maintenance Operating Model Template
    • Application Maintenance Resource Capacity Assessment
    • Application Maintenance Maturity Assessment

    2. Instill maintenance governance

    Identify the appropriate level of governance and enforcement to ensure accountability and quality standards are upheld across maintenance practices.

    • Streamline Application Maintenance – Phase 2: Develop a Maintenance Release Schedule

    3. Enhance triaging and prioritization practices

    Build a maintenance triage and prioritization scheme that accommodates business and IT risks and urgencies.

    • Streamline Application Maintenance – Phase 3: Optimize Maintenance Capabilities

    4. Streamline maintenance delivery

    Define and enforce quality standards in maintenance activities and build a high degree of transparency to readily address delivery challenges.

    • Streamline Application Maintenance – Phase 4: Streamline Maintenance Delivery
    • Application Maintenance Business Case Presentation Document
    [infographic]

    Workshop: Streamline Application Maintenance

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Your Maintenance Priorities

    The Purpose

    Understand the business and IT stakeholder priorities driving the success of your application maintenance practice.

    Understand any current issues that are affecting your maintenance practice.

    Key Benefits Achieved

    Awareness of business and IT priorities.

    An understanding of the maturity of your maintenance practices and identification of issues to alleviate.

    Activities

    1.1 Define priorities for enhanced maintenance practices.

    1.2 Conduct a current state assessment of your application maintenance practices.

    Outputs

    List of business and technical priorities

    List of the root-cause issues, constraints, and opportunities of current maintenance practice

    2 Instill Maintenance Governance

    The Purpose

    Define the processes, roles, and points of communication across all maintenance activities.

    Key Benefits Achieved

    An in-depth understanding of all maintenance activities and what they require to function effectively.

    Activities

    2.1 Modify your maintenance process.

    2.2 Define your maintenance roles and responsibilities.

    Outputs

    Application maintenance process flow

    List of metrics to gauge success

    Maintenance roles and responsibilities

    Maintenance communication flow

    3 Enhance Triaging and Prioritization Practices

    The Purpose

    Understand in greater detail the process and people involved in receiving and triaging a request.

    Define your criteria for value, impact, and urgency, and understand how these fit into a prioritization scheme.

    Understand backlog management and release planning tactics to accommodate maintenance.

    Key Benefits Achieved

    An understanding of the stakeholders needed to assess and approve requests.

    The criteria used to build a tailored prioritization scheme.

    Tactics for efficient use of resources and ideal timing of the delivery of changes.

    A process that ensures maintenance teams are always working on tasks that are valuable to the business.

    Activities

    3.1 Review your maintenance intake process.

    3.2 Define a request prioritization scheme.

    3.3 Create a set of practices to manage your backlog and release plans.

    Outputs

    Understanding of the maintenance request intake process

    Approach to assess the impact, urgency, and severity of requests for prioritization

    List of backlog management grooming and release planning practices

    4 Streamline Maintenance Delivery

    The Purpose

    Understand how to apply development best practices and quality standards to application maintenance.

    Learn the methods for monitoring and visualizing maintenance work.

    Key Benefits Achieved

    An understanding of quality standards and the scenarios for where they apply.

    The tactics to monitor and visualize maintenance work.

    Streamlined maintenance delivery process with best practices.

    Activities

    4.1 Define approach to monitor maintenance work.

    4.2 Define application quality attributes.

    4.3 Discuss best practices to enhance maintenance development and deployment.

    Outputs

    Taskboard structure and rules

    Definition of application quality attributes with user scenarios

    List of best practices to streamline maintenance development and deployment

    5 Finalize Your Maintenance Practice

    The Purpose

    Create a target state built from appropriate metrics and attainable goals.

    Consider the required items and steps for the implementation of your optimization initiatives.

    Key Benefits Achieved

    A realistic target state for your optimized application maintenance practice.

    A well-defined and structured roadmap for the implementation of your optimization initiatives.

    Activities

    5.1 Refine your target state maintenance practices.

    5.2 Develop a roadmap to achieve your target state.

    Outputs

    Finalized application maintenance process document

    Roadmap of initiatives to achieve your target state

    Design and Build a User-Facing Service Catalog

    • Buy Link or Shortcode: {j2store}395|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $62,821 Average $ Saved
    • member rating average days saved: 29 Average Days Saved
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Business users don’t know what breadth of services are available to them.
    • It is difficult for business users to obtain useful information regarding services because they are often described in technical language.
    • Business users have unrealistic expectations of what IT can do for them.
    • There is no defined agreement on what is available, so the business assumes everything is.

    Our Advice

    Critical Insight

    • Define services from the business user’s perspective, not IT’s perspective.
      • A service catalog is of no use if a user looks at it and sees a significant amount of information that doesn’t apply to them.
    • Separate the enterprise services from the Line of Business (LOB) services.
      • This will simplify the process of documenting your service definitions and make it easier for users to navigate, which leads to a higher chance of user acceptance.

    Impact and Result

    • Our program helps you organize your services in a way that is relevant to the users, and practical and manageable for IT.
    • Our approach to defining and categorizing services ensures your service catalog remains a living document. You may add or revise your service records with ease.
    • Our program creates a bridge between IT and the business. Begin transforming IT’s perception within the organization by communicating the benefits of the service catalog.

    Design and Build a User-Facing Service Catalog Research & Tools

    Start here – read the Executive Brief

    Read our concise executive brief to understand why building a Service Catalog is a good idea for your business, and how following our approach will help you accomplish this difficult task.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    The Launch the Project phase will walk through completing Info-Tech's project charter template. This phase will help build a balanced project team, create a change message and communication plan, and achieve buy-in from key stakeholders.

    • Design & Build a User-Facing Service Catalog – Phase 1: Launch the Project
    • Service Catalog Project Charter

    2. Identify and define enterprise services

    The Identify and Define Enterprise Services phase will help to target enterprise services offered by the IT team. They are offered to everyone in the organization, and are grouped together in logical categories for users to access them easily.

    • Design & Build a User-Facing Service Catalog – Phase 2: Identify and Define Enterprise Services
    • Sample Enterprise Services

    3. Identify and define Line of Business (LOB) services

    After completing this phase, all services IT offers to each LOB or functional group should have been identified. Each group should receive different services and display only these services in the catalog.

    • Design & Build a User-Facing Service Catalog – Phase 3: Identify and Define Line of Business Services
    • Sample LOB Services – Industry Specific
    • Sample LOB Services – Functional Group

    4. Complete the Services Definition Chart

    Completing the Services Definition Chart will help the business pick which information to include in the catalog. This phase also prepares the catalog to be extended into a technical service catalog through the inclusion of IT-facing fields.

    • Design & Build a User-Facing Service Catalog – Phase 4: Complete Service Definitions
    • Services Definition Chart
    [infographic]

    Workshop: Design and Build a User-Facing Service Catalog

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the Project

    The Purpose

    The purpose of this module is to help engage IT with business decision making.

    Key Benefits Achieved

    This module will help build a foundation for the project to begin. The buy-in from key stakeholders is key to having them take onus on the project’s completion.

    Activities

    1.1 Assemble the project team.

    1.2 Develop a communication plan.

    1.3 Establish metrics for success.

    1.4 Complete the project charter.

    Outputs

    A list of project members, stakeholders, and a project leader.

    A change message, communication strategy, and defined benefits for each user group.

    Metrics used to monitor the usefulness of the catalog, both from a performance and monetary perspective.

    A completed project charter to engage users in the initiative.

    2 Identify and Define Enterprise Services

    The Purpose

    The purpose of this module is to review services which are offered across the entire organization.

    Key Benefits Achieved

    A complete list of enterprise services defined from the user’s perspective to help them understand what is available to them.

    Activities

    2.1 Identify enterprise services used by almost everyone across the organization.

    2.2 Categorize services into logical groups.

    2.3 Define the services from the user’s perspective.

    Outputs

    A complete understanding of enterprise services for both IT service providers and business users.

    Logical groups for organizing the services in the catalog.

    Completed definitions in business language, preferably reviewed by business users.

    3 Identify and Define Line of Business (LOB) Services

    The Purpose

    The purpose of this module is to define the remaining LOB services for business users, and separate them into functional groups.

    Key Benefits Achieved

    Business users are not cluttered with LOB definitions that do not pertain to their business activities.

    Business users are provided with only relevant IT information.

    Activities

    3.1 Identify the LOBs.

    3.2 Determine which one of two methodologies is more suitable.

    3.3 Identify LOB services using appropriate methodology.

    3.4 Define services from a user perspective.

    Outputs

    A structured view of the different functional groups within the business.

    An easy to follow process for identifying all services for each LOB.

    A list of every service for each LOB.

    Completed definitions in business language, preferably reviewed by business users.

    4 Complete the Full Service Definitions

    The Purpose

    The purpose of this module is to guide the client to completing their service record definitions completely.

    Key Benefits Achieved

    This module will finalize the deliverable for the client by defining every user-facing service in novice terms.

    Activities

    4.1 Understand the components to each service definition (information fields).

    4.2 Pick which information to include in each definition.

    4.3 Complete the service definitions.

    Outputs

    A selection of information fields to be included in the service catalog.

    A selection of information fields to be included in the service catalog.

    A completed service record design, ready to be implemented with the right tool.

    Further reading

    Design and Build a User-Facing Service Catalog

    Improve user satisfaction with IT with a convenient menu-like catalog.

    Our understanding of the problem

    This Research Is Designed For:

    • CIOs
    • Directors and senior managers within IT and the business

    This Research Will Help You:

    • Articulate all of the services IT provides to the business in a language the business users understand.
    • Improve IT and business alignment through a common understanding of service features and IT support.

    This Research Will Help Them

    • Standardize and communicate how users request access to services.
    • Standardize and communicate how users obtain support for services.
    • Clearly understand IT’s role in providing each service.

    What is a service catalog?

    The user-facing service catalog is the go-to place for IT service-related information.

    The catalog defines, documents, and organizes the services that IT delivers to the organization. The catalog also describes the features of the services and how the services are intended to be used.

    The user-facing service catalog creates benefits for both the business and IT.

    For business users, the service catalog:

    1. Documents how to request access to the service, hours of availability, delivery timeframes, and customer responsibilities.
    2. Specifies how to obtain support for the services, support hours, and documentation.

    For IT, the service catalog:

    1. Identifies who owns the services and who is authorized to use the services.
    2. Specifies IT support requirements for the services, including support hours and documentation.

    What is the difference between a user-facing service catalog and a technical service catalog?

    This blueprint is about creating a user-facing service catalog written and organized in a way that focuses on the services from the business’ view.

    User facing

    User-friendly, intuitive, and simple overview of the services that IT provides to the business.

    The items you would see on the menu at a restaurant are an example of User Facing. The content is relatable and easy to understand.

    Technical

    Series of technical workflows, supporting services, and the technical components that are required to deliver a service.

    The recipe book with cooking instructions is an example of Technical Facing. This catalog is intended for the IT teams and is “behind the scene.”

    What is a service and what does it mean to be service oriented?

    The sum of the people, processes, and technologies required to enable users to achieve a business outcome is a Service.

    A service is used directly by the end users and is perceived as a coherent whole.

    Business Users →Service = Application & Systems + People & Processes

    Service Orientation is…

    • A focus on business requirements and business value, rather than IT driven motives.
    • Services are designed to enable required business activities.
    • Services are defined from the business perspective using business language.

    In other words, put on your user hat and leave behind the technical jargons!

    A lack of a published user-facing service catalog could be the source of many pains throughout your organization

    IT Pains

    • IT doesn’t understand all the services they provide.
    • Business users would go outside of IT for solutions, proliferating shadow IT.
    • Business users have a negative yet unrealistic perception of what IT is capable of.
    • IT has no way of managing expectations for their users, which tend to inflate.
    • There is often no defined agreement on services; the business assumes everything is available.

    Business Pains

    • Business users don’t know what services are available to them.
    • It is difficult to obtain useful information regarding a service because IT always talks in technical language.
    • Without a standard process in place, business users don’t know how to request access to a service with multiple sources of information available.
    • Receiving IT support is a painful, long process and IT doesn’t understand what type of support the business requires.

    An overwhelming majority of IT organizations still need to improve how they demonstrate their value to the business

    This image contains a pie chart with a slice representing 23% of the circle This image contains a pie chart with a slice representing 47% of the circle This image contains a pie chart with a slice representing 92% of the circle

    23% of IT is still viewed as a cost center.

    47% of business executives believe that business goals are going unsupported by IT.

    92% of IT leaders see the need to prove the business value of IT’s contribution.

    How a Service Catalog can help:

    Use the catalog to demonstrate how IT is an integral part of the organization and IT services are essential to achieve business objectives.

    Source: IT Communication in Crisis Report

    Transform the perception of IT by articulating all the services that are provided through the service catalog in a user-friendly language.

    Source: Info-Tech Benchmarking and Diagnostic Programs

    Increase IT-business communication and collaboration through the service catalog initiative. Move from technology focused to service-oriented.

    Source: IT Communication in Crisis Report

    Project Steps

    Phase 1 – Project Launch

    1.2 Project Team

    The team must be balanced between representatives from the business and IT.

    1.2 Communication Plan

    Communication plan to facilitate input from both sides and gain adoption.

    1.3 Identify Metrics

    Metrics should reflect the catalog benefits. Look to reduced number of service desk inquiries.

    1.4 Project Charter

    Project charter helps walk you through project preparation.

    This blueprint separates enterprise service from line of business service.

    This image contains a comparison between Enterprise IT Service and Line of Business Service, which will be discussed in further detail later in this blueprint.

    Project steps

    Phase 2 – Identify and Define Enterprise Services

    2.1 Identify the services that are used across the entire organization.

    2.2 Users must be able to identify with the service categories.

    2.3 Create basic definitions for enterprise services.

    Phase 3 – Identify and Define Line of Business Services

    3.1 Identify the different lines of business (LOBs) in the organization.

    3.2 Understand the differences between our two methodologies for identifying LOB services.

    3.3 Use methodology 1 if you have thorough knowledge of the business.

    3.4 Use methodology 2 if you only have an IT view of the LOB.

    Phase 4 – Complete Service Definitions

    4.1 Understand the different components to each service definition, or the fields in the service record.

    4.2 Identify which information to include for each service definition.

    4.3 Define each enterprise service according to the information and field properties.

    4.3 Define each LOB service according to the information and field properties.

    Define your service catalog in bundles to achieve better catalog design in the long run

    Trying to implement too many services at once can be overwhelming for both IT and the users. You don’t have to define and implement all of your services in one release of the catalog.

    Info-Tech recommends implementing services themselves in batches, starting with enterprise, and then grouping LOB services into separate releases. Why? It benefits both IT and business users:

    • It enables a better learning experience for IT – get to test the first release before going full-scale. In other words, IT gets a better understanding of all components of their deliverable before full adoption.
    • It is easier to meet customer agreements on what is to be delivered early, and easier to be able to meet those deadlines.
    This image depicts how you can use bundles to simplify the process of catalog design using bundles. The cycle includes the steps: Identify Services; Select a Service Bundle; Review Record Design; followed by a cycle of: Pick a service; Service X; Service Data Collection; Create Service Record, followed by Publish the bundle; Communicate the bundle; Rinse and Repeat.

    After implementing a service catalog, your IT will be able to:

    Use the service catalog to communicate all the services that IT provides to the business.

    Improve IT’s visibility within the organization by creating a single source of information for all the value creating services IT has to offer. The service catalog helps the business understand the value IT brings to each service, each line of business, and the overall organization.

    Concentrate more on high-value IT services.

    The service catalog contains information which empowers business users to access IT services and information without the help of IT support staff. The reduction in routine inquiries decreases workload and increases morale within the IT support team, and allows IT to concentrate on providing higher value services.

    Reduce shadow IT and gain control of services.

    Service catalog brings more control to your IT environment by reducing shadow IT activities. The service catalog communicates business requests responsively in a language the business users understand, thus eliminating the need for users to seek outside help.

    After implementing a service catalog, your business will be able to:

    Access IT services with ease.

    The language of IT is often confusing for the business and the users don’t know what to do when they have a concern. With a user-facing service catalog, business users can access information through a single source of information, and better understand how to request access or receive support for a service through clear, consistent, and business-relevant language.

    Empower users to self-serve.

    The service catalog enables users to “self-serve” IT services. Instead of calling the service desk every time an issue occurs, the users can rely on the service catalog for information. This simplified process not only reduces routine service requests, but also provides information in a faster, more efficient manner that increases productivity for both IT and the business.

    Gain transparency on the IT services provided.

    With every service clearly defined, business users can better understand the current support level, communicate their expectation for IT accountability, and help IT align services with critical business strategies.

    Leverage the different Info-Tech deliverable tools to help you along the way

    1. Project Charter

    A project charter template with a few samples completed. The project charter helps you govern the project progress and responsibilities.

    2. Enterprise Service Definitions

    A full list of enterprise definitions with features and descriptions pre-populated. These are meant to get you on your feet defining your own enterprise services, or editing the ones already there.

    3. Basic Line of Business Service Definitions

    Similar to the enterprise services deliverable, but with two separate deliverables focusing on different perspectives – functional groups services (e.g. HR and finance) and industry-specific services (e.g. education and government).

    Service Definitions & Service Record Design

    Get a taste of a completed service catalog with full service definitions and service record design. This is the final product of the service catalog design once all the steps and activities have been completed.

    The service catalog can be the foundation of your future IT service management endeavors

    After establishing a catalog of all IT services, the following projects are often pursued for other objectives. Service catalog is a precursor for all three.

    1. Technical Service Catalog

    Need an IT-friendly breakdown of each service?
    Keep better record of what technical components are required to deliver a service. The technical service catalog is the IT version of a user-facing catalog.

    2. Service-Based Costing

    Want to know how much each IT service is costing you?
    Get a better grip on the true cost of IT. Using service-based costing can help justify IT expenses and increase budgetary allotment.

    3. Chargeback

    Want to hold each business unit accountable for the IT services they use?
    Some business units abuse their IT services because they are thought to be free. Keep them accountable and charge them for what they use.

    The service catalog need not be expensive – organizations of all sizes (small, medium, large) can benefit from a service catalog

    No matter what size organization you may be, every organization can create a service catalog. Small businesses can benefit from the catalog the same way a large organization can. We have an easy step-by-step methodology to help introduce a catalog to your business.

    It is common that users do not know where to go to obtain services from IT… We always end up with a serious time-crunch at the beginning of a new school year. With automated on- and off-boarding services, this could change for the better.Dean Obermeyer, Technology Coordinator, Los Alamos Public Schools

    CIO Call to Action

    As the CIO and the project sponsor, you need to spearhead the development of the service catalog and communicate support to drive engagement and adoption.

      Start

    1. Select an experienced project leader
    2. Identify stakeholders and select project team members with the project leader
    3. Throughout the project

    4. Attend or lead the project kick-off meeting
    5. Create checkpoints to regularly touch base with the project team
    6. Service catalog launch

    7. Communicate the change message from beginning to implementation

    Identify a project leader who will drive measurable results with this initiative

    The project leader acts on behalf of the CIO and must be a senior level staff member who has extensive knowledge of the organization and experiences marshalling resources.

    Influential & Impactful

    Developing a service catalog requires dedication from many groups within IT and outside of IT.
    The project leader must hold a visible, senior position and can marshal all the necessary resources to ensure the success of the project. Ability to exert impact and influence around both IT and the business is a must.

    Relationship with the Business

    The user-facing service catalog cannot be successful if business input is not received.
    The project leader must leverage his/her existing relationship with the business to test out the service definitions and the service record design.

    Results Driven

    Creating a service catalog is not an easy job and the project leader must continuously engage the team members to drive results and efficiency.
    The highly visible nature of the service catalog means the project leader must produce a high-quality outcome that satisfies the business users.

    Info-Tech’s methodology helps organization to standardize how to define services

    CASE STUDY A
    Industry Municipal Government
    Source Onsite engagement

    Municipal Government
    The IT department of a large municipal government in the United States provides services to a large number of customers in various government agencies.
    Service Catalog Initiative
    The municipal government allocated a significant amount of resources to answer routine inquiries that could have been avoided through user self-service. The government also found that they do not organize all the services IT provides, and they could not document and publish them to the customer. The government has already begun the service catalog initiative, but was struggling with how to identify services. Progress was slow because people were arguing amongst themselves – the project team became demoralized and the initiative was on the brink of failure.
    Results
    With Info-Tech’s onsite support, the government was able to follow a standardized methodology to identify and define services from the user perspective. The government was able to successfully communicate the initiative to the business before the full adoption of the service catalog.

    We’re in demos with vendors right now to purchase an ITSM tool, and when the first vendor looked at our finished catalog, they were completely impressed.- Client Feedback

    [We feel] very confident. The group as a whole is pumped up and empowered – they're ready to pounce on it. We plan to stick to the schedule for the next three months, and then review progress/priorities. - Client Feedback

    CASE STUDY B
    Industry Healthcare
    Source Onsite engagement

    Healthcare Provider
    The organization is a healthcare provider in Canada. It treats patients with medical emergencies, standard operations, and manages a faculty of staff ranging from nurses and clerks, to senior doctors. This organization is run across several hospitals, various local clinics, and research centers.
    Service Catalog Initiative
    Because the organization is publicly funded, it is subject to regular audit requirements – one of which is to have a service catalog in place.
    The organization also would like to charge back its clients for IT-related costs. In order to do this, the organization must be able to trace it back to each service. Therefore, the first step would be to create a user-facing service catalog, followed by the technical service catalog, which then allows the organization to do service-based costing and chargeback.
    Results
    By leveraging Info-Tech’s expertise on the subject, the healthcare provider was able to fast-track its service catalog development and establish the groundwork for chargeback abilities.

    "There is always some reticence going in, but none of that was apparent coming out. The group dynamic was very good. [Info-Tech] was able to get that response, and no one around the table was silent.
    The [expectation] of the participants was that there was a purpose in doing the workshop. Everybody knew it was for multiple reasons, and everyone had their own accountability/stakes in the development of it. Highly engaged."
    - Client Feedback

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Launch the Project

    Identify Enterprise Services

    Identify Line of Business Services

    Complete Service Definitions

    Best-Practice Toolkit

    1.1 Assemble the project team.

    1.2 Develop a communication plan.

    1.3 Establish metrics for success.

    1.4 Complete the project charter.

    2.1 Identify services available organization-wide.

    2.2 Categorize services into logical groups.

    2.3 Define the services.

    3.1 Identify different LOBs.

    3.2 Pick one of two methodologies.

    3.3 Use method to identify LOB services.

    4.1 Learn components to each service definition.

    4.2 Pick which information to include in each definition.

    4.3 Define each service accordingly.

    Guided Implementations Identify the project leader with the appropriate skills.

    Assemble a well-rounded project team.

    Develop a mission statement and change messages.

    Create a comprehensive list of enterprise services that are used across the organization.

    Create a categorization scheme that is based on the needs of the business users.

    Walk through the two Info-Tech methodologies and understand which one is applicable.

    Define LOB services using the appropriate methodology.

    Decide what should be included and what should be kept internal for the service record design.

    Complete the full service definitions.

    Onsite Workshop Phase 1 Results:

    Clear understanding of project objectives and support obtained from the business.

    Phase 2 Results:

    Enterprise services defined and categorized.

    Phase 3 Results:

    LOB services defined based on user perspective.

    Phase 4 Results:

    Service record designed according to how IT wishes to communicate to the business.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Activities

    Launch the Project

    Identify Enterprise Services

    Identify Line of Business Services

    Complete Service Definitions

    1.1 Assemble the project team.

    1.2 Develop a communication plan.

    1.3 Establish metrics for success.

    1.4 Complete the project charter.

    2.1 Identify services available organization-wide.

    2.2 Categorize services into logical groups.

    2.3 Define the services.

    3.1 Identify different LOBs.

    3.2 Pick one of two methodologies.

    3.3 Use method to identify LOB services.

    4.1 Learn components to each service definition.

    4.2 Pick which information to include in each definition.

    4.3 Define each service accordingly.

    Deliverables
    • Service Catalog Project Charter
    • Enterprise Service Definitions
    • LOB Service Definitions – Functional groups
    • LOB Service Definitions – Industry specific
    • Service Definitions Chart

    PHASE 1

    Launch the Project

    Design & Build a User-Facing Service Catalog

    Step 1 – Create a project charter to launch the initiative

    1. Complete the Project Charter
    2. Create Enterprise Services Definitions
    3. Create Line of Business Services Definitions
    4. Complete Service Definitions

    This step will walk you through the following activities:

    • Develop a mission statement to obtain buy-ins from both IT and business stakeholders.
    • Assemble a well-rounded project team to increase the success of the project.
    • Identify and obtain support from stakeholders.
    • Create an impactful change message to the organization to promote the service catalog.
    • Determine project metrics to measure the effectiveness and value of the initiative.

    Step Insights

    • The project leader must have a strong relationship with the business, the ability to garner user input, and the authority to lead the team in creating a user-facing catalog that is accessible and understandable to the user.
    • Having two separate change messages prepared for IT and the business is a must. The business change message advocates how the catalog will make IT more accessible to users, and the IT message centers around how the catalog will make IT’s life easier through a standardized request process.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Launch the project
    Proposed Time to Completion: 2 weeks
    Step 1.2: Create change messages

    Step 1.2: Create change messages

    Start with an analyst kick off call:

    • Identify the key objectives of creating a user-facing service catalog.
    • Identify the necessary members of the project team.

    Review findings with analyst:

    • Prioritize project stakeholders according to their involvement and influence.
    • Create a change message for IT and the business articulating the benefits.

    Then complete these activities…

  • Assemble a team with representatives from all areas of IT.
  • Identify the key project stakeholders.
  • Create a project mission statement.
  • Then complete these activities…

  • Create a separate change message for IT and the business.
  • Determine communication methods and channels.
  • With these tools & templates: Service

    Catalog Project Charter

    With these tools & templates:

    Service Catalog Project Charter

    Use Info-Tech’s Service Catalog Project Charter to begin your initiative

    1.1 Project Charter

    The following section of slides outline how to effectively use Info-Tech’s sample project charter.

    The Project Charter is used to govern the initiative throughout the project. IT should provide the foundation for project communication and monitoring.

    It has been pre-populated with information appropriate for Service Catalog projects. Please review this sample text and change, add, or delete information as required.

    Building the charter as a group will help you to clarify your key messages and help secure buy-in from critical stakeholders upfront.

    You may feel like a full charter isn’t necessary, and depending on your organizational size, it might not be. However, the exercise of building the charter is important none-the-less. No matter your current climate, some elements of communicating the value and plans for implementing the catalog will be necessary.

    The Charter includes the following sections:

    • Mission Statement
    • Project team members
    • Project stakeholders
    • Change message
    • Communication and organizational plan
    • Metrics

    Use Info-Tech’s Service Catalog Project Charter.

    Create a mission statement to articulate the purpose of this project

    The mission statement must be compelling because embarking on creating a service catalog is no easy task. It requires significant commitment from different people in different areas of the business.

    Good mission statements are directive, easy to understand, narrow in focus, and favor substance over vagueness.

    While building your mission statement, think about what it is intended to do, i.e. keep the project team engaged and engage others to adopt the service catalog. Included in the project charter’s mission statement section is a brief description of the goals and objectives of the service catalog.

    Ask yourself the following questions:

    1. What frustrations does your business face regarding IT services?
    2. f our company continues growing at this rate, will IT be able to manage service levels?
    3. How has IT benefited from consolidating IT services into a user perspective?

    Project Charter

    Info-Tech’s project charter contains two sample mission statements, along with additional tips to help you create yours.

    Tackle the project with a properly assembled team to increase the speed and quality in which the catalog will be created

    Construct a well-balanced project team to increase your chances of success.

    Project Leader

    Project leader will be the main catalyst for the creation of the catalog. This person is responsible for driving the whole initiative.

    Project Participants

    IT project participants’ input and business input will be pivotal to the creation of the catalog.

    Project Stakeholders

    The project stakeholders are the senior executives who have a vested interest in the service catalog. IT must produce periodic and targeted communication to these stakeholders.

    Increase your chances of success by creating a dynamic group of project participants

    Your project team will be a major success factor for your service catalog. Involvement from IT management and the business is a must.

    IT Team Member

    IT Service Desk Manager

    • The Service Desk team will be an integral part of the service catalog creation. Because of their client-facing work, service desk technicians can provide real feedback about how users view and request services.

    Senior Manager/Director of Application

    • The Application representative provides input on how applications are used by the business and supported by IT.

    Senior Manager/Director of Infrastructure

    • The infrastructure representative provides input on services regarding data storage, device management, security, etc.

    Business Team Member

    Business IT Liaison

    • This role is responsible for bridging the communication between IT and the business. This role could be fulfilled by the business relationship manager, service delivery manager, or business analyst. It doesn’t have to be a dedicated role; it could be part of an existing role.

    Business representatives from different LOBs

    • Business users need to validate the service catalog design and ensure the service definitions are user facing and relevant.

    Project Charter

    Input your project team, their roles, and relevant contact information into your project charter, Section 2.

    Identify the senior managers who are the stakeholders for the service catalog

    Obtain explicit buy-in from both IT and business stakeholders.

    The stakeholders could be your biggest champions for the service catalog initiative, or they could pull you back significantly. Engage the stakeholders at the start of the project and communicate the benefits of the service catalog to them to gain their approval.

    Stakeholders

    Benefits

    CIO
    • Improved visibility and perception for IT
    • Ability to better manage business expectation

    Manager of Service Desk

    • Reduced number of routine inquires
    • Respond to business needs faster and uniformly

    Senior Manager/Director of Application & Infrastructure

    • Streamlined and standardized request/support process
    • More effective communication with the business

    Senior Business Executives from Major LOBs

    • Self-service increases user productivity for business users
    • Better quality of services provided by IT

    Project Charter

    Document a list of stakeholders, their involvement in the process (why they are stakeholders), and their contact information in Section 3.

    Articulate the creation of the service catalog to the organization

    Spread the word of service catalog implementation. Bring attention to your change message through effective mediums and organizational changes.

    Key aspects of a communication plan

    The methods of communication (e.g. newsletters, email broadcast, news of the day, automated messages) notify users of implementation.

    In addition, it is important to know who will deliver the message (delivery strategy). Talking to the business leaders is very important, and you need IT executives to deliver the message. Work hard on obtaining their support as they are the ones communicating to their staff and could be your project champions.

    Recommended organizational changes

    The communication plan should consist of changes that will affect the way users interact with the catalog. Users should know of any meetings pertinent to the maintenance and improvement of the catalog, and ways to access the catalog (e.g. link on desktop/start menu).

    This image depicts the cycle of communicating change. the items in the cycle include: What is the change?; Why are we doing it?; How are we going to go about it?; What are we trying to achieve?; How often will we be updated?

    The Qualities of Leadership: Leading Change

    Project Charter

    Your communication plan should serve as a rough guide. Communication happens in several unpredictable happenstances, but the overall message should be contained within.

    Ensure you get the whole company on board for the service catalog with a well practiced change message

    The success of your catalog implementation hinges on the business’ readiness.

    One of the top challenges for organizations that are implementing a service catalog is the acceptance and adoption of the change. Effective planning for implementation and communication is pivotal. Ensure you create tailored plans for communication and understand how the change will impact staff.

    1. Draft your change message
    2. “Better Service, Better Value.” It is important to have two change messages prepared: one for the IT department and one for business users.
      Outline a few of the key benefits each user group will gain from adopting the service catalog (e.g. Faster, ease of use, convenient, consistent…)

    3. Address feedback
    4. Anticipate some resistances of service catalog adoption and prepare responses. These may be the other benefits which were not included in the change message (e.g. IT may be reluctant to think in business language.)

    5. Conduct training sessions
    6. Host lunch & learns to demonstrate the value of the service catalog to both business and IT user groups.
      These training sessions also serve as a great way to gather feedback from users regarding style and usability.

    Project Charter

    Pick your communication medium, and then identify your target audience. You should have a change message for each: the IT department and the business users. Pay careful consideration to wording and phrasing with regard for each.

    Track metrics throughout the project to keep stakeholders informed

    In order to measure the success of your service catalog, you must establish baseline metrics to determine how much value the catalog is creating for your business.

    1. Number of service requests via the service catalog
    2. The number of service catalog requests should be carefully monitored so that it does not fluctuate too greatly. In general, the number of requests via the service catalog should increase, which indicates a higher level of self-serve.

    3. Number of inquiry calls to the service desk
    4. The number of inquiry calls should decrease because customers are able to self-serve routine IT inquiries that would otherwise have gone through the service desk.

    5. Customer satisfaction – specific questions
    6. The organization could adopt the following sample survey questions:
      From 0-5: How satisfied are you with the functionality of the service catalog? How often do you turn to the service catalog first to solve IT problems?

    7. Number of non-standard requests
    8. The number of non-standard requests should decrease because a majority of services should eventually be covered in the service catalog. Users should be able to solve nearly any IT related problem through navigating the service catalog.

    Metric Description Current Metric Future Goal
    Number of service requests via the Service Catalog
    Number of inquiry calls to the service desk
    Customer Satisfaction – specific question
    Number of non-standard requests

    Use metrics to monitor the monetary improvements the service catalog creates for the business

    When measuring against your baseline, you should expect to see the following two monetary improvements:

    1. Improved service desk efficiency
    2. (# of routine inquiry calls reduced) x (average time for a call) x (average service desk wage)

      Routine inquiries often take up a significant portion of the service desk’s effort, and the majority of them can be answered via the service catalog, thus reducing the amount of time required for a service desk employee to engage in routine solutions. The reduction in routine inquiries allows IT to allocate resources to high-value services and provide higher quality of support.

    Example

    Originally, the service desk of an organization answers 850 inquiries per month, and around 540 of them are routine inquiries requesting information on when a service is available, who they can contact if they want to receive a service, and what they need to do if they want access to a service, etc.

    IT successfully communicated the introduction of the service catalog to the business and 3 months after the service catalog was implemented, the number of routine inquiries dropped to 60 per month. Given that the average time for IT to answer the inquiry is 10 minutes (0.167 hour) and the hourly wage of a service desk technician is $25, the monthly monetary cost saving of the service catalog is:

    (540 – 60) x 0.167 x 25 = $2004.00

    • Reduced expense by eliminating non-standard requests

    (Average additional cost of non-standard request) x (Reduction of non-standard request)
    +
    (Extra time IT spends on non-standard request fulfilment) x (Average wage)

    Non-standard requests require a lot of time, and often a lot of money. IT frequently incurs additional cost because the business is not aware of how to properly request service or support. Not only can the service catalog standardize and streamline the service request process, it can also help IT define its job boundary and say no to the business if needed.

    Example

    The IT department of an organization often finds itself dealing with last-minute, frustrating service requests from the business. For example, although equipment requests should be placed a week in advance, the business often requests equipment to be delivered the next day, leaving IT to pay for additional expedited shipping costs and/or working fanatically to allocate the equipment. Typically, these requests happen 4 times a month, with an additional cost of $200.00. IT staff work an extra 6 hours per each non-standard request at an hourly wage of $30.00.

    With the service catalog, the users are now aware of the rules that are in place and can submit their request with more ease. IT can also refer the users to the service catalog when a non-standard request occurs, which helps IT to charge the cost to the department or not meet the terms of the business.

    The monthly cost saving in this case is:

    $200.00 x 4 + 6 hours x 30 = $980.00

    Create your project charter for the service catalog initiative to get key stakeholders to buy in

    1.1 2-3 hours

    The project charter is an important document to govern your project process. Support from the project sponsors is important and must be documented. Complete the following steps working with Info-Tech’s sample Project Charter.

    1. The project leader and the core project team must identify key reasons for creating a service catalog. Document the project objectives and benefits in the mission statement section.
    2. Identify and document your project team. The team must include representatives from the Infrastructure, Applications, Service desk, and a Business-IT Liaison.
    3. Identify and document your project stakeholders. The stakeholders are those who have interest in seeing the service catalog completed. Stakeholders for IT are the CIO and management of different IT practices. Stakeholders for the business are executives of different LOBs.
    4. Identify your target audience and choose the communication medium most effective to reach them. Draft a communication message hitting all key elements.
      Info-Tech’s project charter contains sample change messages for the business and IT.
    5. Develop a strategy as to how the change message will be distributed, i.e. the communication and organizational change plan.
    6. Use the metrics identified as a base to measure your service catalog’s implementation. If you have identified any other objectives, add new metrics to monitor your progress from the baseline to reaching those objectives.
    7. Sign and date the project charter to officiate commitment to completing the project and reaching your objectives. Have the signed and dated charter available to members of the project team.

    INPUT

    • A collaborative discussion between team members

    OUTPUT

    • Thorough briefing for project launch
    • A committed team

    Materials

    • Communication message and plan
    • Metric tracking

    Participants

    • Project leader
    • Core project team

    Obtain buy-in from business users at the beginning of the service catalog initiative

    CASE STUDY A
    Industry Government
    Source Onsite engagement

    Challenge

    The nature of government IT is quite complex: there are several different agencies located in a number of different areas. It is extremely important to communicate the idea of the service catalog to all the users, no matter the agency or location.

    The IT department had yet to let business leaders of the various agencies know about the initiative and garner their support for the project. This has proven to be prohibitive for gaining adoption from all users.

    Solution

    The IT leaders met and identified all the opportunities to communicate the service catalog to the business leaders and end users.

    To meet with the business leaders, IT leaders hosted a service level meeting with the business directors and managers. They adopted a steering committee for the continuation of the project.

    To communicate with business users, IT leaders published announcements on the intranet website before releasing the catalog there as well.

    Results

    Because IT communicated the initiative, support from business stakeholders was obtained early and business leaders were on board shortly after.

    IT also managed to convince key business stakeholders to become project champions, and leveraged their network to communicate the initiative to their employees.

    With this level of adoption, it meant that it was easier for IT to garner business participation in the project and to obtain feedback throughout.

    Info-Tech assists project leader to garner support from the project team

    CASE STUDY A
    Industry Government
    Source Onsite engagement

    Challenge

    The project received buy-in from the CIO and director of infrastructure. Together they assembled a team and project leader.

    The two struggled to get buy-in from the rest of the team, however. They didn’t understand the catalog or its benefits and objectives. They were reluctant to change their old ways. They didn’t know how much work was required from them to accomplish the project.

    Solution

    With the Info-Tech analyst on site, the client was able to discuss the benefits within their team as well as the project team responsibilities.

    The Info-Tech analyst convinced the group to move towards focusing on a business- and service-oriented mindset.

    The workshop discussion was intended to get the entire team on board and engaged with meeting project objectives.

    Results

    The project team had experienced full buy-in after the workshop. The CIO and director relived their struggles of getting project members on-board through proper communication and engagement.

    Engaging the members of the project team with the discussion was key to having them take ownership in accomplishing the project.

    The business users understood that the service catalog was to benefit their long-term IT service development.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.
    The following are sample activities that will be conducted by Info-Tech analysts with your team:
    1.1 this image contains a screenshot from section 1.1 of this blueprint. Begin your project with a mission statement
    A strong mission statement that outlines the benefits of the project is needed to communicate the purpose of the project. The onsite Info-Tech analysts will help you customize the message and establish the foundation of the project charter.
    1.2 this image contains a screenshot from section 1.2 of this blueprint.

    Identify project team members

    Our onsite analysts will help you identify high-value team members to contribute to this project.

    1.3 This image contains a screenshot from section 1.3 of this blueprint.

    Identify important business and IT stakeholders

    Buy-in from senior IT and business management is a must. Info-Tech will help you identify the stakeholders and determine their level of influence and impact.

    1.4 This image contains a screenshot from section 1.4 of this blueprint.

    Create a change message for the business and IT

    It is important to communicate changes early and the message must be tailored for each target audience. Our analysts will help you create an effective message by articulating the benefits of the service catalog to the business and to IT.

    1.5 This image contains a screenshot from section 1.5 of this blueprint.

    Determine service project metrics

    To demonstrate the value of the service catalog, IT must come up with tangible metrics. Info-Tech’s analysts will provide some sample metrics as well as facilitate a discussion around which metrics should be tracked and monitored.

    PHASE 2

    Identify and Define Enterprise Services

    Design & Build a User-Facing Service Catalog

    Step 2 – Create Enterprise Services Definitions

    1. Complete the Project Charter
    2. Create Enterprise Services Definitions
    3. Create Line of Business Services Definitions
    4. Complete Service Definitions

    This step will walk you through the following activities:

    • Identify and define enterprise services that are commonly used across the organization.
    • Create service descriptions and features to accurately sum up the functionality of each service.
    • Create service categories and assign each service to a category.

    Step Insights

    • When defining services, be sure to carefully distinguish between what is a feature and what is a service. Often, separate services are defined in situations when they would be better off as features of existing services, and vice versa.
    • When coming up with enterprise services categories, ensure the categories group the services in a way that is intuitive. The users should be able to find a service easily based on the names of the categories.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Define Enterprise Services
    Proposed Time to Completion: 4 weeks

    Step 2.1: Identify enterprise services

    Step 2.2: Create service categories

    Start with an analyst kick off call:

    • Identify enterprise services that are commonly used.
    • Ensure the list is comprehensive and capture common IT needs.
    • Create service descriptions and features.

    Review findings with analyst:

    • Review full list of identified enterprise services.
    • Identify service categories that are intuitive to the users.

    Then complete these activities…

    • Use Info-Tech’s sample enterprise service definitions as a guide, and change/add/delete the service definitions to customize them to your organization.

    Then complete these activities…

    • Group identified services into categories that are intuitive to the users.

    With these tools & templates: Service

    Sample Enterprise Services

    With these tools & templates:

    Sample Enterprise Services

    Identify enterprise services in the organization apart from the services available to lines of business

    Separating enterprise services from line of business services helps keep things simple to organize the service catalog. -

    Documentation of all business-facing IT services is an intimidating task, and a lack of parameters around this process often leads to longer project times and unsatisfactory outcomes.

    To streamline this process, separating enterprise services from line of business services allows IT to effectively and efficiently organize these services. This method increases the visibility of the service catalog through user-oriented communication plans.

    Enterprise Services are common services that are used across the organization.

    1. Common Services for all users within the organization (e.g. Email, Video Conferencing, Remote Access, Guest Wireless)
    2. Service Requests organized into Service Offerings (e.g. Hardware Provisioning, Software Deployment, Hardware Repair, Equipment Loans)
    3. Consulting Services (e.g. Project Management, Business Analysis, RFP Preparation, Contract Negotiation)

    All user groups access Enterprise Services

    Enterprise Services

    • Finance
    • IT
    • Sales
    • HR

    Ensure your enterprise services are defined from the user perspective and are commonly used

    If you are unsure whether a service is enterprise wide, ask yourself these two questions:

    This image contains an example of how you would use the two questions: Does the user directly use the service themselves?; and; Is the service used by the entire organization (or nearly everyone)?. The examples given are: A. Video Conferencing; B. Exchange Server; C. Email & Fax; D. Order Entry System

    Leverage Info-Tech’s Sample Enterprise Services definition

    2.1 Info-Tech’s Sample Enterprise Services definitions

    Included with this blueprint is Info-Tech’s Sample Enterprise Services definitions.

    The sample contains dozens of services common across most organizations; however, as a whole, they are not complete for every organization. They must be modified according to the business’ needs. Phase two will serve as a guide to identifying an enterprise service as well as how to fill out the necessary fields.

    This image contains a screenshot of definitions from Info-Tech's Sample Enterprises services

    Info-Tech Insight

    Keep track of which services you either modify or delete. You will have to change the same services in the final Info-Tech deliverable.

    The next slide will introduce you to the information for each service record that can be edited.

    Info-Tech’s Sample Enterprise Services definitions is designed to be easily customized

    2.1 Info-Tech’s Sample Enterprise Services definitions

    Below is an example of a service record and its necessary fields of information. This is information that can be kept, deleted, or expanded upon.

    Name the service unambiguously and from the user’s perspective.

    Brief description of how the service allows users to perform tasks.

    Describe the functionality of the service and how it helps users to achieve their business objectives.

    Cluster the services into logical groups.

    Service Name Description Features Category
    Email Email communication to connect with other employees, suppliers, and customers
    • Inbox
    • Calendar
    • Resource Scheduling (meeting rooms)
    • Access to shared mailboxes
    • Limit on mailbox size (‘x’ GB)
    • Address book/external contacts
    • Spam filtering, virus protection
    • Archiving and retrieval of older emails
    • Web/browser access to email
    • Mass email/notification (emergency, surveys, reporting)
    • Setting up a distribution list
    • Setting up Active Sync for email access on mobile devices
    Communications

    Distinguish between a feature and a unique service

    It can be difficult to determine what is considered a service itself, and what is a feature of another service. Use these tips and examples below to help you standardize this judgement.

    Example 1

    Web Conferencing has already been defined as a service. Is Audio Conferencing its own service or a feature of Web Conferencing?

    Info-Tech Tip: Is Audio Conferencing run by the same application as the Web Conferencing? Does it use the same equipment? If not, Audio Conferencing is probably its own service.

    Example 2

    Web Conferencing has already been defined as a service. Is “Screen Sharing” its own service or a feature of Web Conferencing?

    Info-Tech Tip: It depends on how the user interacts with Screen Sharing. Do they only screen share when engaged in a Web Conference? If so, Screen Sharing is a feature and not a service itself.

    Example 3

    VoIP is a popular alternative to landline telephone nowadays, but should it be part of the telephony service or a separate service?

    Info-Tech Tip: It depends on how the VoIP phone is set up.

    If the user uses the VoIP phone the same way they would use a landline phone – because the catalog is user facing – consider the VoIP as part of the telephone service.

    If the user uses their computer application to call and receive calls, consider this a separate service on its own.

    Info-Tech Insight

    While there are some best practices for coming up with service definitions, it is not an exact science and you cannot accommodate everyone. When in doubt, think how most users would perceive the service.

    Change or delete Info-Tech’s enterprise services definitions to make them your own

    2.1 3 hours

    You need to be as comprehensive as possible and try to capture the entire breadth of services IT provides to the business.

    To achieve this, a three-step process is recommended.

    1. First, assemble your project team. It is imperative to have representatives from the service desk. Host two separate workshops, one with the business and one with IT. These workshops should take the form of focus groups and should take no more than 1-2 hours.
    2. Business Focus Group:
    • In an open-forum setting, discuss what the business needs from IT to carry out their day-to-day activities.
    • Engage user-group representatives and business relationship managers.

    IT Focus Group:

    • In a similar open-forum setting, determine what IT delivers to the business. Don’t think about it from a support perspective, but from an “ask” perspective – e.g. “Service Requests.
    • Engage the following individuals: team leads, managers, directors.
  • Review results from the focus groups and compare with your service desk tickets – are there services users inquire about frequently that are not included? Finalize your list of enterprise services as a group.
  • INPUT

    • Modify Info-Tech’s sample services

    OUTPUT

    • A list of some of your business’ enterprise services

    Materials

    • Whiteboard/marker
    • Info-Tech sample enterprise services

    Participants

    • Key members of the project team
    • Service desk rep
    • Business rep

    Using Info-Tech’s Sample Enterprise Services, expand upon the services to add those that we did not include

    2.2 1-3 hours (depending on size and complexity of the IT department)

    Have your user hat on when documenting service features and descriptions. Try to imagine how the users interact with each service.

    1. Once you have your service name, start with the service feature. This field lists all the functionality the service provides. Think from the user’s perspective and document the IT-related activities they need to complete.
    2. Review the service feature fields with internal IT first to make sure there isn’t any information that IT doesn’t want to publish. Afterwards, review with business users to ensure the language is easy to understand and the features are relatable.
    3. Lastly, create a high-level service description that defines the nature of the service in one or two sentences.

    INPUT

    • Collaborate and discuss to expand on Info-Tech’s example

    OUTPUT

    • A complete list of your business’ enterprise services

    Materials

    • Whiteboard/marker
    • Info-Tech sample enterprise services

    Participants

    • Key members of the project team
    • Service desk rep
    • Business rep

    Follow Info-Tech’s guidelines to establish categories for the enterprise services that IT provides to the business

    Similar to the services and their features, there is no right or wrong way to categorize. The best approach is to do what makes sense for your organization and understand what your users think.

    What are Service Categories?

    Categories organize services into logical groups that the users can identify with. Services with similar functions are grouped together in a common category.

    When deciding your categories, think about:

    • What is best for the users?
    • Look at the workflows from the user perspective: how and why do they use the service?
    • Will the user connect with the category name?
    • Will they think about the services within the category?
    Enterprise Service Categories
    Accounts and Access
    Collaboration
    Communication
    Connectivity
    Consulting
    Desktop, Equipment, & Software
    Employee Services
    Files and Documents
    Help & Support
    Training

    Sample categories

    Categorize the services from the list below; how would you think to group them?

    There is no right or wrong way to categorize services; it is subjective to how they are provided by IT and how they are used by the business. Use the aforementioned categories to group the following services. Sample solutions are provided on the following slide.

    Service Name
    Telephone
    Email
    Remote access
    Internet
    BYOD (wireless access)
    Instant Messaging
    Video Conferencing
    Audio Conferencing
    Guest Wi-Fi
    Document Sharing

    Tips and tricks:

    1. Think about the technology behind the service. Is it the same application that provides the services? For example: is instant messaging run by the same application as email?
    2. Consider how the service is used by the business. Are two services always used together? If instant messaging is always used during video conferencing, then they belong in the same category.
    3. Consider the purpose of the services. Do they achieve the same outcomes? For example, document sharing is different from video conferencing, though they both support a collaborative working environment.

    This is a sample of different categorizations – use these examples to think about which would better suit your business

    Example 1 Example 2

    Desktop, Equipment, & Software Services

    Connectivity

    Mobile Devices

    Communications

    Internet

    Telephone

    BYOD (wireless access)

    Telephone

    Guest Wi-Fi

    Internet

    Email

    Remote Access

    Instant Messaging

    Video Conferencing

    Audio Conferencing

    Communications

    Collaboration

    Storage and Retrieval

    Accounts and Access

    Telephone

    Email

    Document Sharing

    Remote access

    Email

    Instant Messaging

    Connectivity

    Mobile Devices

    Video Conferencing

    Internet

    BYOD (wireless access)

    Audio Conferencing

    Guest Wi-Fi

    Guest Wi-Fi

    Document Sharing

    Info-Tech Insight

    Services can have multiple categories only if it means the users will be better off. Try to limit this as much as possible.

    Neither of these two examples are the correct answer, and no such thing exists. The answers you came up with may well be better suited for the users in your business.

    With key members of your project team, categorize the list of enterprise services you have created

    2.3 1 hour

    Before you start, you must have a modified list of all defined enterprise services and a modified list of categories.

    1. Write down the service names on sticky notes and write down the categories either on the whiteboard or on the flipchart.
    2. Assign the service to a category one at a time. For each service, obtain consensus on how the users would view the service and which category would be the most logical choice. In some cases, discuss whether a service should be included in two categories to create better searchability for the users.
    3. If a consensus could not be reached on how to categorize a service, review the service features and category name. In some cases, you may go back and change the features or modify or create new categories if needed.

    INPUT

    • Collaborate and discuss to expand on Info-Tech’s example

    OUTPUT

    • A complete list of your business’ enterprise services

    Materials

    • Whiteboard/marker
    • Info-Tech sample enterprise services

    Participants

    • Key members of the project team
    • Service desk rep
    • Business rep

    Accounts & Access Services

    • User ID & Access
    • Remote Access
    • Business Applications Access

    Communication Services

    • Telephone
    • Email
    • Mobile devices

    Files & Documents

    • Shared Folders
    • File Storage
    • File Restoration
    • File Archiving

    Collaboration

    • Web Conferencing
    • Audio Conferencing
    • Video Conferencing
    • Chat
    • Document Sharing

    Employee Services

    • Onboarding & Off Boarding
    • Benefits Self Service
    • Time and Attendance
    • Employee Records Management

    Help & Support

    • Service Desk
    • Desk Side Support
    • After Hours Support

    Desktop, Equipment, & Software

    • Printing
    • Hardware Provisioning
    • Software Provisioning
    • Software Support
    • Device Move
    • Equipment Loaner

    Education & Training Services

    • Desktop Application Training
    • Corporate Application Training
    • Clinical Application Training
    • IT Training Consultation

    Connectivity

    • BYOD (wireless access)
    • Internet
    • Guest Wi-Fi

    IT Consulting Services

    • Project Management
    • Analysis
    • RFP Reviews
    • Solution Development
    • Business Analysis/Requirements Gathering
    • RFI/RFP Evaluation
    • Security Consulting & Assessment
    • Contract Management
    • Contract Negotiation

    IT department identifies a comprehensive list of enterprise services

    CASE STUDY A
    Industry Government
    Source Onsite engagement

    Challenge

    Because of the breadth of services IT provides across several agencies, it was challenging to identify what was considered enterprise beyond just the basic ones (email, internet, etc.)

    IT recognized that although the specific tasks of service could be different, there are many services that are offered universally across the organization and streamlining the service request and delivery process would reduce the burden on IT.

    Solution

    The client began with services that users interact with on a daily basis; this includes email, wireless, telephone, internet, printing, etc.

    Then, they focused on common service requests from the users, such as software and hardware provisioning, as well as remote access.

    Lastly, they began to think of other IT services that are provided across the organization, such as RFP/RFI support, project management analysis, employee onboarding/off-boarding, etc.

    Results

    By going through the lists and enterprise categories, the government was able to come up with a comprehensive list of all services IT provides to the business.

    Classifying services such as onboarding meant that IT could now standardize IT services for new recruits and employee termination.

    By capturing all enterprise services offered to the organization, IT centralized its management of services instead of having scattered request processes.

    Organization distinguishes features from services using Info-Tech’s tips and techniques

    CASE STUDY B
    Industry Government
    Source Onsite engagement

    Challenge

    For some services, the project team had difficulty deciding on what was a service and what was a feature. They found it hard to distinguish between a service with features or multiple services.

    For example, the client struggled to define the Wi-Fi services because they had many different user groups and different processes to obtain the service. Patients, visitors, doctors, researchers, and corporate employees all use Wi-Fi, but the service features for each user group were different.

    Solution

    The Info-Tech analyst came on-site and engaged the project team in a discussion around how the users would view the services.

    The analyst also provided tips and techniques on identifying services and their features.

    Because patients and visitors do not access Wi-Fi or receive support for the service in the same way as clinical or corporate employees, Wi-Fi was separated into two services (one for each user group).

    Results

    Using the tips and techniques that were provided during the onsite engagement, the project team was able to have a high degree of clarity on how to define the services by articulating who the authorized users are, and how to access the process.

    This allowed the group to focus on the users’ perspective and create clear, unambiguous service features so that users could clearly understand eligibility requirements for the service and how to request them.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    this is a picture of an Info-Tech Analyst

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.
    The following are sample activities that will be conducted by Info-Tech analysts with your team:
    2.1 This image contains a screenshot from section 2.1 of this blueprint.

    Understand what enterprise services are

    The project team must have a clear understanding of what qualifies as an enterprise service. The onsite analysts will also promote a user-oriented mindset so the catalog focuses on business needs.

    2.2 this image contains a screenshot from section 2.2 of this blueprint.

    Identify enterprise services

    The Info-Tech analysts will provide a list of ready-to-use services and will work with the project team to change, add, and delete service definitions and to customize the service features.

    2.3 this image contains a screenshot from section 2.3 of this blueprint.

    Identify categories for enterprise services

    The Info-Tech analyst will again emphasize the importance of being service-oriented rather than IT-oriented. This will allow the group to come up with categories that are intuitive to the users.

    PHASE 3

    Identify and Define Line of Business Services

    Design & Build a User-Facing Service Catalog

    Step 3 – Create Line of Business Services Definitions

    1. Complete the Project Charter
    2. Create Enterprise Services Definitions
    3. Create Line of Business Services Definitions
    4. Complete Service Definitions

    This step will walk you through the following activities:

    • Identify lines of business (LOB) within the organization as well as the user groups within the different LOBs.
    • Determine which one of Info-Tech’s two approaches is more suitable for your IT organization.
    • Define and document LOB services using the appropriate approach.
    • Categorize the LOB services based on the organization’s functional structure.

    Step Insights

    • Collaboration with the business significantly strengthens the quality of line of business service definitions. A significant amount of user input is crucial to create impactful and effective service definitions.
    • If a strong relationship with the business is not in place, IT can look at business applications and the business activities they support in order to understand how to define line of business services.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Define LOB Services

    Proposed Time to Completion: 4 weeks

    Step 3.1: Identify LOB services

    Step 3.2: Define LOB services

    Start with an analyst kick off call:

    • Identify enterprise services that are commonly used.
    • Ensure the list is comprehensive and capture common IT needs.
    • Create service descriptions and features.

    Review findings with analyst:

    • Use either the business view or the IT view methodology to identify and define LOB services.

    Then complete these activities…

    • Select one of the methodologies and either compile a list of business applications or a list of user groups/functional departments.

    Then complete these activities…

    • Validate the service definitions and features with business users.

    With these tools & templates: Service

    LOB Services – Functional Group
    LOB Services – Industry Specific

    With these tools & templates:

    LOB Services – Functional Group
    LOB Services – Industry Specific

    Communicate with your business users to get a clear picture of each line of business

    Within a business unit, there are user groups that use unique applications and IT services to perform business activities. IT must understand which group is consuming each service to document to their needs and requirements. Only then is it logical to group services into lines of business.

    Covering every LOB service is a difficult task. Info-Tech offers two approaches to identifying LOB services, though we recommend working alongside business user groups to have input on how each service is used directly from the users. Doing so makes the job of completing the service catalog easier, and the product more detailed and user friendly.

    Some helpful questions to keep in mind when characterizing user groups:

    • Where do they fall on the organizational chart?
    • What kind of work do they do?
    • What is included in their job description?
    • What are tasks that they do in addition to their formal responsibilities?
    • What do they need from IT to do their day-to-day tasks?
    • What does their work day look like?
    • When, why, and how do they use IT services?

    Info-Tech Insight

    With business user input, you can answer questions as specific as “What requirements are necessary for IT to deliver value to each line of business?” and “What does each LOB need in order to run their operation?”

    Understand when it is best to use one of Info-Tech’s two approaches to defining LOB services

    1. Business View

    Business View is the preferred method for IT departments with a better understanding of business operations. This is because they can begin with input from the user, enabling them to more successfully define every service for each user group and LOB.

    In addition, IT will also have a chance to work together with the business and this will improve the level of collaboration and communication. However, in order to follow this methodology, IT needs to have a pre-established relationship with the business and can demonstrate their knowledge of business applications.

    2. IT View

    The IT view begins with considering each business application used within the organization’s lines of business. Start with a broad view, following with a process of narrowing down, and then iterate for each business application.

    This process leads to each unique service performed by every application within the business’ LOBs.

    The IT view does not necessarily require a substantial amount of information about the business procedures. IT staff are capable of deducing what business users often require to maintain their applications’ functionality.

    Use one of Info-Tech’s two methodologies to help you identify each LOB service

    Choose the methodology that fits your IT organization’s knowledge of the business.

    This image demonstrates a comparison between the business view of service and the IT View of Service. Under the Business View, the inputs are LOB; User Groups; and Business Activity. Under the IT View, the inputs are Business Application and Functionality, and the outputs are Business Activity; User Groups; and LOB.

    1. Business View

    If you do have knowledge of business operations, using the business view is the better option and the service definition will be more relatable to the users.

    2. IT View

    For organizations that don’t have established relationships with the business or detailed knowledge of business activities, IT can decompose the application into services. They have more familiarity and comfort with the business applications than with business activities.

    It is important to continue after the service is identified because it helps confirm and solidify the names and features. Determining the business activity and the user groups can help you become more user-oriented.

    Identifying LOB services using Info-Tech’s Business View method

    We will illustrate the two methodologies with the same example.

    If you have established an ongoing relationship with the business and you are familiar with their business operations, starting with the LOB and user groups will ensure you cover all the services IT provides to the business and create more relatable service names.

    This is a screenshot of an example of the business view of Service.

    Identifying LOB services using Info-Tech’s IT View method

    If you want to understand what services IT provides to the Sales functional group, and you don’t have comprehensive knowledge of the department, you need to start with the IT perspective.

    This is a screenshot of an example of the business view of Service.

    Info-Tech Insight

    If you are concerned about the fact that people always associate a service with an application, you can include the application in the service name or description so users can find the service through a search function.

    Group LOB services into functional groups as you did enterprise services into categories

    3.1 Sample Line of Business Services Definitions – Functional Groups & Industry Examples

    Like categories for enterprise services in Phase Two, LOB services are grouped into functional groups. Functional groups are the components of an organizational chart (HR, Finance, etc.) that are found in a company’s structure.

    Functional Groups

    Functional groups enable a clear view for business users of what services they need, while omitting services that do not apply to them. This does not overwhelm them, and provides them with only relevant information.

    Industry Services

    To be clear, industry services can be put into functional groups.

    Info-Tech provides a few sample industry services (without their functional group) to give an idea of what LOB service is specific to these industries. Try to extrapolate from these examples to create LOB services for your business.

    Use Info-Tech’s Sample LOB Services – Functional Group and Sample LOB Services – Industry Specific documents.

    This is a screenshot of Info-Tech's Functional Group Services

    Info-Tech Insight

    Keep track of which services you either modify or delete. You will have to change the same services in the final Info-Tech deliverable.

    Identify the user group and business activity within each line of business – Business view

    3.1 30-45 minutes per line of business

    Only perform this activity if you have a relationship with the business that can enable you to generate business input on service identifications and definitions.

    In a group of your project participants, repeat the sequence for each LOB.

    1. Brainstorm each user group within the LOB that is creating value for the business by performing functional activities.
    2. Think of what each individual end user must do to create their value. Think of the bigger picture rather than specifics at this point. For example, sales representatives must communicate with clients to create value.
    3. Now that you have each user group and the activities they perform, consider the specifics of how they go about doing that activity. Consider each application they use and how much they use that application. Think of any and all IT services that could occur as a result of that application usage.

    INPUT

    • A collaborative discussion (with a business relationship)

    OUTPUT

    • LOB services defined from the business perspective

    Materials

    • Sticky notes
    • Whiteboard/marker

    Participants

    • Members of the project team
    • Representatives from the LOBs

    Identify the user group and business activity within each line of business – IT view

    3.1 30-45 minutes per application

    Only perform this activity if you cannot generate business input through your relationships, and must begin service definitions with business applications.

    In a group of your project participants, repeat the sequence for each application.

    1. Brainstorm all applications that the business provides through IT. Cross out the ones that provide enterprise services.
    2. In broad terms, think about what the application is accomplishing to create value for the business from IT’s perspective. What are the modules? Is it recording interactions with the clients? Each software can have multiple functionalities.
    3. Narrow down each functionality performed by the application and think about how IT helps deliver that value. Create a name for the service that the users can relate to and understand.
    4. → Optional

    5. Now go beyond the service and think about the business activities. They are always similar to IT’s application functionality, but from the user perspective. How would the user think about what the application’s functionality to accomplish that particular service is? At this point, focus on the service, not the application.
    6. Determine the user groups for each service. This step will help you complete the service record design in phase 4. Keep in mind that multiple user groups may access one service.

    INPUT

    • A collaborative discussion (without a business relationship)

    OUTPUT

    • LOB services defined from the IT perspective

    Materials

    • Sticky notes
    • Whiteboard/marker

    Participants

    • Members of the project team

    You must review your LOB service definitions with the business before deployment

    Coming up with LOB service definitions is challenging for IT because it requires comprehension of all lines of business within the organization as well as direct interaction with the business users.

    After completing the LOB service definitions, IT must talk to the business to ensure all the user groups and business activities are covered and all the features are accurate.

    Here are some tips to reviewing your LOB Service Catalog generated content:

    • If you plan to talk to a business SME, plan ahead to help complete the project in time for rollout.
    • Include a business relationship manager on the project team to facilitate discussion if you do not have an established relationship with the business.

    Sample Meeting Agenda

    Go through the service in batches. Present 5-10 related services to the business first. Start with the service name and then focus on the features.

    In the meeting, discuss whether the service features accurately sum up the business activities, or if there are missing key activities. Also discuss whether certain services should be split up into multiple services or combined into one.

    Organization identifies LOB services using Info-Tech’s methodologies

    CASE STUDY A
    Industry Government
    Source Onsite engagement

    Challenge

    There were many users from different LOBs, and IT provided multiple services to all of them. Tracking them and who had access to what was difficult.

    IT didn’t understand who provided the services (service owner) and who the customers were (business owner) for some of the services.

    Solution

    After identifying the different Lines of Business, they followed the first approach (Business View) for those that IT had sufficient knowledge of in terms of business operations:

    1. Identified lines of business
    2. Identified user groups
    3. Identified business activities

    For the LOBs they weren’t familiar with, they used the IT view method, beginning with the application:

    1. Identified business apps
    2. Deduced the functionalities of each application
    3. Traced the application back to the service and identified the service owner and business owner

    Results

    Through these two methodologies, IT was able to define services according to how the users both perceive and utilize them.

    IT was able to capture all the services it provides to each line of business effectively without too much help from the business representatives.

    By capturing all enterprise services offered to the organization, IT centralized its management of services instead of having scattered request processes.

    Info-Tech helps organization to identify LOB services using the IT View

    CASE STUDY B
    Industry Healthcare
    Source Onsite engagement

    Challenge
    The organization uses a major application containing several modules used by different users for various business activities.

    The challenge was to break down the application into multiple services in a way that makes sense to the business users. Users should be able to find services specific to them easily.

    Therefore, the project team must understand how to map the modules to different services and user groups.


    Solution
    The project team identified the major lines of business and took various user groups such as nurses and doctors, figured out their daily tasks that require IT services, and mapped each user-facing service to the functionality of the application.

    The project team then went back to the application to ensure all the modules and functionalities within the application were accounted for. This helped to ensure that services for all user groups were covered and prepared to be released in the catalog.


    Results
    Once the project team had come up with a comprehensive list of services for each line of business, they were able to sit with the business and review the services.

    IT was also able to use this opportunity to demonstrate all the services it provides. Having all the LOB services demonstrates IT has done its preparation and can show the value they help create for the business in a language the users can understand. The end result was a strengthened relationship between the business and the IT department.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    This is a picture of an Info-Tech Analyst

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.
    The following are sample activities that will be conducted by Info-Tech analysts with your team:
    3.1 this image contains a screenshot from section 3.1 of this blueprint.

    Understand what Line of Business services are

    The onsite analysts will provide a clear distinction between enterprise services and LOB services. The analysts will also articulate the importance of validating LOB services with the business.

    3.2 this image contains a screenshot from section 3.2 of this blueprint.

    Identify LOB services using the business’ view

    There are two methods for coming up with LOB services. If IT has comprehensive knowledge of the business, they can identify the services by outlining the user groups and their business activities.

    3.3 This image contains a screenshot from section 3.3 of this blueprint.

    Identify LOB services using IT’s view

    If IT does not understand the business and cannot obtain business input, Info-Tech’s analysts will present the second method, which allows IT to identify services with more comfortability through business applications/systems.

    3.4 This image contains a screenshot from section 3.4 of this blueprint.

    Categorize the LOB services into functional groups

    The analysts will help the project team categorize the LOB services based on user groups or functional departments.

    PHASE 4

    Complete Service Definitions

    Design & Build a User-Facing Service Catalog

    Step 4: Complete service definitions and service record design

    1. Complete the Project Charter
    2. Create Enterprise Services Definitions
    3. Create Line of Business Services Definitions
    4. Complete Service Definitions

    This step will walk you through the following activities:

    • Select which fields of information you would like to include in your service catalog design.
    • Determine which fields should be kept internal for IT use only.
    • Complete the service record design with business input if possible.

    Step Insights

    • Don’t overcomplicate the service record design. Only include the pieces of information the users really need to see.
    • Don’t publish anything that you don’t want to be held accountable for. If you are not ready, keep the metrics and costs internal.
    • It is crucial to designate a facilitator and a decision maker so confusions and disagreements regarding service definitions can be resolved efficiently.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Complete service definitions
    Proposed Time to Completion (in weeks): 4 weeks

    Step 4.1: Design service record

    Step 4.2: Complete service definitions

    Start with an analyst kick off call:

    • Review Info-Tech’s sample service record and determine which fields to add/change/delete.
    • Determine which fields should be kept internal.

    Review findings with analyst:

    • Complete all fields in the service record for each identified service.

    Then complete these activities…

    • Finalize the design of the service record and bring over enterprise services and LOB services.

    Then complete these activities…

    • Test the service definitions with business users prior to catalog implementation.

    With these tools & templates: Service

    Services Definition Chart

    With these tools & templates:

    Services Definition Chart

    Utilize Info-Tech’s Services Definition Chart to map out your final service catalog design

    Info-Tech’s Sample Services Definition Chart

    Info-Tech has provided a sample Services Definition Chart with standard service definitions and pre-populated fields. It is up to you throughout this step to decide which fields are necessary to your business users, as well as how much detail you wish to include in each of them.

    This image contains a screenshot from Info-Tech's Services Definition Chart.

    Info-Tech Insight

    Keep track of which services you either modify or delete. You will have to change the same services in the final Info-Tech deliverable.

    Tips and techniques for service record design

    The majority of the fields in the service catalog are user facing, which means they must be written in business language that the users can understand.

    If there is any confusion or disagreement in filling out the fields, a facilitator is required to lead the working groups in coming up with a definitive answer. If a decision is still not reached, it should be escalated to the decision maker (usually the service owner).

    IT-Facing Fields

    There are IT facing fields that should not be published to the business users – they are for the benefit of IT. For example, you may want to keep Performance Metrics internal to IT until you are ready to discuss it with the business.

    If the organization is interested in creating a Technical Service Catalog following this initiative, these fields will provide a helpful starting place for IT to identify the people, process, and technology required to support user-facing services.

    Info-Tech Insight

    It is important for IT-facing fields to be kept internal. If business users are having trouble with a service and the service owner’s name is available to them, they will phone them for support even if they are not the support owner.

    Design your service catalog with business input: have the user in mind

    When completing the service record, adopt the principle that “Less is More.” Keep it simple and write the service description from the user’s perspective, without IT language. From the list below, pick which fields of information are important to your business users.

    What do the users need to access the service quickly and with minimal assistance?

    The depicted image contains an example of an analysis of what users need to access the service quickly and with minimal assistance. The contents are as follows. Under Service Overview, Name; Description; Features; Category; and Supporting Services. Under Owners, are Service Owner; Business Owner. Under Access Policies and Procedures, are Authorized Users; Request Process; Approval Requirements/Process; Turnaround Time; User Responsibility. Under Availability and Service Levels are Support Hours; Hours of Availability; Planned Downtime; and Metrics. Under Support Policies & Procedures are Support Process; Support Owner; Support Documentation. Under Costs are Internal Cost; Customer Cost. The items which are IT Facing are coloured Red. These include Supporting Services; Service Owner; Business Owner; Metrics; Support Owner; and Internal Cost.

    Identify service overview

    “What information must I have in each service record? What are the fundamentals required to define a service?”

    Necessary Fields – Service Description:

    • Service name → a title for the service that gives a hint of its purpose.
    • Service description → what the service does and expected outcomes.
    • Service features → describe functionality of the service.
    • Service category → an intuitive way to group the service.
    • Support services → applications/systems required to support the service.

    Description: Delivers electronic messages to and from employees.

    Features:

    • Desk phone
    • Teleconference phones (meeting rooms)
    • Voicemail
    • Recover deleted voicemails
    • Team line: call rings multiple phones/according to call tree
    • Employee directory
    • Caller ID, Conference calling

    Category: Communications

    This image contains an example of a Service overview table. The headings are: Description; Features; Category; Supporting Services (Systems, Applications).

    Identify owners

    Who is responsible for the delivery of the service and what are their roles?

    Service Owner and Business Owner

    Service owner → the IT member who is responsible and accountable for the delivery of the service.

    Business owner → the business partner of the service owner who ensures the provided service meets business needs.

    Example: Time Entry

    Service Owner: Manager of Business Solutions

    Business Owner: VP of Human Resources

    This image depicts a blank table with the headings Service Owner, and Business Owner

    Info-Tech Insight

    For enterprise services that are used by almost everyone in the organization, the business owner is the CIO.

    Identify access policies and procedures

    “Who is authorized to access this service? How do they access it?”

    Access Policies & Procedures

    Authorized users → who can access the service.

    Request process → how to request access to the service.

    Approval requirement/process → what the user needs to have in place before accessing the service.

    Example: Guest Wi-Fi

    Authorized Users: All people on site not working for the company

    Request Process: Self-Service through website for external visitors

    Approval Requirement/Process: N/A

    This image depicts a blank table with the headings: Authorized Users; Request Process; Approval Requirement/Process

    Info-Tech Insight

    Clearly defining how to access a service saves time and money by decreasing calls to the service desk and getting users up and running faster. The result is higher user productivity.

    Identify access policies and procedures

    “Who is authorized to access this service? How do they access it?”

    Access Policies & Procedures

    Requirements & pre-requisites → details of what must happen before a service can be provided.

    Turnaround time → how much time it will take to grant access to the service.

    User responsibility → What the user is expected to do to acquire the service.

    Example: Guest Wi-Fi

    Requirements & Pre-requisites: Disclaimer of non-liability and acceptance

    Turnaround time: Immediate

    User Responsibility: Adhering to policies outlined in the disclaimer

    This image depicts a blank table with the headings: Authorized Users; Request Process; Approval Requirement/Process

    Info-Tech Insight

    Clearly defining how to access a service saves time and money by decreasing calls to the service desk and getting users up and running faster. The result is higher user productivity.

    Identify availability and service levels

    “When is this service available to users? What service levels can the user expect?”

    Availability & Service Levels

    Support hours → what days/times is this service available to users?

    Hours of availability/planned downtime → is there scheduled downtime for maintenance?

    Performance metrics → what level of performance can the user expect for this service?

    Example: Software Provisioning

    Support Hours: Standard business hours

    Hours of Availability/Planned Downtime: Standard business hours; can be agreed to work beyond operating hours either earlier or later

    Performance Metrics: N/A

    This image depicts a blank table with the headings: Support hours; Hours of availability/planned downtime; Performance Metrics.

    Info-Tech Insight

    Manage user expectations by clearly documenting and communicating service levels.

    Identify support policies and procedures

    “How do I obtain support for this service?”

    Support Policies & Procedures

    Support process → what is the process for obtaining support for this service?

    Support owner → who can users contact for escalations regarding this service?

    Support documentation → where can users find support documentation for this service?

    Example: Shared Folders

    Support Process: Contact help desk or submit a ticket via portal

    Support Owner: Manager, client support

    Support Documentation: .pdf of how-to guide

    This image depicts a blank table with the headings: Support Process; Support Owner; Support Documentation

    Info-Tech Insight

    Clearly documenting support procedures enables users to get the help they need faster and more efficiently.

    Identify service costs and approvals

    “Is there a cost for this service? If so, how much and who is expensing it?”

    Costs

    Internal Cost → do we know the total cost of the service?

    Customer Cost → a lot of services are provided without charge to the business; however, certain service requests will be charged to a department’s budget.

    Example: Hardware Provisioning

    Internal Cost: For purposes of audit, new laptops will be expensed to IT.

    Customer Cost: Cost to rush order 10 new laptops with retina displays for the graphics team. Charged for extra shipment cost, not for cost of laptop.

    This image depicts a blank table with the headings: Internal Costs; Customer costs

    Info-Tech Insight

    Set user expectations by clearly documenting costs associated with a service and how to obtain approval for these costs if required.

    Complete the service record design fields for every service

    4.1 3 Hours

    This is the final activity to completing the service record design. It has been a long journey to make it here; now, all that is left is completing the fields and transferring information from previous activities.

    1. Organize the services however you think is most appropriate. A common method of organization is alphabetically by enterprise category, and then each LOB functional group.
    2. Determine which fields you would like to keep or edit to be part of your design. Also add any other fields you can think of which will add value to the user or IT. Remember to keep them IT facing if necessary.
    3. Complete the fields for each service one by one. Keep in mind that for some services, a field or two may not apply to the nature of that service and may be left blank or filled with a null value (e.g. N/A).

    INPUT

    • A collaborative discussion

    OUTPUT

    • Completed service record design ready for a catalog

    Materials

    • Info-Tech sample service record design.

    Participants

    • Project stakeholders, business representatives

    Info-Tech Insight

    Don’t forget to delete or bring over the edited LOB and Enterprise services from the phase 2 and 3 deliverables.

    Complete the service definitions and get them ready for publication

    Now that you have completed the first run of service definitions, you can go back and complete the rest of the identified services in batches. You should observe increased efficiency and effectiveness in filling out the service definitions.

    This image depicts how you can use bundles to simplify the process of catalog design using bundles. The cycle includes the steps: Identify Services; Select a Service Bundle; Review Record Design; followed by a cycle of: Pick a service; Service X; Service Data Collection; Create Service Record, followed by Publish the bundle; Communicate the bundle; Rinse and Repeat.

    This blueprint’s purpose is to help you design a service catalog. There are a number of different platforms to build the catalog offered by application vendors. The sophistication of the catalog depends on the size of your business. It may be as simple as an Excel book, or something as complex as a website integrated with your service desk.

    Determine how you want to publish the service catalog

    There are various levels of maturity to consider when you are thinking about how to deploy your service catalog.

    1. Website/User Portal 2. Catalog Module Within ITSM Tool

    3. Homegrown Solution

    Prerequisite

    An internet website, or a user portal

    An existing ITSM tool with a built-in service catalog module

    Database development capabilities

    Website development capabilities

    Pros

    Low cost

    Low effort

    Easy to deploy

    Customized solution tailored for the organization

    High flexibility regarding how the service catalog is published

    Cons

    Not aesthetically appealing

    Lacking sophistication

    Difficult to customize to organization’s needs

    Limitation on how the service catalog info is published

    High effort

    High cost

    → Maturity Level →

    Organization uses the service catalog to outline IT’s and users’ responsibilities

    CASE STUDY A
    Industry Government
    Source Onsite engagement

    Challenge

    The client had collected a lot of good information, but they were not sure about what to include to ensure the users could understand the service clearly.

    They were also not sure what to keep internal so the service catalog did not increase IT’s workload. They want to help the business, but not appear as if they are capable of solving everything for everyone immediately. There was a fear of over-commitment.

    Solution

    The government created a Customer Responsibility field for each service, so it was not just IT who was providing solutions. Business users needed to understand what they had to do to receive some services.

    The Service Owner and Business Owner fields were also kept internal so users would go through the proper request channel instead of calling Service Owners directly.

    Lastly, the Performance Metrics field was kept internal until IT was ready to present service metrics to the business.

    Results

    The business was provided clarity on their responsibility and what was duly owed to them by IT staff. This established clear boundaries on what was to be expected of IT services projected into the future.

    The business users knew what to do and how to obtain the services provided to them. In the meantime, they didn’t feel overwhelmed by the amount of information provided by the service catalog.

    Organization leverages the service catalog as a tool to define IT workflows and business processes

    CASE STUDY B
    Industry Healthcare
    Source Onsite engagement

    Challenge

    There is a lack of clarity and a lack of agreement between the client’s team members regarding the request/approval processes for certain services. This was an indication that there is a level of ambiguity around process. Members were not sure what was the proper way to access a service and could not come up with what to include in the catalog.

    Different people from different teams had different ways of accessing services. This could be true for both enterprise and LOB services.

    Solution

    The Info-Tech analyst facilitated a discussion about workflows and business processes.

    In particular, the discussion focused around the approval/authorization process, and IT’s workflows required to deliver the service. The Info-Tech analyst on site walked the client through their different processes to determine which one should be included in the catalog.

    Results

    The discussion brought clarity to the project team around both IT and business process. Using this new information, IT was able to communicate to the business better, and create consistency for IT and the users of the catalog.

    The catalog design was a shared space where IT and business users could confer what the due process and responsibilities were from both sides. This increased accountability for both parties.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts

    this is a picture of an Info-Tech Analyst

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.
    The following are sample activities that will be conducted by Info-Tech analysts with your team:
    4.1 this image contains a screenshot from section 4.1 of this blueprint.

    Determine which fields should be included in the record design

    The analysts will present the sample service definitions record and facilitate a discussion to customize the service record so unique business needs are captured.

    4.2 this image contains a screenshot from section 4.2.1 of this blueprint.

    Determine which fields should be kept internal

    The onsite analysts will explain why certain fields are used but not published. The analysts will help the team determine which fields should be kept internal.

    4.3 this image contains a screenshot from section 4.3 of this blueprint.

    Complete the service definitions

    The Info-Tech analysts will help the group complete the full service definitions. This exercise will also provide the organization with a clear understanding of IT workflows and business processes.

    Summary of accomplishment

    Knowledge Gained

    • Understanding why it is important to identify and define services from the user’s perspective.
    • Understand the differences between enterprise services and line of business services.
    • Distinguish service features from services.
    • Involve the business users to define LOB services using either IT’s view or LOB’s view.

    Processes Optimized

    • Enterprise services identification and documentation.
    • Line of business services identification and documentation.

    Deliverables Completed

    • Service catalog project charter
    • Enterprise services definitions
    • Line of business service definitions – functional groups
    • Line of business service definitions – industry specific
    • Service definition chart

    Project step summary

    Client Project: Design and Build a User-Facing Service Catalog

    1. Launch the Project – Maximize project success by assembling a well-rounded team and managing all important stakeholders.
    2. Identify Enterprise Services – Identify services that are used commonly across the organization and categorize them in a user-friendly way.
    3. Identify Line of Business Services – Identify services that are specific to each line of business using one of two Info-Tech methodologies.
    4. Complete the Service Definitions – Determine what should be presented to the users and complete the service definitions for all identified services.

    Info-Tech Insight

    This project has the ability to fit the following formats:

    • Onsite workshop by Info-Tech Research Group consulting analysts.
    • Do-it-yourself with your team.
    • Remote delivery (Info-Tech Guided Implementation).

    Related Info-Tech research

    Establish a Service-Based Costing Model

    Develop the right level of service-based costing capability by applying our methodology.

    Next-Generation InfraOps

    • Buy Link or Shortcode: {j2store}457|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Traditional IT capabilities, activities, organizational structures, and culture need to adjust to leverage the value of cloud, optimize spend, and manage risk.
    • Different stakeholders across previously separate teams rely on one another more than ever, but rules of engagement do not yet exist.

    Our Advice

    Critical Insight

    • By defining your end goals and framing solutions based on the type of visibility and features you need, you can enable speed and reliability without losing control of the work.

    Impact and Result

    • Understand the xOps spectrum and what approaches benefit your organization.
    • Make sense of the architectural approaches and enablement tools available to you.
    • Evolve from just improving your current operations to a continuous virtuous cycle of development and deployment.

    Next-Generation InfraOps Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Next-Generation InfraOps Storyboard – A deck that will help you use Ops methodologies to build a virtuous cycle.

    This storyboard will help you understand the spectrum of different Agile xOps working modes and how best to leverage them and build an architecture and toolset that support rapid continuous IT operations

    • Next-Generation InfraOps Storyboard
    [infographic]

    Further reading

    Next-Generation InfraOps

    Embrace the spectrum of Ops methodologies to build a virtuous cycle.

    Executive summary

    Your Challenge

    IT Operations continue to be challenged by increasing needs for scale and speed, often in the face of constrained resources and time. For most, Agile methodologies have become a foundational part of tackling this problem. Since then, we've seen Agile evolve into DevOps, which started a trend into different categories of "xOps" that are too many to count. How does one make sense of the xOps spectrum? What is InfraOps and where does it fit in?

    Common Obstacles

    Ultimately, all these methodologies and approaches are there to serve the same purpose: increase effectiveness through automation and improve governance through visibility. The key is to understand what tools and methodologies will deliver actual benefits to your IT operation and to the organization as a whole.

    Info-Tech's Approach

    By defining your end goals and framing solutions based on the type of visibility and features you need, you can enable speed and reliability without losing control of the work.

    1. Understand the xOps spectrum and what approaches will benefit your organization.
    2. Make sense of the architectural approaches and enablement tools available to you.
    3. Evolve from just improving your current operations to a continuous virtuous cycle of development and deployment.

    Info-Tech Insight

    InfraOps, when applied well, should be the embodiment of the governance policies as expressed by standards in architecture and automation.

    Project overview

    Understand the xOps spectrum

    There are as many different types of "xOps" as there are business models and IT teams. To pick the approaches that deliver the best value to your organization and that align to your way of operating, it's important to understand the different major categories in the spectrum and how they do or don't apply to your IT approach.

    How to optimize the Ops in DevOps

    InfraOps is one of the major methodologies to address a key problem in IT at cloud scale: eliminating friction and error from your deliveries and outputs. The good news is there are architectures, tools, and frameworks you can easily leverage to make adopting this approach easier.

    Evolve to integration and build a virtuous cycle

    Ultimately your DevOps and InfraOps approaches should embody your governance needs via architecture and process. As time goes on, however, both your IT footprint and your business environment will shift. Build your tools, telemetry, and governance to anticipate and adapt to change and build a virtuous cycle between development needs and IT Operations tools and governance.

    The xOps spectrum

    This is an image of the xOps spectrum. The three main parts are: Code Acceleration (left), Governance(middle), and Infrastructure Acceleration (right)

    xOps categories

    There is no definitive list of x's in the xOps spectrum. Different organizations and teams will divide and define these in different ways. In many cases, the definitions and domains of various xOps will overlap.

    Some of the commonly adopted and defined xOps models are listed here.

    Shift left? Shift right?

    Cutting through the jargon

    • Shifting left is about focusing on the code and development aspects of a delivery cycle.
    • Shifting right is about remembering that infrastructure and tools still do matter.

    Info-Tech Insight

    Shifting left or right isn't an either/or choice. They're more like opposite sides of the same coin. Like the different xOps approaches, usually more than one shift approach will apply to your IT Operations.

    IT Operations in the left-right spectrum

    Shifting from executing and deploying to defining the guardrails and standards

    This is an image of the left-right spectrum for your XOps position

    Take a middle-out approach

    InfraOps and DevOps aren't enemies; they're opposite sides of the same coin.

    • InfraOps is about the automation and standardization of execution. It's an essential element in any fully automated CI/CD pipeline.
    • Like DevOps, InfraOps is built on similar values (the pillars of DevOps).
    • It builds on the principle of Lean to focus on removing friction, or turn-and-type activities, from the pipeline/process.
    • In InfraOps, one of the key methods for removing friction is through automation of the interstitia between different phases of a DevOps or CI/CD cycle.

    Optimize the Ops in DevOps

    Focus on eliminating friction

    This is an image of an approach to optimizing the ops in DevOps.

    With the shift from execution to governing and validating, the role of deployment falls downstream of IT Operations.

    IT Operations needs to move to a mindset that focuses on creating the guardrails, enforced standards, and compliance rules that need to be used downstream, then apply those standards using automation and tooling to remove friction and error from the interstitia (the white spaces between chevrons) of the various phases.

    InfraOps tools

    Four quadrants in the shape of a human head, in the boxes are the following: Hyperconverged Infrastructure; Composable Infrastructure; Infrastructure as code and; Automation and Orchestration

    Info-Tech Insight

    Your tools can be broken into two categories:

    • Infrastructure Architecture
      • HCI vs. CI
    • Automation Tooling
      • IaC and A&O

    Keep in mind that while your infrastructure architecture is usually an either/or choice, your automation approach should use any and all tooling that helps.

    Infrastructure approach

    • Hyperconverged

    • Composable

    Hyperconverged Infrastructure (HCI)

    Hyperconvergence is the next phase of convergence, virtualizing servers, networks, and storage on a single server/storage appliance. Capacity scales as more appliances are added to a cluster or stack.
    The disruptive departure:

    • Even though servers, networks, and storage were each on their own convergence paths, the three remained separate management domains (or silos). Even single-SKU converged infrastructures like VCE Vblocks are still composed of distinct server, network, and storage devices.
    • In hyperconvergence, the silos collapse into single-software managed devices. This has been disruptive for both the vendors of technology solutions (especially storage) and for infrastructure management.
    • Large storage array vendors are challenged by hyperconvergence alternatives. IT departments need to adapt IT skills and roles away from individual management silos and to more holistic service management.

    A comparison between converged and hyperconverged systems.

    Info-Tech Insight

    HCI follows convergence trends of the past ten years but is also a departure from how IT infrastructure has traditionally been provisioned and managed.

    HCI is at the same time a logical progression of infrastructure convergence and a disruptive departure.

    Hyperconverged (HCI) – SWOT

    HCI can be the foundation block for a fully software defined data center, a prerequisite for private cloud.

    Strengths

    • Potentially lower TCO through further infrastructure consolidation, reducing CapEx and OpEx expenditures through facilities optimization and cost consolidation.
    • Operations in particular can be streamlined, since storage, network connections, and processors/memory are all managed as abstractions via a single control pane.
    • HCI comes with built-in automation and analytics that lead to quicker issue resolution.

    Opportunities

    • Increased business agility by paving the way for a fully software defined infrastructure stack and cloud automation.
    • Shift IT human assets from hardware asset maintainers and controllers to service delivery managers.
    • Better able to compete with external IT service alternatives.
    • Move toward a hybrid cloud service offering where the service catalog contains both internal and external offerings.

    Key attributes of a cloud are automation, resource elasticity, and self-service. This kind of agility is impossible if physical infrastructure needs intervention.

    Info-Tech Insight

    Virtualization alone does not a private cloud make, but complete stack virtualization (software defined) running on a hands-off preconfigured HCI appliance (or group of appliances) provides a solid foundation for building cloud services.

    Hyperconverged (HCI) – SWOT

    Silo-busting and private cloud sound great, but are your people and processes able to manage the change?

    Weaknesses

    • HCI typically scales out linearly (CPU & storage). This does not suit traditional scale-up applications such as high-performance databases and large-capacity data warehouses.
    • Infrastructure stacks are perceived as more flexible for variable growth across segments. For example, if storage is growing but processing is not, storage can scale separately from processing.

    Threats

    • HCI will be disruptive to roles within IT. Internal pushback is a real threat if necessary changes in skills and roles are not addressed.
    • HCI is not a simple component replacement but an adoption of a different kind of infrastructure. Different places in the lifecycles for each of storage, network, and processing devices could make HCI a solution where there is no immediate problem.

    In traditional infrastructure, performance and capacity are managed as distinct though complementary jobs. An all-in-one approach may not work.

    Composable Infrastructure (CI)

    • Composable infrastructure in many ways represents the opposite of an HCI approach. Its focus is on further disaggregating resources and components used to build systems.
      • Unlike traditional cloud virtual systems, composable infrastructure provides virtual bare metal resources, allowing tightly coupled resources like CPU, RAM, and GPU – or any device/card/module – to be released back and forth into the resource pool as required by a given workload.
      • This is enabled by the use of high-speed, low-latency PCI Express (PCI-e) and Compute Express Link (CXL) fabrics that allow these resources to be decoupled.
      • It also supports the ability to present other fabric types critical for building out enterprise systems (e.g. Ethernet, InfiniBand).
    • Accordingly, CI systems are also based on next-generation network architecture that supports moving critical functions to the network layer, which enables more efficient use of the application-layer resources.

    Composable Infrastructure (CI)

    • CI may also leverage network-resident data/infrastructure processing units (DPUs/IPUs), which offload many network, security, and storage functions.
      • As new devices and functions become available, they can be added into the catalog of resources/functions available in a CI pool.

    Use Case Example: Composable AI flow

    Data Ingestion > Data Cleaning/Tagging > Training > Conclusion

    • At each phase of the process, resources, including specialized hardware like memory and GPU cores, can be dynamically allocated and reallocated to the workload on demand

    Composable Infrastructure (CI)

    Use cases and considerations

    Where it's useful

    • Enable even more efficient allocation/utilization of resources for workloads.
    • Very large memory or shared memory requirements can benefit greatly.
    • Decouple purchasing decisions for underlying resources.
    • Leverage the fabric to make it easier to incrementally upgrade underlying resources as required.
    • Build "the Impossible Server."

    Considerations

    • Requires significant footprint/scale to justify in many cases
    • Not necessarily good value for environments that aren't very volatile and heterogeneous in terms of deployment requirements
    • May not be best value for environments where resource-stranding is not a significant issue

    Info-Tech Insight

    Many organizations using a traditional approach report resource stranding as having an impact of 20% or more on efficiency. When focusing specifically on the stranding of memory in workloads, the number can often approach 40%.

    The CI ecosystem

    This is an image of the CI ecosystem.

    • The CI ecosystem has many players, large and small!
    • Note that the CI ecosystem is dependent on a large ecosystem of underlying enablers and component builders to support the required technologies.

    Understanding the differences

    This image shows the similarities and differences between traditional, cloud, hyperconverged, and composable.

    Automation approach

    • Infrastructure as Code
    • Automation & Orchestration
    • Metaorchestration

    Infrastructure as Code (IaC)

    Infrastructure as code (IaC) is the process of managing and provisioning computer data centers through machine-readable definition files rather than physical hardware configuration or interactive configuration tools.

    Before IaC, IT personnel would have to manually change configurations to manage their infrastructure. Maybe they would use throwaway scripts to automate some tasks, but that was the extent of it.

    With IaC, your infrastructure's configuration takes the form of a code file, making it easy to edit, copy, and distribute.

    Info-Tech Insight
    IaC is a critical tool in enabling key benefits!

    • Reduced costs
    • Increased scalability, flexibility, and speed
    • Better consistency and version control
    • Reduced deployment errors

    Infrastructure as Code (IaC)

    1. IaC uses a high-level descriptive coding language to automate the provisioning of IT infrastructure. This eliminates the need to manually provision and manage servers, OS, database connections, storage, and other elements every time we want to develop, test, or deploy an application.
    2. IaC allows us to define the computer systems on which code needs to run. Most commonly, we use a framework like Chef, Ansible, Puppet, etc., to define their infrastructure. These automation and orchestration tools focus on the provisioning and configuring of base compute infrastructure.
    3. IaC is also an essential DevOps practice. It enables teams to rapidly create and version infrastructure in the same way they version source code and to track these versions so as to avoid inconsistency among IT environments that can lead to serious issues during deployment.
    • Idempotence is a principle of IaC. This means a deployment command always sets the target environment into the same configuration, regardless of the environment's starting state.
      • Idempotency is achieved by either automatically configuring an existing target or discarding the existing target and recreating a fresh environment.

    Automation/Orchestration

    Orchestration describes the automated arrangement, coordination, and management of complex computer systems, middleware, and services.

    This usage of orchestration is often discussed in the context of service-oriented architecture, virtualization, provisioning, converged infrastructure, and dynamic data center topics. Orchestration in this sense is about aligning the business request with the applications, data, and infrastructure.

    It defines the policies and service levels through automated workflows,
    provisioning, and change management. This creates an application-aligned infrastructure that can be scaled up or down based on the needs of each application.

    As the requirement for more resources or a new application is triggered, automated tools now can perform tasks that previously could only be done by multiple administrators operating on their individual pieces of the physical stack.

    Orchestration also provides centralized management of the resource pool, including billing, metering, and chargeback for consumption. For example, orchestration reduces the time and effort for deploying multiple instances of a single application.

    Info-Tech Insight

    Automation and orchestration tools can be key components of an effective governance toolkit too! Remember to understand what data can be pulled from your various tools and leveraged for other purposes such as cost management and portfolio roadmapping.

    Automation/Orchestration

    There are a wide variety of orchestration and automation tools and technologies.

    Configuration Management

    Configuration Management

    The logos for companies which fall in each of the categories in the column to the left of the image.

    CI/CD
    Orchestration

    Container
    Orchestration

    Cloud-Specific
    Orchestration

    PaaS
    Orchestration

    Info-Tech Insight

    Automation and orchestration tools and software offerings are plentiful, and many of them have a different focus on where in the application delivery ecosystem they provide automation functionality.

    Often there are different tools for different deployment and service models as well as for different functional phases for each service model.

    Automation/Orchestration

    Every tool focuses on different aspects or functions of the deployment of resources and applications.

    • Resources
      • Compute
      • Storage
      • Network
    • Extended Services
      • Platforms
      • Infrastructure Services
      • Web Services
    • Application Assets
      • Images
      • Templates
      • Containers
      • Code

    Info-Tech Insight

    Let the large ecosystem of tools be your ally. Leverage the right tools where needed and then address the complexity of tools using a master orchestration scheme.

    Metaorchestration

    A Flow chart for the approach to metaorchestration.

    Additionally, most tools do not cover all aspects required for most automation implementations, especially in hybrid cloud scenarios.

    As such, often multiple tools must be deployed, which can lead to fragmentation and loss of unified controls.

    Many enterprises address this fragmentation using a cloud management platform approach.

    One method of achieving this is to establish a higher layer of orchestration – an "orchestrator of orchestrators," or metaorchestration.

    In complex scenarios, this can be a challenge that requires customization and development.

    InfraOps tools ecosystem

    Toolkit Pros Cons Tips
    HCI Easy scale out Shift in skills required Good for enabling automation and hybridization with current-gen public cloud services
    CI Maximal workload resource efficiency Investment in new fabrics and technologies Useful for very dynamic or highly scalable workloads like AI
    IaC Error reduction and standardization Managing drift in standards and requirements Leverage a standards and exception process to keep track of drift
    A&O Key enabler of DevOps automation within phases Usually requires multiple toolsets/frameworks Use the right tools and stitch together at the metaorchestration layer
    Metaorchestration Reduces the complexity of a diverse A&O and IaC toolkit Requires understanding of the entire ecosystems of tools used Key layer of visibility and control for governance

    Build a virtuous cycle

    Remember, the goal is to increase speed AND reliability. That's why we focus on removing friction from our delivery pipelines.

    • The first step is to identify the points of friction in your cycle and understand the intensity and frequency of these friction points.
    • Depending on your delivery and project management methodology, you'll have a different posture of the different tools that make sense for your pipeline.
    • For example, if you are focused on delivering raw resources for sysadmins and/or you're in a Waterfall methodology where the friction points are large but infrequent, hyperconverged is likely to delivery good value, whereas tools like IaC and orchestration may not be as necessary.

    Info-Tech Insight

    Remember that, especially in modern and rapid methodologies, your IT footprint can drift unexpectedly. This means you need a real feedback mechanism on where the friction moves to next.

    This is particularly important in more Agile methodologies.

    Activity: Map your IT operations delivery

    Identify your high-friction interstitial points

    • Using the table below, or a table modified to your delivery phases, map out the activities and tasks that are not standardized and automated.
    • For the incoming and outgoing sections, think about what resources and activities need to be (or could be) created, destroyed, or repurposed to efficiently manage each cycle and the spaces between cycles.
    Plan Code Test Deploy Monitor
    Incoming Friction
    In-Cycle Friction
    Outgoing Friction

    Info-Tech Insight

    Map your ops groups to the delivery cycles in your pipeline. How many delivery cycles do you have or need?

    Good InfraOps is a reflection of governance policies, expressed by standards in architecture and automation.

    Related Info-Tech Research

    Evaluate Hyperconverged Infrastructure for Your Infrastructure Roadmap

    • This Info-Tech note covers evaluation of HCI platforms.

    Design Your Cloud Operations

    • This Info-Tech blueprint covers organization of operations teams for various deployment and Agile modes.

    Bibliography

    Banks, Ethan, host. "Choosing Your Next Infrastructure." Datanauts, episode 094, Packet Pushers, 26 July 2017. Podcast.
    "Composable Infrastructure Solutions." Hewlett Packard Canada, n.d. Web.
    "Composable Infrastructure Technology." Liqid Inc., n.d. Web.
    "DataOps architecture design." Azure Architecture Center, Microsoft Learn, n.d. Web.
    Tan, Pei Send. "Differences: DevOps, ITOps, MLOps, DataOps, ModelOps, AIOps, SecOps, DevSecOps." Medium, 5 July 2021. Web.

    Legacy Active Directory Environment

    • Buy Link or Shortcode: {j2store}471|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy

    You are looking to lose your dependency on Active Directory (AD), and you need to tackle infrastructure technical debt, but there are challenges:

    • Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
    • You are unaware of what processes depend on AD and how integrated they are.
    • Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.

    Our Advice

    Critical Insight

    • Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
    • With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
    • Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

    Impact and Result

    Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

    Legacy Active Directory Environment Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Legacy Active Directory Environment Deck – Legacy AD was never built for modern infrastructure. Understand the history and future of Active Directory and what alternatives are in the market.

    Build all new systems with cloud integration in mind. Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code.

    • Legacy Active Directory Environment Storyboard
    [infographic]

    Further reading

    Legacy Active Directory Environment

    Kill the technical debt of your legacy Active Directory environment.

    Analyst Perspective

    Understand what Active Directory is and why Azure Active Directory does not replace it.

    It’s about Kerberos and New Technology LAN Manager (NTLM).

    The image contains a picture of John Donovan.

    Many organizations that want to innovate and migrate from on-premises applications to software as a service (SaaS) and cloud services are held hostage by their legacy Active Directory (AD). Microsoft did a good job taking over from Novell back in the late 90s, but its hooks into businesses are so deep that many have become dependent on AD services to manage devices and users, when in fact AD falls far short of needed capabilities, restricting innovation and progress.

    Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD. While Azure AD is a secure authentication store that can contain users and groups, that is where the similarities end. In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially for businesses that have an in-house footprint of servers and applications.

    If you are a greenfield business and intend to take advantage of software, infrastructure, and platform as a service (SaaS, IaaS, and PaaS), as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

    John Donovan
    Principal Director, I&O Practice
    Info-Tech Research Group

    Insight Summary

    Legacy AD was never built for modern infrastructure

    When Microsoft built AD as a free component for the Windows Server environment to replace Windows NT before the demise of Novell Directory Services in 2001, it never meant Active Directory to work outside the corporate network with Microsoft apps and devices. While it began as a central managing system for users and PCs on Microsoft operating systems, with one user per PC, the IT ecosystem has changed dramatically over the last 20 years, with cloud adoption, SaaS, IaaS, PaaS, and everything as a service. To make matters worse, work-from-anywhere has become a serious security challenge.

    Build all new systems with cloud integration in mind

    Many applications built in the past had built-in AD components for access, using Kerberos and NTLM. This dependency has prevented organizations from migrating away from AD. When assessing new technology and applications, consider SaaS or cloud-native apps rather than a Microsoft-dependent application with AD ingrained in the code. Ensure you are engaged when the business is assessing new apps. Stop the practice of the business purchasing apps without IT’s involvement; for example, if your marketing department is asking you for your Domain credentials for a vendor when you were not informed of this purchase.

    Hybrid AD is a solution but not a long-term goal

    Economically, Microsoft has no interest in replacing AD anytime soon. Microsoft wants that revenue and has built components like Azure AD Connect to mitigate the AD dependency issue, which is basically holding your organization hostage. In fact, Microsoft has advised that a hybrid solution will remain because, as we will investigate, Azure AD is not legacy AD.

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    You are looking to lose your dependency on Active Directory, and you need to tackle infrastructure technical debt, but there are challenges.

    • Legacy apps that are in maintenance mode cannot shed their AD dependency or have hardware upgrades made.
    • You are unaware of what processes depend on AD and how integrated they are.
    • Departments invest in apps that are integrated with AD without informing you until they ask for Domain details after purchasing.
    • Legacy applications can prevent you from upgrading servers or may need to be isolated due to security concerns related to inadequate patching and upgrades.
    • You do not see any return on investment in AD maintenance.
    • Mergers and acquisitions can prevent you from migrating away from AD if one company is dependent on AD and the other is fully in the cloud. This increases technical debt.
    • Remove your dependency on AD one application at a time. If you are a cloud-first organization, rethink your AD strategy to ask “why” when you add a new device to your Active Directory.
    • With the advent of hybrid work, AD is now a security risk. You need to shore up your security posture. Think of zero trust architecture.
    • Take inventory of your objects that depend on Kerberos and NTML and plan on removing that barrier through applications that don’t depend on AD.

    Info-Tech Insight

    Don’t allow Active Directory services to dictate your enterprise innovation and modernization strategies. Determine if you can safely remove objects and move them to a cloud service where your Azure AD Domain Services can handle your authentication and manage users and groups.

    The history of Active Directory

    The evolution of your infrastructure environment

    From NT to the cloud

    AD 2001 Exchange Server 2003 SharePoint 2007 Server 2008 R2 BYOD Security Risk All in Cloud 2015
    • Active Directory replaces NT and takes over from Novell as the enterprise access and control plane.
    • With slow WAN links, no cellphones, no tablets, and very few laptops, security was not a concern in AD.
    • In 2004, email becomes business critical.
    • This puts pressure on links, increases replication and domains, and creates a need for multiple identities.
    • Collaboration becomes pervasive.
    • Cross domain authentication becomes prevalent across the enterprise.
    • SharePoint sites need to be connected to multiple Domain AD accounts. More multiple identities are required.
    • Exchange resource forest rolls out, causing the new forest functional level to be a more complex environment.
    • Fine-grained password policies have impacted multiple forests, forcing them to adhere to the new password policies.
    • There are powerful Domain controllers, strong LAN and WAN connections, and an increase in smartphones and laptops.
    • Audits and compliance become a focus, and mergers and acquisitions add complexity. Security teams are working across the board.
    • Cloud technology doesn’t work well with complicated, messy AD environment. Cloud solutions need simple, flat AD architecture.
    • Technology changes after 15+ years. AD becomes the backbone of enterprise infrastructure. Managers demand to move to cloud, building complexity again.

    Organizations depend on AD

    AD is the backbone of many organizations’ IT infrastructure

    73% of organizations say their infrastructure is built on AD.

    82% say their applications depend on AD data.

    89% say AD enables authenticated access to file servers.

    90% say AD is the main source for authentication.

    Source: Dimensions research: Active Directory Modernization :

    Info-Tech Insight

    Organizations fail to move away from AD for many reasons, including:

    • Lack of time, resources, budget, and tools.
    • Difficulty understanding what has changed.
    • Migrating from AD being a low priority.

    Active Directory components

    Physical and logical structure

    Authentication, authorization, and auditing

    The image contains a screenshot of the active directory components.

    Active Directory has its hooks in!

    AD creates infrastructure technical debt and is difficult to migrate away from.

    The image contains a screenshot of an active directory diagram.

    Info-Tech Insight

    Due to the pervasive nature of Active Directory in the IT ecosystem, IT organizations are reluctant to migrate away from AD to modernize and innovate.

    Migration to Microsoft 365 in Azure has forced IT departments’ hand, and now that they have dipped their toe in the proverbial cloud “lake,” they see a way out of the mounting technical debt.

    AD security

    Security is the biggest concern with Active Directory.

    Neglecting Active Directory security

    98% of data breaches came from external sources.

    Source: Verizon, Data Breach Report 2022

    85% of data breach took weeks or even longer to discover.

    Source: Verizon Data Breach Report, 2012

    The biggest challenge for recovery after an Active Directory security breach is identifying the source of the breach, determining the extent of the breach, and creating a safe and secure environment.

    Info-Tech Insight

    Neglecting legacy Active Directory security will lead to cyberattacks. Malicious users can steal credentials and hijack data or corrupt your systems.

    What are the security risks to legacy AD architecture?

    • It's been 22 years since AD was released by Microsoft, and it has been a foundational technology for most businesses over the years. However, while there have been many innovations over those two decades, like Amazon, Facebook, iPhones, Androids, and more, Active Directory has remained mostly unchanged. There hasn’t been a security update since 2016.
    • This lack of security innovation has led to several cyberattacks over the years, causing businesses to bolt on additional security measures and added complexity. AD is not going away any time soon, but the security dilemma can be addressed with added security features.

    AD event logs

    84% of organizations that had a breach had evidence of that breach in their event logs.

    Source: Verizon Data Breach Report, 2012

    What is the business risk

    How does AD impact innovation in your business?

    It’s widely estimated that Active Directory remains at the backbone of 90% of Global Fortune 1000 companies’ business infrastructure (Lepide, 2021), and with that comes risk. The risks include:

    • Constraints of AD and growth of your digital footprint
    • Difficulty integrating modern technologies
    • Difficulty maintaining consistent security policies
    • Inflexible central domains preventing innovation and modernization
    • Inability to move to a self-service password portal
    • Vulnerability to being hacked
    • BYOD not being AD friendly

    AD is dependent on Windows Server

    1. Even though AD is compliant with LDAP, software vendors often choose optional features of LDAP that are not supported by AD. It is possible to implement Kerberos in a Unix system and establish trust with AD, but this is a difficult process and mistakes are frequent.
    2. Restricting your software selection to Windows-based systems reduces innovation and may hamper your ability to purchase best-in-class applications.

    Azure AD is not a replacement for AD

    AD was designed for an on-premises enterprise

    The image contains a screenshot of a Azure AD diagram.

    • Despite Microsoft’s Azure becoming prominent in the world of cloud services, Azure AD is not a replacement for on-premises AD.
    • In fact, Microsoft itself has an architecture to mitigate the shortcomings of Azure AD by recommending organizations migrate to a hybrid model, especially those businesses that have an in-house footprint of servers and applications.
    • If you are a greenfield business and intend to take advantage of SaaS, IaaS, and PaaS, as well as Microsoft 365 in Azure, then Azure AD is for you and you don’t have to worry about the need for AD.

    "Azure Active Directory is not designed to be the cloud version of Active Directory. It is not a domain controller or a directory in the cloud that will provide the exact same capabilities with AD. It actually provides many more capabilities in a different way.

    That’s why there is no actual ‘migration’ path from Active Directory to Azure Active Directory. You can synchronize your on-premises directories (Active Directory or other) to Azure Active Directory but not migrate your computer accounts, group policies, OU etc."

    – Gregory Hall,
    Brand Representative for Microsoft
    (Source: Spiceworks)

    The hybrid model for AD and Azure AD

    How the model works

    The image contains a screenshot of a hybrid model for AD and Azure AD.

    Note: AD Federated Services (ADFS) is not a replacement for AD. It’s a bolt-on that requires maintenance, support, and it is not a liberating service.

    Many companies are:

    • Moving to SaaS solutions for customer relationship management, HR, collaboration, voice communication, file storage, and more.
    • Managing non-Windows devices.
    • Moving to a hybrid model of work.
    • Enabling BYOD.

    Given these trends, Active Directory is becoming obsolete in terms of identity management and permissions.

    The difference between AD Domain Services and Azure AD DS

    One of the core principles of Azure AD is that the user is the security boundary, not the network.

    Kerberos is the default authentication and authorization protocol for AD. Kerberos is involved in nearly everything from the time you log on to accessing Sysvol, which is used to deliver policy and logon scripts to domain members from the Domain Controller.

    Info-Tech Insight

    If you are struggling to get away from AD, Kerberos and NTML are to blame. Working around them is difficult. Azure AD uses SAML2.0 OpenID Connect and OAuth2.0.

    Feature Azure AD DS Self-managed AD DS
    Managed service
    Secure deployments Administrator secures the deployment
    DNS server ✓ (managed service)
    Domain or Enterprise administrator privileges
    Domain join
    Domain authentication using NTLM and Kerberos
    Kerberos-constrained delegation Resource-based Resource-based and account-based
    Custom OU structure
    Group Policy
    Schema extensions
    AD domain/forest trusts ✓ (one-way outbound forest trusts only)
    Secure LDAP (LDAPS)
    LDAP read
    LDAP write ✓ (within the managed domain)
    Geo-distributed deployments

    Source: “Compare self-managed Active Directory Domain Services...” Azure documentation, 2022

    Impact of work-from-anywhere

    How AD poses issues that impact the user experience

    IT organizations are under pressure to enable work-from-home/work-from-anywhere.

    • IT teams regard legacy infrastructure, namely Active Directory, as inadequate to securely manage remote workloads.
    • While organizations previously used VPNs to access resources through Active Directory, they now have complex webs of applications that do not reside on premises, such as AWS, G-Suite, and SaaS customer relationship management and HR management systems, among others. These resources live outside the Windows ecosystem, complicating user provisioning, management, and security.
    • The work environment has changed since the start of COVID-19, with businesses scrambling to enable work-from-home. This had a huge impact on on-premises identity management tools such as AD, exposing their limitations and challenges. IT admins are all too aware that AD does not meet the needs of work-from-home.
    • As more IT organizations move infrastructure to the cloud, they have the opportunity to move their directory services to the cloud as well.
      • JumpCloud, OneLogin, Okta, Azure AD, G2, and others can be a solution for this new way of working and free up administrators from the overloaded AD environment.
      • Identity and access management (IAM) can be moved to the cloud where the modern infrastructure lives.
      • Alternatives for printers using AD include Google Cloud Print, PrinterOn, and PrinterLogic.

    How AD can impact your migration to Microsoft 365

    The beginning of your hybrid environment

    • Businesses that have a large on-premises footprint have very few choices for setting up a hybrid environment that includes their on-premises AD and Azure AD synchronization.
    • Microsoft 365 uses Azure AD in the background to manage identities.
    • Azure AD Connect will need to be installed, along with IdFix to identify errors such as duplicates and formatting problems in your AD.
    • Password hash should be implemented to synchronize passwords from on-premises AD so users can sign in to Azure without the need for additional single sign-on infrastructure.
    • Azure AD Connect synchronizes accounts every 30 minutes and passwords within two minutes.

    Alternatives to AD

    When considering retiring Active Directory from your environment, look at alternatives that can assist with those legacy application servers, handle Kerberos and NTML, and support LDAP.

    • JumpCloud: Cloud-based directory services. JumpCloud provides LDAP-as-a-Service and RADIUS-as-a-Service. It authenticates, authorizes, and manages employees, their devices, and IT applications. However, domain name changes are not supported.
    • Apache Directory Studio Pro: Written in Java, it supports LDAP v3–certified directory services. It is certified by Eclipse-based database utilities. It also supports Kerberos, which is critical for legacy Microsoft AD apps authentication.
    • Univention Corporate Server (UCS): Open-source Linux-based solution that has a friendly user interface and gets continuous security and feature updates. It supports Kerberos V5 and LDAP, works with AD, and is easy to sync. It also supports DNS server, DHCP, multifactor authentication and single sign-on, and APIs and REST APIs. However, it has a limited English knowledgebase as it is a German tool.

    What to look for

    If you are embedded in Windows systems but looking for an alternative to AD, you need a similar solution but one that is capable of working in the cloud and on premises.

    Aside from protocols and supporting utilities, also consider additional features that can help you retire your Active Directory while maintaining highly secure access control and a strong security posture.

    These are just a few examples of the many alternatives available.

    Market drivers to modernize your infrastructure

    The business is now driving your Active Directory migration

    What IT must deal with in the modern world of work:

    • Leaner footprint for evolving tech trends
    • Disaster recovery readiness
    • Dynamic compliance requirements
    • Increased security needs
    • The need to future-proof
    • Mergers and acquisitions
    • Security extending the network beyond Windows

    Organizations are making decisions that impact Active Directory, from enabling work-from-anywhere to dealing with malicious threats such as ransomware. Mergers and acquisitions also bring complexity with multiple AD domains.
    The business is putting pressure on IT to become creative with security strategies, alternative authentication and authorization, and migration to SaaS and cloud services.

    Activity

    Build a checklist to migrate off Active Directory.

    Discovery

    Assessment

    Proof of Concept

    Migration

    Cloud Operations

    ☐ Catalog your applications.

    ☐ Define your users, groups and usage.

    ☐ Identify network interdependencies and complexity.

    ☐ Know your security and compliance regulations.

    ☐ Document your disaster recovery plan and recovery point and time objectives (RPO/RTO).

    ☐ Build a methodology for migrating apps to IaaS.

    ☐ Develop a migration team using internal resources and/or outsourcing.

    ☐ Use Microsoft resources for specific skill sets.

    ☐ Map on-premises third-party solutions to determine how easily they will migrate.

    ☐ Create a plan to retire and archive legacy data.

    ☐ Test your workload: Start small and prove value with a phased approach.

    ☐ Estimate cloud costs.

    ☐ Determine the amount and size of your compute and storage requirements.

    ☐ Understand security requirements and the need for network and security controls.

    ☐ Assess network performance.

    ☐ Qualify and test the tools and solutions needed for the migration.

    ☐ Create a blueprint of your desired cloud environment.

    ☐ Establish a rollback plan.

    ☐ Identify tools for automating migration and syncing data.

    ☐ Understand the implications of the production-day data move.

    ☐ Keep up with the pace of innovation.

    ☐ Leverage 24/7 support via skilled Azure resources.

    ☐ Stay on top of system maintenance and upgrades.

    ☐ Consider service-level agreement requirements, governance, security, compliance, performance, and uptime.

    Related Info-Tech Research

    Manage the Active Directory in the Service Desk

    • Build and maintain your Active Directory with good data.
    • Actively maintaining the Active Directory is a difficult task that only gets more difficult with issues like stale accounts and privilege creep.

    SoftwareReviews: Microsoft Azure Active Directory

    • The Azure Active Directory (Azure AD) enterprise identity service provides SSO and multifactor authentication to help protect your users from 99.9% of cybersecurity attacks

    Define Your Cloud Vision

    • Don’t think about the cloud as an inevitable next step for all workloads. The cloud is merely another tool in the toolbox, ready to be used when appropriate and put away when it’s not needed. Cloud-first isn’t always the way to go.

    Bibliography

    “2012 Data Breach Investigations Report.” Verizon, 2012. Web.
    “2022 Data Breach Investigations Report.” Verizon, 2012. Web.
    “22 Best Alternatives to Microsoft Active Directory.” The Geek Page, 16 Feb 2022. Accessed 12 Sept. 2022.
    Altieri, Matt. “Infrastructure Technical Debt.” Device 42, 20 May 2019. Accessed Sept 2022.
    “Are You Ready to Make the Move from ADFS to Azure AD?’” Steeves and Associates, 29 April 2021. Accessed 28 Sept. 2022.
    Blanton, Sean. “Can I Replace Active Directory with Azure AD? No, Here’s Why.” JumpCloud, 9 Mar 2021. Accessed Sept. 2022.
    Chai, Wesley, and Alexander S. Gillis. “What is Active Directory and how does it work?” TechTarget, June 2021. Accessed 10 Sept. 2022.
    Cogan, Sam. “Azure Active Directory is not Active Directory!” SamCogan.com, Oct 2020. Accessed Sept. 2022.
    “Compare Active Directory to Azure Active Directory.” Azure documentation, Microsoft Learn, 18 Aug. 2022. Accessed 12 Sept. 2022.
    "Compare self-managed Active Directory Domain Services, Azure Active Directory, and managed Azure Active Directory Domain Services." Azure documentation, Microsoft Learn, 23 Aug. 2022. Accessed Sept. 2022.
    “Dimensional Research, Active Directory Modernization: A Survey of IT Professionals.” Quest, 2017. Accessed Sept 2022.
    Grillenmeier, Guido. “Now’s the Time to Rethink Active Directory Security.“ Semperis, 4 Aug 2021. Accessed Oct. 2013.
    “How does your Active Directory align to today’s business?” Quest Software, 2017, accessed Sept 2022
    Lewis, Jack “On-Premises Active Directory: Can I remove it and go full cloud?” Softcat, Dec.2020. Accessed 15 Sept 2022.
    Loshin, Peter. “What is Kerberos?” TechTarget, Sept 2021. Accessed Sept 2022.
    Mann, Terry. “Why Cybersecurity Must Include Active Directory.” Lepide, 20 Sept. 2021. Accessed Sept. 2022.
    Roberts, Travis. “Azure AD without on-prem Windows Active Directory?” 4sysops, 25 Oct. 2021. Accessed Sept. 2022.
    “Understanding Active Directory® & its architecture.” ActiveReach, Jan 2022. Accessed Sept. 2022.
    “What is Active Directory Migration?” Quest Software Inc, 2022. Accessed Sept 2022.

    Implement Software Asset Management

    • Buy Link or Shortcode: {j2store}313|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $107,154 Average $ Saved
    • member rating average days saved: 39 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Organizations are aware of the savings that result from implementing software asset management (SAM), but are unsure of where to start the process.
    • Poor data capture procedures and lack of a centralized repository produce an incomplete picture of software assets and licenses, preventing accurate forecasting and license optimization.
    • Audit protocols are ad hoc, resulting in sloppy reporting and time-consuming work and lack of preparedness for external software audits.

    Our Advice

    Critical Insight

    • A strong SAM program will benefit all aspects of the business. Data and reports gained through SAM will enable data-driven decision making for all areas of the business.
    • Don’t just track licenses; manage them to create value from data. Gathering and monitoring license data is just the beginning. What you do with that data is the real test.
    • Win the audit battle without fighting. Conduct internal audits to minimize surprises when external audits are requested.

    Impact and Result

    • Conduct a current state assessment of existing SAM processes to form an appropriate plan for implementing or improving your SAM program.
    • Define standard policies, processes, and procedures for each stage of the software asset lifecycle, from procurement through to retirement.
    • Develop an internal audit policy to mitigate the risk of costly external audits.

    Implement Software Asset Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should implement software asset management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess & plan

    Assess current state and plan the scope of the SAM program, team, and budget.

    • Implement Software Asset Management – Phase 1: Assess & Plan
    • SAM Maturity Assessment
    • SAM Standard Operating Procedures
    • SAM Budget Workbook

    2. Procure, receive & deploy

    Define processes for software requests, procurement, receiving, and deployment.

    • Implement Software Asset Management – Phase 2: Procure, Receive & Deploy
    • SAM Process Workflows (Visio)
    • SAM Process Workflows (PDF)

    3. Manage, redeploy & retire

    Define processes for software inventory, maintenance, harvest and redeployment, and retirement.

    • Implement Software Asset Management – Phase 3: Manage, Redeploy & Retire
    • Patch Management Policy

    4. Build supporting processes

    Build processes for audits and plan the implementation.

    • Implement Software Asset Management – Phase 4: Build Supporting Processes & Tools
    • Software Audit Scoping Email Template
    • Software Audit Launch Email Template
    • SAM Communication Plan
    • SAM FAQ Template
    • Software Asset Management Policy
    [infographic]

    Workshop: Implement Software Asset Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess & Plan

    The Purpose

    Assess current state and plan the scope of the SAM program, team, and budget.

    Key Benefits Achieved

    Current state assessment

    Defined roles and responsibilities

    SAM budget plan

    Activities

    1.1 Outline SAM challenges and objectives.

    1.2 Assess current state.

    1.3 Identify roles and responsibilities for SAM team.

    1.4 Identify metrics and reports.

    1.5 Identify SAM functions to centralize vs. decentralize.

    1.6 Plan SAM budget process.

    Outputs

    Current State Assessment

    RACI Chart

    Defined metrics and reports

    SAM Budget Workbook

    2 Procure, Receive & Deploy

    The Purpose

    Define processes for software requests, procurement, receiving, and deployment.

    Key Benefits Achieved

    Defined standards for software procurement

    Documented processes for software receiving and deployment

    Activities

    2.1 Determine software standards.

    2.2 Define procurement process for new contracts.

    2.3 Define process for contract renewals and additional procurement scenarios.

    2.4 Design process for receiving software.

    2.5 Design deployment workflow.

    2.6 Define process for non-standard software requests.

    Outputs

    Software standards

    Standard Operating Procedures

    SAM Process Workflows

    3 Manage, Redeploy & Retire

    The Purpose

    Define processes for software inventory, maintenance, harvest and redeployment, and retirement.

    Key Benefits Achieved

    Defined process for conducting software inventory

    Maintenance and patch policy

    Documented workflows for software harvest and redeployment as well as retirement

    Activities

    3.1 Define process for conducting software inventory.

    3.2 Define policies for software maintenance and patches.

    3.3 Map software license harvest and reallocation process.

    3.4 Define policy for retiring software.

    Outputs

    Standard Operating Procedures

    Patch management policy

    SAM Process Workflows

    4 Build Supporting Processes & Tools

    The Purpose

    Build processes for audits, identify tool requirements, and plan the implementation.

    Key Benefits Achieved

    Defined process for internal and external audits

    Tool requirements

    Communication and implementation plan

    Activities

    4.1 Define and document the internal audit process.

    4.2 Define and document the external audit process.

    4.3 Document tool requirements.

    4.4 Develop a communication plan.

    4.5 Prepare an FAQ list.

    4.6 Identify SAM policies.

    4.7 Develop a SAM roadmap to plan your implementation.

    Outputs

    Audit response templates

    Tool requirements

    Communication plan

    End-user FAQ list

    Software Asset Management Policy

    Implementation roadmap

    Further reading

    Implement Software Asset Management

    Go beyond tracking licenses to proactively managing software throughout its lifecycle.

    Table of contents

    1. Title
    2. Executive Brief
    3. Execute the Project/DIY Guide
    4. Next Steps
    5. Appendix

    Analyst Perspective

    “Organizations often conflate software asset management (SAM) with license tracking. SAM is not merely knowing how many licenses you require to be in compliance; it’s asking the deeper budgetary questions to right-size your software spend.

    Software audits are a growing concern for businesses, but proactive reporting and decision making supported by quality data will mitigate audit risks. Value is left on the table through underused or poor-quality data, so active data management must be in play. A dedicated ITAM tool can assist with extracting value from your license data.

    Achieving an optimized SAM program is a transformative effort, but the people, processes, and technology need to be in place before that can happen.” (Sandi Conrad, Senior Director, Infrastructure & Operations Practice, Info-Tech Research Group)

    Software license complexity and audit frequency are increasing: are you prepared to manage the risk?

    This Research Is Designed For:

    • CIOs that want to improve IT’s reputation with the business.
    • CIOs that want to eliminate the threat of a software audit.
    • Organizations that want proactive reporting that benefits the entire business.
    • IT managers who want visibility into their software usage.

    This Research Will Help You:

    • Establish a standardized software management process.
    • Track and manage software throughout its lifecycle, from procurement through to retirement or redeployment.
    • Rationalize your software license estate.
    • Improve your negotiations with software vendors.
    • Improve the quality of your SAM data gathering and reporting.

    Executive summary

    Situation

    • Organizations are aware of the savings that result from implementing software asset management (SAM), but are unsure of where to start the process. With no formal standards in place for managing licenses, organizations are constantly at risk for costly software audits and poorly executed software spends.

    Complication

    • Poor data-capture procedures produce an incomplete picture of software lifecycles.
    • No centralized repository exists, resulting in fragmented reporting.
    • Audit protocols are ad hoc, resulting in sloppy reporting and time-consuming work.

    Resolution

    • Conduct a current state assessment of existing SAM processes to form an appropriate plan for implementing or improving your SAM program.
    • Build and involve a SAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the software asset lifecycle, from procurement through to retirement. Pace yourself; a staged implementation will make your ITAM program a success.
    • Develop an internal audit program to mitigate the risk of costly audits.
    • Once a standardized SAM program and data are in place, you will be able to use the data to optimize and rationalize your software licenses.

    Info-Tech Insight

    A strong SAM program will benefit all aspects of the business.
    Data and reports gained through SAM will enable data-driven decision making for all areas of the business.

    Don’t just track licenses; manage them to create value from data.
    Gathering and monitoring license data is just the beginning. What you do with that data is the real test.

    Win the audit battle without fighting.
    Conduct internal audits to minimize surprises when external audits are requested.

    Build the business case for SAM on cost and risk avoidance

    You can estimate the return even without tools or data.

    Benefit Calculate the return
    Compliance

    How many audits did you have in the past three years?

    How much time did you spend in audit response?

    Suppose you had two audits each year for the last three years, each with an average $250,000 in settlements.

    A team of four with an average salary of $75,000 each took six months to respond each year, allocating 20% of their work time to the audit.

    You could argue annual audits cost on average $530,000. Increasing ITAM maturity stands to reduce that cost significantly.

    Efficiency

    How much do you spend on software and maintenance by supplier?

    Suppose you spent $1M on software last year. What if you could reduce the spend by just 10% through better practices?

    SAM can help reduce the annual spend by simplifying support, renegotiating contracts based on asset data, reducing redundancy, and reducing spend.

    The Business Benefits of SAM

    • Compliance: Managing audits and meeting legal, contractual, and regulatory obligations.
    • Efficiency: Reducing costs and making the best use of assets while maintaining service.
    • Agility: Anticipate requirements using asset data for business intelligence and analytics.

    Poor software asset management practices increase costs and risks

    Failure to implement SAM can lead to:

    High cost of undiscovered IT assets
    • Needless procurement of software for new hires can be costly.
    Licensing, liability, and legal violations
    • Legal actions and penalties that result from ineffective SAM processes and license incompliance can severely impact an organization’s financial performance and corporate brand image.
    Compromised security
    • Not knowing what assets you have, who is using them and how, can compromise the security of sensitive information.
    Increased management costs
    • Not having up-to-date software license information impacts decision making, with many management teams failing to respond quickly and efficiently to operational demands.
    Increased disruptions
    • Vendors seek out organizations who don’t manage their software assets effectively; it is likely that you could be subject to major operational disruptions as a result of an audit.
    Poor supplier/vendor relationship
    • Most organizations fear communicating with vendors and are anxious about negotiating new licenses.

    54% — A study by 1E found that only 54% of organizations believe they can identify all unused software in their organization.

    28% — On average, 28% of deployed software is unused, with a wasted cost of $224 per PC on unused software (1E, 2014).

    53% — Express Metrix found that 53% of organizations had been audited within the past two years. Of those, 72% had been audited within the last 12 months.

    SAM delivers cost savings beyond the procurement stage

    SAM delivers cost savings in several ways:

    • Improved negotiating position
      • Certainty around software needs and licensing terms can put the organization in a better negotiating position for new contracts or contract renewals.
    • Improved purchasing position
      • Centralized procurement can allow for improved purchasing agreements with better pricing.
    • More accurate forecasting and spend
      • With accurate data on what software is installed vs. used, more accurate decisions can be made around software purchasing needs and budgeting.
    • Prevention of over deployment
      • Deploy software only where it is needed based on what end users actively use.
    • Software rationalization
      • SAM data may reveal multiple applications performing similar functions that can be rationalized into a single standard software that is used across the enterprise.
    • License harvesting
      • Identify unused licenses that can be harvested and redeployed to other users rather than purchasing new licenses.

    SAM delivers many benefits beyond cost savings

    Manage risk. If licensing terms are not properly observed, the organization is at risk of legal and financial exposure, including illegal software installation, loss of proof of licenses purchased, or breached terms and conditions.

    Control and predict spend. Unexpected problems related to software assets and licenses can significantly impact cash flow.

    Less operational interruptions. Poor software asset management processes could lead to failed deployments, software update interruptions, viruses, or a shutdown of unlicensed applications.

    Avoid security breaches. If data is not secure through software patches and security, confidential information may be disclosed.

    More informed decisions. More accurate data on software assets improves transparency and informs decision making.

    Improved contract management. Automated tools can alert you to when contracts are up for renewal to allow time to plan and negotiate, then purchase the right amount of licenses.

    Avoid penalties. Conduct internal audits and track compliance to avoid fees or penalties if an external audit occurs.

    Reduced IT support. Employees should require less support from the service desk with proper, up to date, licensed software, freeing up time for IT Operations to focus on other work.

    Enhanced productivity. By rationalizing and standardizing software offerings, more staff should be using the same software with the same versioning, allowing for better communication and collaboration.

    Asset management is especially correlated with the following processes

    Being highly effective at asset management means that you are more likely to be highly effective at almost all IT processes, especially:

    Icon for process 'BAI10 Configuration Management'. Configuration Management
    76% more effective
    Icon for process 'ITRG03 Manage Service Catalogs'. Service Catalog
    74% more effective
    Icon for process 'APO11 Quality Management'. Quality Management
    63% more effective
    Icon for process 'ITRG08 Data Quality'. Data Quality
    62% more effective
    Icon for process 'MEA01 Performance Measurement'. Performance Measurement
    61% more effective
    Icon for process 'BAI05 Organizational Change Management'. Organizational Change Management
    60% more effective
    Icon for process 'APO05 Portfolio Management'. Portfolio Management
    59% more effective
    Icon for process 'APO03 Enterprise Architecture'. Enterprise Architecture
    58% more effective

    Why? Good SAM processes are integral to both service management and configuration management

    (Source: Info-Tech Research Group, IT Management and Governance Diagnostic; N=972 organizations) (High asset management effectiveness was defined as those organizations with an effectiveness score of 8 or above.)

    To accelerate progress, Info-Tech Research Group parses software asset management into its essential processes

    Focus on software asset management essentials

    Software Procurement:

    • Define procurement standards for software and related warranties and support options.
    • Develop processes and workflows for purchasing and work out financial implications to inform budgeting later.

    Software Deployment and Maintenance:

    • Define policies, processes, and workflows for software receiving, deployment, and maintenance practices.
    • Develop processes and workflows for managing imaging, harvests and redeployments, service requests, and large-scale rollouts.

    Software Harvest and Retirement:

    • Manage the employee termination and software harvest cycle.
    • Develop processes, policies, and workflows for software security and retirement.

    Software Contract and Audit Management:

    • Develop processes for data collection and validation to prepare for an audit.
    • Define metrics and reporting processes to keep asset management processes on track.
    A diagram that looks like a tier circle with 'Implement SAM' at the center. The second ring has 'Request & Procure', 'Receive & Deploy', 'Manage & Maintain', and 'Harvest & Retire'. The third ring seems to be a cycle beginning with 'Plan', 'Request', 'Procure', 'Deploy', 'Manage', 'Retire', and back to 'Plan'.

    Asset management is a key piece of Info-Tech’s COBIT-based IT Management and Governance Framework

    The Info-Tech / COBIT5 IT Management & Governance Framework, a number of IT process icons arranged like a periodic table. A magnifying glass highlights process 'BAI09 Asset Management' in the 'Infrastructure & Operations' category.

    Follow Info-Tech's methodology to build a plan to implement software asset management

    Phase 1
    Assess & Plan
    Phase 2
    Procure, Receive & Deploy
    Phase 3
    Manage, Redeploy & Retire
    Phase 4
    Build supporting processes

    1.1

    Assess current state

    2.1

    Request & procure

    3.1

    Manage & maintain contracts

    4.1

    Compliance & audits

    1.2

    Build team and define metrics

    2.2

    Receive & deploy

    3.2

    Harvest or retire

    4.2

    Communicate & build roadmap

    1.3

    Plan & budget
    Deliverables
    Standard Operating Procedures (SOP)
    SAM maturity assessment Process workflows Process workflows Audit response templates
    RACI chart Software standards Patch management policy Communication plan & FAQ template
    SAM metrics SAM policies
    SAM budget workbook

    Thanks to SAM, Visa saved $200 million in three years

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: International Business Software Managers Association

    Visa, Inc.

    Visa, Inc. is the largest payment processing company in the world, with a network that can handle over 40,000 transactions every minute.

    Software Asset Management Program

    In 2006, Visa launched a formal IT asset management program, but it was not until 2011 that it initiated a focus on SAM. Joe Birdsong, the SAM director, first addressed four major enterprise license agreements (ELAs) and compliance issues. The SAM team implemented a few dedicated SAM tools in conjunction with an aggressive approach to training.

    Results

    The proactive approach taken by Visa used a three-pronged strategy: people, process, and tools. The process included ELA negotiations, audit responses, and software license rationalization exercises.

    According to Birdsong, “In the past three years, SAM has been credited with saving Visa over $200 million.”

    An timeline arrow with benchmarks, in order: 'Tool purchases', 'ELA negotiations', 'License rationalization', 'Audit responses', '$200 million in savings in just three years thanks to optimized SAM processes'.

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    Thumbnail of Info-Tech's 'SAM Standard Operating Procedures (SOP)'.
    SAM Standard Operating Procedures (SOP)
    Thumbnail of Info-Tech's 'SAM Maturity Assessment'.
    SAM Maturity Assessment
    Thumbnail of Info-Tech's 'SAM Visio Process Workflows'.
    SAM Visio Process Workflows
    Thumbnail of Info-Tech's 'SAM Budget Workbook'.
    SAM Budget Workbook
    Thumbnail of Info-Tech's 'Additional SAM Policy Templates'.
    Additional SAM Policy Templates
    Thumbnail of Info-Tech's 'Software Asset Management Policy'.
    Software Asset Management Policy
    Thumbnail of Info-Tech's 'SAM Communication Plan'.
    SAM Communication Plan
    Thumbnail of Info-Tech's 'SAM FAQ Template'.
    SAM FAQ Template

    Use these insights to help guide your understanding of the project

    • SAM provides value to other processes in IT.
      Data, reports, and savings gained through SAM will enable data-driven decision making for all areas of the business.
    • Don’t just track licenses; manage them to create value from data.
      Gathering and monitoring license data is just the beginning. What you do with that data is the real test.
    • SAM isn’t about managing costs; it’s about understanding your environment to make better decisions.
      Capital tied up in software can impact the progress of other projects.
    • Managing licenses can impact the entire organization.
      Gain project buy-in from stakeholders by articulating the impact that managing licenses can have on other projects and the prevalence of shadow IT.

    Measure the value of a guided implementation (GI)

    Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

    GI Measured Value (Assuming 260 workdays in a year)
    Phase 1: Assess & Plan
    • Time, value, and resources saved by using Info-Tech’s methodology to assess current state and create a defined SAM team with actionable metrics
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 2: Procure, Receive & Deploy
    • Time, value, and resources saved by using Info-Tech’s methodology to streamline request, procurement, receiving, and deployment processes for software assets.
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 3: Manage, Redeploy & Retire
    • Time, value, and resources saved by using Info-Tech’s methodology to streamline the maintenance, inventory, license redeployment, and software retiring processes.
    • For example, 2 FTEs * 5 days * $80,000/year = $6,400
    Phase 4: Build Supporting Processes and Tools
    • Time, resources, and potential audit fines saved by using Info-Tech’s methodology to improve audit defense processes ($298,325 average audit penalty (Based on the results of Cherwell Software’s 2013 Software Audit Industry Report)) and design a communication and implementation plan.
    • For example, 2 FTEs * 5days * $80,000/year = $6,400 + $298,325 = $304,725
    Total savings $330,325

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Implement Software Asset Management – project overview

    Phase 1: Assess & plan Phase 2: Procure, receive & deploy Phase 3: Manage, redeploy & retire Phase 4: Build supporting processes
    Supporting Tool icon Best-Practice Toolkit

    Step 1.1: Assess current state

    Step 1.2: Build team and define metrics

    Step 1.3: Plan and budget

    Step 2.1: Request and procure

    Step 2.2: Receive and deploy

    Step 3.1: Manage and maintain contracts

    Step 3.2: Harvest, redeploy, or retire

    Step 4.1: Compliance and audits

    Step 4.2: Communicate and build roadmap

    Guided Implementations
    • Assess current state and challenges.
    • Define roles and responsibilities as well as metrics.
    • Discuss SAM budgeting.
    • Define software standards and procurement process.
    • Build processes for receiving software and deploying software.
    • Define process for conducting software inventory and maintenance and patches.
    • Build software harvest and redeployment processes and retirement.
    • Define process for internal and external audits.
    • Develop communication and implementation plan.
    Associated Activity icon Onsite Workshop Module 1:
    Assess & Plan
    Module 2:
    Map Core Processes: Procure, Receive & Deploy
    Module 3:
    Map Core Processes: Manage, Redeploy & Retire
    Module 4:
    Prepare for audit, build roadmap and communications

    Workshop Overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4
    Activities
    Assess & Plan

    1.1 Outline SAM challenges and objectives

    1.2 Assess current state

    1.3 Identify roles and responsibilities for SAM team

    1.4 Identify metrics and reports

    1.5 Identify SAM functions to centralize vs. decentralize

    1.6 Plan SAM budget process

    Map Core Processes: Procure, Receive & Deploy

    2.1 Determine software standards

    2.2 Define procurement process for new contracts

    2.3 Define process for contract renewals and additional procurement scenarios

    2.4 Design process for receiving software

    2.5 Design deployment workflow

    2.6 Define process for non-standard software requests

    Map Core Processes: Manage, Redeploy & Retire

    3.1 Define process for conducting software inventory

    3.2 Define policies for software maintenance and patches

    3.3 Map software license harvest and reallocation process

    3.4 Define policy for retiring software

    Build Supporting Processes

    4.1 Define and document the internal audit process

    4.2 Define and document the external audit process

    4.3 Develop a communication plan

    4.4 Prepare an FAQ list

    4.5 Identify SAM policies

    4.6 Develop a SAM roadmap to plan your implementation

    Deliverables
    • SAM maturity assessment
    • RACI chart
    • Defined metrics and reports
    • Budget workbook
    • Process workflows
    • Software standards
    • Process workflows
    • Patch management policy
    • Standard operating procedures
    • Audit response templates
    • Communication plan
    • FAQ template
    • Additional policy templates
    • Roadmap of initiatives

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Phase 1: Assess Current State

    VISA fought fire with fire to combat costly software audits

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    Visa implemented an IT asset management program in 2006. After years of software audit teams from large firms visiting and leaving expensive software compliance bills, the world’s leading payment processing company decided it was time for a change.

    Upper management recognized that it needed to combat audits. It had the infrastructure in place and the budget to purchase SAM tools that could run discovery and tracking functions, but it was lacking the people and processes necessary for a mature SAM program.

    Solution

    Visa decided to fight fire with fire. It initially contracted the same third-party audit teams to help build out its SAM processes. Eventually, Visa formed a new SAM team that was led by a group of former auditors.

    The former auditors recognized that their role was not technology based, so a group of technical individuals were hired to help roll out various SAM tools.

    The team rolled out tools like BDNA Discover and Normalize, Flexera FlexNet Manager, and Microsoft SCCM.

    Results

    To establish an effective SAM team, diverse talent is key. Visa focused on employees that were consultative but also technical. Their team needed to build relationships with teams within the organization and externally with vendors.

    Most importantly, the leaders of the team needed to think like auditors to better prepare for audits. According to Joe Birdsong, SAM Director at Visa, “we want to be viewed as a team that can go in and help right-size their environment and better understand licensing to help teams make better decisions.”

    The SAM team was only the beginning.

    Step 1.1 Assess current state and plan scope

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.1.1 Outline the organization’s SAM challenges
    • 1.1.2 Identify objectives of SAM program
    • 1.1.3 Determine the maturity of your SAM program
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and SAM Manager

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • An outline of the challenges related to SAM
    • A clear direction for the program based on drivers, anticipated benefits, and goals
    • A completed maturity assessment of current SAM processes

    Sketch out challenges related to software asset management to shape the direction of the project

    Common SAM challenges

    • Audits are disruptive, time-consuming, and costly
    • No audit strategy and response in place
    • Software non-compliance risk is too high
    • Lacking data to forecast software needs
    • No central repository of software licenses
    • Untracked or unused software licenses results in wasted spend
    • Software license and maintenance costs account for a large percentage of the budget
    • Lacking data to know what software is purchased and deployed across the organization
    • Lack of software standards make it difficult to collect consistent information about software products
    • New software licenses are purchased when existing licenses remain on the shelf or multiple similar software products are purchased
    • Employees or departments make ad hoc purchases, resulting in overspending and reduced purchasing power
    • License renewal dates come up unexpectedly without time for adequate decision making
    • No communication between departments to coordinate software purchasing
    • Difficult to stay up to date with software licensing rule changes to remain in compliance
    • Processes and policies are unstandardized and undocumented

    Outline the organization’s SAM challenges

    Associated Activity icon 1.1.1 Brainstorm SAM challenges

    Participants: CIO/CFO, IT Director, Asset Manager, Purchasing, Service Desk Manager, Security (optional), Operations (optional)

    1. Distribute sticky notes to participants. Have everyone start by identifying challenges they face as a result of poor software asset management.
    2. As group, discuss and outline the software asset management challenges facing the organization. These may be challenges caused by poor SAM processes or simply by a lack of process. Group the challenges into key pain points to inform the current state discussion and assessment to follow.

    To be effective with software asset management, understand the drivers and potential impact to the organization

    Drivers of effective SAM Results of effective SAM
    Contracts and vendor licensing programs are complex and challenging to administer without data related to assets and their environment. Improved access to accurate data on contracts, licensing, warranties, installed software for new contracts, renewals, and audit requests.
    Increased need to meet compliance requires a formal approach to tracking and managing assets. Encryption, software application controls, and change notifications all contribute to better asset controls and data security.
    Cost cutting is on the agenda, and management is looking to reduce overall IT spend in the organization in any possible way. Reduction of software spend through data for better forecasting, planning, and licensing rationalization and harvesting.
    Audits are time consuming, disruptive to project timelines and productivity, and costly. Respond to audits with a formalized process, accurate data, and minimal disruption using always-available reporting.

    Determine goals to focus the direction of your SAM program

    Associated Activity icon 1.1.2 Identify objectives of the SAM program

    Participants: CIO/CFO, IT Director, Asset Manager, Service Manager (optional)

    Document: Document in the Standard Operating Procedures.

    1. Identify the drivers behind the software asset management implementation or improvement project. List on a whiteboard or flip chart.
    2. Using the project drivers as input, brainstorm the goals of the SAM project. Discuss the goals as a group and finalize into a list of objectives for the SAM program.
    3. Record the objectives in the SOP and keep them in mind as you work through the rest of the project.

    Sample Objectives:

    1. A single data repository to efficiently manage assets for their entire lifecycle.
    2. Formalizing a methodology for documenting assets to make data retrieval easy and accurate.
    3. Defining and documenting processes to determine where improvements can be made.
    4. Improving customer experience in accessing, using, and maintaining assets.
    5. Centralizing contract information.
    6. Providing access to information for all technical teams as needed.

    Implementing SAM processes will support other IT functions

    By improving how you manage your licenses and audit requests, you will not only provide benefits through a mature SAM program, you will also improve your service desk and disaster recovery functions.

    Service Desk Disaster Recovery
    • Effective service desk tickets require a certain degree of technical detail for completion that a SAM program often provides.
    • Many tools are available that can handle both ITSM and ITAM functions. Your SAM data can be integrated into many of your service desk functions.
    • For example, if a particular application is causing a high number of tickets, SAM data could show the application’s license is almost expired and its usage has decreased due to end-user frustrations. The SAM team could review the application and decide to purchase software that better meets end-user needs.
    • If you don’t know what you have, you don’t know what needs to be back online first.
    • The ability to restore system functionality is heavily dependent on the ability to locate or reproduce master media documentation and system configuration information.
    • If systems/software are permanently lost, the ability to recover software licensing information is crucial to preserving compliance.
    • License agreement and software are needed to demonstrate software ownership. Unless the proof of ownership is present, there is no proof of compliance.
    Short description of Info-Tech blueprint 'Standardize the Service Desk'. Short description of Info-Tech blueprint 'Create a Right-Sized Disaster Recovery Plan'.

    Each level of SAM maturity comes with its own unique challenges

    Maturity People & Policies Processes Technology
    Chaos
    • No dedicated staff
    • No policies published
    • Procedures not documented or standardized
    • Licenses purchased randomly
    • Help desk images machines, but users can buy and install software
    • Minimal tracking tools in place
    Reactive
    • Semi-focused SAM manager
    • No policies published
    • Reliance on suppliers to provide reports for software purchases
    • Buy licenses as needed
    • Software installations limited to help desk
    • Discovery tools and spreadsheets used to manage software
    Controlled
    • Full-time SAM manager
    • End-user policies published and requiring sign-off
    • License reviews with maintenance and support renewals
    • SAM manager involved in budgeting and planning sessions
    • Discovery and inventory tools used to manage software
    • Compliance reports run as needed
    Proactive
    • Extended SAM team, including help desk and purchasing
    • Corporate anti-piracy statement in place and enforced
    • Quarterly license reviews
    • Centralized view into software licenses
    • Software requests through service catalog with defined standard and non-standard software
    • Product usage reports and alerts in place to harvest and reuse licenses
    • Compliance and usage reports used to negotiate software contracts
    Optimized
    • SAM manager trained and certified
    • Working with HR, Legal, Finance, and IT to enforce policies
    • Full support and maintenance analysis for all license reviews
    • Quarterly meetings with SAM team to review policies, procedures, upcoming contracts, and rollouts
    • Software deployed automatically through service catalog/apps store
    • Detailed savings reports provided to executive team annually
    • Automated policy enforcement and process workflows

    Determine the maturity of your SAM program

    Supporting Tool icon 1.1.3 Use the SAM Maturity Assessment Tool
    1. Download the SAM Maturity Assessment Tool and go to tab 2.
    2. Complete the self-assessment in all seven categories:
      1. Control Environment
      2. Roles & Responsibilities
      3. Policies & Procedures
      4. Competence
      5. Planning & Implementation Process
      6. Monitoring & Review
      7. Inventory Processes
    3. Go to tab 3 and examine the graphs produced. Identify the areas in your SAM program that require the most attention and which are already relatively mature.
    4. Use the results of this maturity assessment to focus the efforts of the project moving forward. Return to the assessment after a pre-determined time (e.g. one year later) to track improvement in maturity over time.
    Screenshot of the results page from the SAM Maturity Assessment Tool. Screenshot of the processes page from the SAM Maturity Assessment Tool.

    Step 1.2 Build team and define metrics

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.2.1 Identify roles and responsibilities for SAM team
    • 1.2.2 Identify metrics and KPIs to track the success of your SAM program
    • 1.2.3 Define SAM reports to track metrics
    • CIO/CFO
    • IT Director
    • SAM Manager
    • SAM Team
    • Service Desk Manager

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • A description of the roles and responsibilities of IT staff involved in SAM
    • A list of metrics and reports to track to measure the success of the software asset management program

    Define roles and responsibilities for the SAM program

    Roles and responsibilities should be adapted to fit specific organizational requirements based on its size, structure, and distribution and the scope of the program. Not all roles are necessary and in small organizations, one or two people may fulfill multiple roles.

    Senior Management Sponsor – Ensures visibility and support for the program.

    IT Asset Manager – Responsible for management of all assets and maintaining asset database.

    Software Asset Manager – Responsible for management of all software assets (a subset of the overall responsibility of the IT Asset Manager).

    SAM Process Owner – Responsible for overall effectiveness and efficiency of SAM processes.

    Asset Analyst – Maintains up-to-date records of all IT assets, including software version control.

    Additional roles that interact with SAM:

    • Security Manager
    • Auditors
    • Procurement Manager
    • Legal Council
    • Change Manager
    • Configuration Manager
    • Release and Deployment Manager
    • Service Desk Manager

    Form a software asset management team to drive project success

    Many organizations simply do not have a large enough staff to hire a full-time software asset manager. The role will need to be championed by an internal employee.

    Avoid filling this position with a temporary contract; one of the most difficult operational factors in SAM implementation and continuity is constant turnover and organizational shifts. Hiring a software asset manager on contract might get the project going faster, but without the knowledge gained by doing the processes, the program won’t have enough momentum to sustain itself.

    Software Asset Manager Duties

    • Gather proof of license.
    • Record and track all assets within the SAM repository.
    • Produce compliance reports.
    • Preparation of budget requests.
    • Administration of software renewal process.
    • Contract and support analysis.
    • Document procedures.
    • Ensure project is on track.

    SAM Team Member Duties

    • Record license and contract data in SAM tool.
    • Assist in production of SAM reports.
    • Data analysis.
    • Match tickets to SAM data.
    • Assist in documentation.
    • Assist in compliance reports.
    • Gather feedback from end users.

    Info-Tech Best Practice

    Make sure your SAM team is diverse. The SAM team will need to be skilled at achieving compliance, but there is also a need for technically skilled individuals to maximize the function of the SAM tool(s) at your organization.

    Identify roles and responsibilities for SAM

    Associated Activity icon 1.2.1 Complete a RACI chart for your organization

    Participants: CIO/CFO, IT Director, SAM Manager, SAM Team, Service Desk Manager

    Document: Document in the Standard Operating Procedures.

    Determine the roles and responsibilities for your SAM program. Record the results in a RACI (responsible, accountable, consulted, informed) chart such as the example below.

    SAM Processes and Tasks CIO CFO SAM Manager IT Director Service Management Team IT Ops Security Finance Legal Project Manager
    Policies/Governance A C R R I I C I R I
    Strategy A C R R I I I I C
    Risk Management/Asset Security A C R R C R C C C
    Data Entry/Quality I I A R R
    Compliance Auditing R C A R I I I I
    Education & Training R I A C I I
    Contract Lifecycle Management R R A R C C C C R C
    Workflows R C A R I I I R I C/I
    Budgeting R R R A C R
    Software Acquisition R I A R I C R C C
    Controls/Reporting R I A R I I C I
    Optimize License Harvesting I I A R I C C

    Identify metrics to form the framework of the project

    Trying to achieve goals without metrics is like trying to cook without measuring your ingredients. You might succeed, but you’ll have no idea how to replicate it.

    SAM metrics should measure one of five categories:

    • Quantity → How many do we have? How many do we want?
    • Compliance → What is the level of compliance in a specific area?
    • Duration → How long does it take to achieve the desired result?
    • Financial → What is the cost/value? What is our comparative spend?
    • Quality → How good was the end result? E.g. Completeness, accuracy, timeliness

    The metrics you track depend on your maturity level. As your organization shifts in maturity, the metrics you prioritize for tracking will shift to reflect that change. Example:

    Metric category Low maturity metric High maturity metric
    Compliance % of software installed that is unauthorized % of vendors in effective licensing position (ELP) report
    Quantity % of licenses documented in ITAM tool % of requests made through unauthorized channels

    Associate KPIs and metrics with SAM goals

    • Identify the critical success factors (CSFs) for your software asset management program based on strategic goals.
    • For each success factor, identify the key performance indicators (KPIs) to measure success, as well as specific metrics that will be tracked and reported on.
    • Sample metrics are below:

    CSF = Goal, or what success looks like

    KPI = How achievement of goal will be defined

    Metric = Numerical measure to determine if KPI has been achieved

    CSF/Goal KPI Metrics
    Improve accuracy of software budget and forecasting
    • Reduce software spend by 5%
    • Total software asset spending
    • Budgeted software spend vs. actual software spend
    Avoid over purchasing software licenses and optimize use of existing licenses
    • Reduce number of unused and underused licenses by 10%
    • Number of unused licenses
    • Money saved from harvesting licenses instead of purchasing new ones
    Improve accuracy of data
    • Data in SAM tool matches what is deployed with 95% accuracy
    • Percentage of entitlements recorded in SAM tool
    • Percentage of software titles recognized by SAM tool
    Improved service delivery
    • Reduce time to deploy new software by 10%
    • Mean time to purchase new software
    • Mean time to fulfill new software requests

    Identify metrics and KPIs to track the success of your SAM program

    Associated Activity icon 1.2.2 Brainstorm metrics and KPIs

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. Discuss the goals and objectives of implementing or improving software asset management, based on challenges identified earlier.
    2. From the goals, identify the critical success factors for the SAM program.
    3. For each CSF, identify one to three key performance indicators (KPIs) to evaluate achievement of the success factor.
    4. For each KPI, identify one to three metrics that can be tracked and reported on to measure success. Ensure that the metrics are tangible and measurable.

    Use the table below as an example.

    Goal/CSF KPI Metric
    Improve license visibility Increase accuracy and completeness of SAM data
    • % of total titles included in ITAM tool
    • % of licenses documented in ITAM tool
    Reduce software costs Reduce number of unused software licenses by 20%
    • % of licenses assigned to ex-employees
    • % of deployed licenses that have not been used in the past six months
    Reduce shadow IT Reduce number of unauthorized software purchases and installations by 10%
    • % of software requests made through unauthorized channels
    • % of software installed that is unauthorized

    Tailor metrics and reports to specific stakeholders

    Asset Managers

    Asset managers require data to manage how licenses are distributed throughout the organization. Are there multiple versions of the same application deployed? What proportion of licenses deployed are assigned to employees who are no longer at the organization? What are the usage patterns for applications?

    Service Desk Technicians

    Service desk technicians need real-time data on licenses currently available to deploy to machines that need to be imaged/updated, otherwise there is a risk of breaching a vendor agreement.

    Business Managers and Executives

    Business managers and executives need reports to make strategic decisions. The reports created for business stakeholders need to help them align business projects or business processes with SAM metrics. To determine which reports will provide the most value, start by looking at business goals and determining the tactical data that will help inform and support these goals and their progress.

    Additional reporting guidelines:

    • Dashboards should provide quick-glance information for daily maintenance.
    • Alerts should be set for all contract renewals to provide enough advanced notice (e.g. 90 days).
    • Reports should be automated to provide actionable information to appropriate stakeholders as needed.

    Define SAM reports to track metrics

    Associated Activity icon 1.2.3 Identify reports and metrics to track regularly

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. Identify key stakeholders requiring SAM reports. For each audience, identify their goals and requirements from reporting.
    2. Using the list of metrics identified previously, sort metrics into reports for each audience based on their requirements and goals. Add any additional metrics required.
    3. Identify a reporting frequency for each report.

    Example:

    Stakeholder Purpose Report Frequency
    Asset Manager
    • Manage budget
    • Manage contracts and cash flow
    • Ensure processes are being followed
    Operational budget spent to date Monthly
    Capital budget spent to date Monthly
    Contracts coming due for renewal Quarterly
    Software harvested for redeployment Quarterly
    Number of single applications being managed Annually
    CFO
    • Manage budget
    • Manage cash flow
    Software purchased, operational & capital Monthly
    Software accrued for future purchases Monthly
    Contracts coming due for renewal
    • Include dollar value, savings/spend
    Quarterly
    CIO
    • Resource planning
    • Progress reporting
    Software deployments and redeployments Monthly
    Software rollouts planned Quarterly
    % of applications patched Quarterly
    Money saved Annually
    Number of contracts & apps managed Quarterly

    Step 1.3 Plan the SAM program and budget

    Phase 1:
    Assess & Plan
    This step will walk you through the following activities:This step involves the following participants:

    1.1

    Assess current state
    • 1.3.1 Identify SAM functions to centralize vs. decentralize
    • 1.3.2 Complete the SAM budget tool
    • Project Sponsor
    • IT Director, CIO
    • IT Managers and SAM Manager
    • CFO

    1.2

    Build team and define metrics

    1.3

    Plan & budget

    Step Outcomes

    • Defined scope for the SAM program in terms of the degree of centralization of core functions and contracts
    • A clearer picture of software spend through the use of a SAM budgeting tool.

    Asset managers need to be involved in infrastructure projects at the decision-making stage

    Ensure that your software asset manager is at the table when making key IT decisions.

    Many infrastructure managers and business managers are unaware of how software licensing can impact projects. For example, changes in core infrastructure configuration can have big impacts from a software licensing perspective.

    Mini Case Study

    • When a large healthcare organization’s core infrastructure team decided to make changes to their environment, they failed to involve their asset manager in the decision-making process.
    • When the healthcare organization decided to make changes to their servers, they were running Oracle software on their servers, but the licenses were not being tracked.
    • When the change was being made to the servers, the business contacted Oracle to notify them of the change. What began as a tech services call quickly devolved into a licensing error; the vendor determined that the licenses deployed in the server environment were unauthorized.
    • For breaching the licensing agreement, Oracle fined the healthcare organization $250,000.
    • Had the asset manager been involved in the process, they would have understood the implications that altering the hardware configuration would have on the licensing agreement and a very expensive mistake could have been avoided.

    Decide on the degree of centralization for core SAM functions

    • Larger organizations with multiple divisions or business units will need to decide which SAM functions will be centralized and which, if any, will be decentralized as they plan the scope of their SAM program. Generally, certain core functions should be centralized for the SAM program to deliver the greatest benefits.
    • The degree of centralization may also be broken down by contract, with some contracts centralized and some decentralized.
    • A centralized SAM database gives needed visibility into software assets and licenses across the organization, but operation of the database may also be done locally.

    Centralization

    • Allows for more strategic planning
    • Visibility into software licenses across the organization promotes rationalization and cost savings
    • Ensure common products are used
    • More strategic sourcing of vendors and resellers
    • Centrally negotiate pricing for better deals
    • Easier to manage risk and prepare for audits
    • Greater coordination of resources

    Decentralization

    • May allow for more innovation
    • May be easier to demonstrate local compliance if the organization is geographically decentralized
    • May be easier to procure software if offices are in different countries
    • Deployment and installation of software on user devices may be easier

    Identify SAM functions to centralize vs. decentralize

    Associated Activity icon 1.3.1 Identify functions for centralization

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. If applicable, identify SAM functions that will need to be centralized and evaluate the implications of centralization to ensure it is feasible.
    2. If applicable, identify SAM functions that will be decentralized, if resources are available to manage those functions locally.

    Example:

    Centralized Functions
    • Operation of SAM database
    • SAM budget
    • Vendor selection
    • Contract negotiation and purchasing
    • Data analysis
    • Software receiving and inventory
    • Audits and risk management
    Decentralized functions
    • Procurement
    • Deployment and installation

    Software comprises the largest part of the infrastructure and operations budget

    After employee salaries (38%), the four next largest spend buckets have historically been infrastructure related. Adding salaries and external services, the average annual infrastructure and operations spend is over 50% of all IT spend.

    The largest portion of that spend is on software license and maintenance. As of 2016, software accounted for the roughly the same budget total as voice communications, data communications, and hardware combined. Managing software contracts is a crucial part of any mature budgeting process.

    Graph showing the percentage of all IT spend used for 'Ongoing software license and maintenance' annually. In 2010 it was 17%; in 2018 it was 21%. Graph showing the percentage of all IT spend used for 'Hardware maintenance / upgrades' annually. In 2010 it was 7%; in 2018 it was 8%. Graph showing the percentage of all IT spend used for 'Data communications' annually. In 2010 it was 7%; in 2018 it was 7%. Graph showing the percentage of all IT spend used for 'Voice communications' annually. In 2010 it was 5%; in 2018 it was 7%.

    Gain control of the budget to increase the success of SAM

    A sophisticated software asset management program will be able to uncover hidden costs, identify opportunities for rationalization, save money through reharvesting unused licenses, and improve forecasting of software usage to help control IT spending.

    While some asset managers may not have experience managing budgets, there are several advantages to the ITAM function owning the budget:

    • Be more involved in negotiating pricing with vendors.
    • Build better relationships with stakeholders across the business.
    • Gain greater purchasing power and have a greater influence on purchasing decisions.
    • Forecast software requirements more accurately.
    • Inform benchmarks and metrics with more data.
    • Directly impact the reduction in IT spend.
    • Manage the asset database more easily and have a greater understanding of software needs.
    • Identify opportunities for cost savings through rationalization.

    Examine your budget from a SAM perspective to optimize software spend

    How does examining your budget from a SAM perspective benefit the business?

    • It provides a chance to examine vendor contracts as they break down contracts by projects and services, which gives a clearer picture of where software fits into the budget.
    • It also gives organizations a chance to review vendor agreements and identify any redundancies present in software supporting services.

    Review the budget:

    • When reviewing your budget, implement a contingency fund to mitigate risk from a possible breach of compliance.
    • If your organization incurs compliance issues that relate to specific services, these fines may be relayed back to the departments that own those services, affecting how much money each department has.
    • The more sure you are of your compliance position, the less likely you are to need a contingency fund, and vice versa.

    Info-Tech Best Practice

    Finance needs to be involved. Their questions may cover:

    • Where are the monthly expenditures? Where are our financial obligations? Do we have different spending amounts based on what time of year it is?

    Use the SAM Budget Workbook to uncover insights about your software spend

    Supporting Tool icon 1.3.2 Complete the SAM budget tool

    The SAM Budget Workbook is designed to assist in developing and justifying the budget for software assets for the upcoming year.

    Instructions

    1. Work through tabs 2-6, following the instructions as you go.
    2. Tab 2 involves selecting software vendors and services provided by software.
    3. Tab 3 involves classifying services by vendor and assigning a cost to them. Tab 3 also allows you to classify the contract status.
    4. Tab 4 is a cost variance tracking sheet for software contracts.
    5. Tabs 5 and 6 are monthly budget sheets that break down software costs by vendor and service, respectively.
    6. Tab 7 provides graphs to analyze the data generated by the tool.
    7. Use the results found on tab 7 to analyze your budget: are you spending too much with one service? Is there vendor overlap based on what project or service that software is reporting?
    Screenshots of the 'Budget of Services Supported by Software Vendors' and 'Software Expense cashflow reports by Vendor' pages from the SAM Budget Workbook. Screenshot of the 'Analysis of Data' page from the SAM Budget Workbook.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.3

    Sample of activity 1.1.3 'Determine the maturity of your SAM program'. Determine the maturity of your SAM program

    Using the SAM Maturity Assessment Tool, fill out a series of questions in a survey to assess the maturity of your current SAM program. The survey assesses seven categories that will allow you to align your strategy to your results.

    1.2.3

    Sample of activity 1.2.3 'Define SAM reports to track metrics'. Define SAM reports to track metrics

    Identify key stakeholders with reporting needs, metrics to track to fulfill reporting requirements, and a frequency for producing reports.

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Assess and Plan

    Proposed Time to Completion (in weeks): 4
    Step 1.1: Assess current state Step 1.2: Build team and define metrics Step 1.3: Plan and budget
    Start with an analyst kick-off call:
    • Outline SAM challenges
    • Overview of the project
    • Assess current maturity level
    Review findings with analyst:
    • Define roles and responsibilities of SAM staff
    • Identify metrics and reports to track
    Review findings with analyst:
    • Plan centralization of SAM program
    • Discuss SAM budgeting
    Then complete these activities…
    • Identify challenges
    • Identify objectives of SAM program
    • Assess maturity of current state
    Then complete these activities…
    • Define roles and responsibilities
    • Identify metrics and KPIs
    • Plan reporting
    Then complete these activities…
    • Identify SAM functions to centralize
    • Complete the SAM budgeting tool
    With these tools & templates:
    • SAM Maturity Assessment
    • Standard Operating Procedures
    With these tools & templates:
    • Standard Operating Procedures
    With these tools & templates:
    • SAM Budget Workbook

    Phase 2: Procure, Receive, and Deploy

    VISA used high-quality SAM data to optimize its software licensing

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    Visa formed a SAM team in 2011 to combat costly software audits.

    The team’s first task was to use the available SAM data and reconcile licenses deployed throughout the organization.

    Organizations as large as Visa constantly run into issues where they are grossly over or under licensed, causing huge financial risk.

    Solution

    Data collection and analysis were used as part of the license rationalization process. Using a variety of tools combined with a strong team allowed Visa to perform the necessary steps to gather license data and analyze usage.

    One of the key exercises was uniting procurement and deployment data and the teams responsible for each.

    End-to-end visibility allowed the data to be uniform. As a result, better decisions about license rationalization can be made.

    Results

    By improving its measurement of SAM data, Visa was able to dedicate more time to analyze and reconcile its licenses. This led to improved license management and negotiations that reflected actual usage.

    By improving license usage through rationalization, Visa reduced the cost of supporting additional titles.

    The SAM team also performed license reclamation to harvest and redistribute licenses to further improve usage. The team’s final task was to optimize audit responses.

    Step 2.1 Request and procure software

    Phase 2:
    Procure, Receive & Deploy
    This step will walk you through the following activities:This step involves the following participants:

    2.1

    Request & Procure
    • 2.1.1 Determine which software contracts should be centralized vs. localized
    • 2.1.2 Determine your software standards
    • 2.1.3 Define procurement policy
    • 2.1.4 Identify approvals and requests for authorization thresholds
    • 2.1.5 Build software procurement workflow for new contracts
    • 2.1.6 Define process for contract renewals and additional procurement scenarios
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    2.2

    Receive & Deploy

    Step Outcomes

    • Defined standards for software requests
    • A documented policy for software procurement including authorization thresholds
    • Documented process workflows for new contracts and contract renewals

    Procurement and SAM teams must work together to optimize purchasing

    Procurement and SAM must collaborate on software purchases to ensure software purchases meet business requirements and take into account all data on existing software and licenses to optimize the purchase and contract. Failure to work together can lead to unnecessary software purchases, overspending on purchases, and undesirable contract terms.

    SAM managers must collaborate with Procurement when purchasing software.

    SAM managers should:

    • Receive requests for software licenses
    • Ensure a duplicate license isn’t already purchased before going through with purchase
    • Ensure the correct license is purchased for the correct individuals
    • Ensure the purchasing information is tracked in the ITAM/SAM tool
    • Report on software usage to inform purchases
    Two cartoon people in work attire each holding a piece of a puzzle that fits with the other. Procurement must commit to be involved in the asset management process.

    Procurement should:

    • Review requests and ensure all necessary approvals have been received before purchasing
    • Negotiate optimal contract terms
    • Track and manage purchasing information and invoices and handle financial aspects
    • Use data from SAM team on software usage to decide on contract terms and optimize value

    Centralize procurement to decrease the likelihood of overspending

    Centralized negotiation and purchasing of software can ensure that the SAM team has visibility and control over the procurement process to help prevent overspending and uncontrolled agreements.

    Benefits of centralized procurement

    • Ability to easily manage software demand.
    • Provides capability to effectively manage your relationships with suppliers.
    • Allows for decreased contract processing times.
    • Provides easy access to data with a single consolidated system for tracking assets at an early stage.
    • Reduces number of rogue purchases by individual departments.
    • Efficiency through automation and coordinated effort to examine organization’s compliance and license position.
    • Higher degree of visibility and transparency into asset usage in the organization.

    Info-Tech Insights

    It may be necessary to procure some software locally if organizations have multiple locations, but try to centrally procure and manage the biggest contracts from vendors that are likely to audit the organization. Even with a decentralized model, ensure all teams communicate and that contracts remain visible centrally even if managed locally.

    Standards for software procurement help prevent overspending

    Software procurement is often more difficult for organizations than hardware procurement because:

    • Key departments that need to be involved in the purchasing process do not communicate or interact enough.
    • A fear of software auditing causes organizations to overspend to mitigate risk.
    • Standards are often not in place, with most purchases being made outside of the gold imaging standard.
    • A lack of discovery results in gross overspending on software licenses that are already present and underused.

    Info-Tech Insight

    One of the major challenges involved in implementing SAM is uniting multiple datasets and data sources across the enterprise. A conversation with each major business unit will help with the creation of software procurement standards that are acceptable to all.

    Determine which software contracts should be centralized vs. localized (optional)

    Associated Activity icon 2.1.1 Identify central standard enterprise offerings

    Participants: CIO, IT Director, SAM Manager, SAM Team

    Document: Document in the Standard Operating Procedures.

    1. As a group, list as many software contracts that are in place across the organization as can easily be identified, focusing on top vendors.
    2. Identify which existing software contracts are standard enterprise offerings that are procured and managed centrally and which are non-standard or localized applications.
    3. Looking at the list of non-standard software, identify if any can or should be rationalized or replaced with a standard offering.
    Standard enterprise offerings
    • Microsoft
    • IBM
    • Adobe
    • Dell
    • Cisco
    • VMware
    • Barracuda
    Localized or non-standard software

    Classify your approved software into tiers to improve workflow efficiency

    Not all titles are created equal; classifying your pre-approved and approved software titles into a tiered system will provide numerous benefits for your SAM program.

    The more prestigious the asset tier, the higher the degree of data capture, support, and maintenance required.

    • Mission-critical, high-priority applications are classified as gold standard.
    • Secondary applications or high priority are silver standard.
    • Low-usage applications or normal priority are bronze standard.

    E.g. An enterprise application that needs to be available 24/7, such as a learning management system, should be classified as a gold tier to ensure it has 24/7 support.

    Creating tiers assists stakeholders in justifying the following set of decision points:

    • Which assets will require added maintenance (e.g. software assurance for Microsoft)
    • Technical support requirements to meet business requirements
    • Lifecycle and upgrade cycle of the software assets.
    • Monitoring usage to determine whether licenses can be harvested
    • Authorizations required for purchase requests

    Determine your software standards

    Associated Activity icon 2.1.2 Identify standard software images for your organization

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    1. As a group, discuss and identify the relevant software asset tiers and number of tiers.
    2. For each tier, define:
      • Support requirements (hours and payments)
      • Maintenance requirements (mandatory or optional)
      • Lifecycle (when to upgrade, when to patch)
      • Financial requirements (CapEx/OpEx expenses)
      • Request authorizations (requestors and approvers)
    3. Sort the software contracts identified in the previous category into tiers, for example:
      • Mission-critical software (gold tier)
      • High-priority software (silver tier)
      • Normal-priority software (bronze tier)
    4. Use the SOP as an example.

    Determine which licensing options and methodologies fit into future IT strategy

    Not everyone is ready to embrace the cloud for all solutions; make sure to align cloud strategy to business requirements. Work closely with IT executives to determine appropriate contract terms, licensing options, and tracking processes.

    Vendors make changes to bundles and online services terms on a regular basis. Ensure you document your agreed upon terms to save your required functionality as vendor standard offerings change.

    • Any contracts getting moved to the cloud will need to undergo a contract comparison first.
    • The contract you signed last month could be completely different this month. Many cloud contracts are dynamic in nature.
    • Keep a copy of the electronic contract that you signed in a secure, accessible location.
    • Consider reaching a separate agreement with the vendor that they will ensure you maintain the results of the original agreement to prevent scope creep.

    Not all on-premises to cloud options transition linearly:

    • Features of perpetual licenses may not map to subscriptions
    • Product terms may differ from online services terms
    • Licensing may change from per device to per user
    • Vendor migrations may be more complex than anticipated

    Download the Own the Cloud: Strategy and Action Plan blueprint for more guidance

    Understand the three primary models of software usage agreements

    Licensed Open Source Shareware
    License Structure A software supplier is paid for the permission to use their software. The software is provided free of charge, but is still licensed. The software is provided free of charge, but is still licensed. Usage may be on a trial basis, with full usage granted after purchase.
    Source Code The source code is still owned by the supplier. Source code is provided, allowing users to change and share the software to suit their needs. Source code is property of the original developer/supplier.
    Technical Support Technical support is included in the price of the contract. Technical support may be provided, often in a community-based format from other developers of the open-source software in question. Support may be limited during trial of software, but upgraded once a purchase is made.

    Info-Tech Insight

    Open-source software should be managed in the same manner as commercial software to understand licensing requirements and be aware of any changes to these agreements, such as commercialization of such products, as well as any rules surrounding source code.

    Coordinate with purchasing department to define software procurement policy

    Associated Activity icon 2.1.3 Define procurement policy

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Define and document policies that will apply to IT software purchases, including policies around:

    • Software purchase approvals
    • Licenses for short-term contractors
    • On-premises vs. SaaS purchases
    • Shareware and freeware fees
    • Open-source software

    Use the example below as guidance and document in the SOP.

    • Software will not be acquired through user corporate credit cards, office supply, petty cash, or personal expense budgets. Purchases made outside of the acceptable processes will not be reimbursed and will be removed from company computers.
    • Contractors who are short term and paid through vendor contracts and invoices will supply their own licenses.
    • Software may be purchased as on-premises or as-a-service solutions as IT deems appropriate for the solution.
    • Shareware and freeware authors will be paid the fee they specify for use of their products.
    • Open-source software will be managed in the same manner as commercial software to understand licensing requirements and be aware of any changes to these agreements, such as commercialization of such products.

    Identify approvals and requests for authorization thresholds

    Associated Activity icon 2.1.4 Identify financial thresholds for approvals and requests

    Participants: Asset Manager, Purchasing, CIO, CFO, IT Director

    Document: Document in the Standard Operating Procedures.

    Identify and classify financial thresholds for contracts requiring approval. For each category of contract value, identify who needs to authorize the request. Discuss and document any other approvals necessary. An example is provided below.

    Example:
    Requests for authorization will need to be directed based on the following financial thresholds:

    Contract value Authorization
    <$50,000 IT Director
    $50,000 to $250,000 CIO
    $250,000 to $500,000 CIO and CFO
    >$500,000 Legal review

    Develop a defined process for software procurement

    A poorly defined software procurement workflow can result in overspending on unnecessary software licensing throughout the year. This can impact budgeting and any potential software refreshes, as businesses will often rely on purchasing what they can afford, not what they need.

    Benefits of a defined workflow

    • Standardized understanding of the authorization processes results in reduced susceptibility to errors and quicker processing times.
    • Compliance with legal regulations.
    • Protection from compliance violations.
    • Transparency with the end user by communicating the process of software procurement to the business.

    Elements to include in procurement workflows:

    • RFP
    • Authorizations and approvals
    • Contract review
    • Internal references to numbers, cost centers, locations, POs, etc.

    Four types of procurement workflows:

    1. New contract – Purchasing brand new software
    2. Add to contract – Adding new POs or line items to an existing contract
    3. Contract renewal – Renewing an existing contract
    4. No contract required – Smaller purchases that don’t require a signed contract

    Outline the procurement process for new contracts

    The procurement workflow may involve the Service Desk, procurement team, and asset manager.

    The following elements should be accounted for:

    • Assignee
    • Requestor
    • Category
    • Type
    • Model or version
    • Requisition number
    • Purchase order number
    • Unit price
    A flowchart outlining the procurement process for new contracts. There are three levels, at the top is 'Tier 2 or Tier 3', the middle is 'IT Procurement', the bottom is 'Asset Manager'. It begins in 'Tier 2 or Tier 3' with 'Approved request received', and if it is not declined it moves on to 'Purchasing request forwarded to Procurement' on the 'IT Procurement' level. If an RFP is required, it eventually moves to 'Receives contract' on the 'Asset Manager' level and ends with 'Document license requirements, notify IT Product Owner'.

    Build software procurement workflow for new contracts

    Associated Activity icon 2.1.5 Build new contract procurement workflow

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    1. As a team, outline each of the tasks in the process of procuring a new software asset using cue cards, sticky notes, or a whiteboard.
    2. Use the sample procurement workflow on the previous slide as an example if needed.
    3. Ensure the following elements required for the asset procurement process have been accounted for:
      • Assignee
      • Requestor
      • Category
      • Type
      • Model or version
      • Requisition number
      • Purchase order number
      • Unit price
    4. Review the workflow and make any adjustments necessary to improve the process. Document using Visio and add to the SOP.

    Review vendor contracts to right-size licensing procurement

    Many of your applications come from the same vendor, and a view into the business services provided by each software vendor contract will prove beneficial to the business.

    • You may uncover overlaps in services provided by software across departments.
    • The same service may be purchased from different vendors simply because two departments never compared notes!
    • This leaves a lot of money on the table from a lack of volume discounts.
    A graphic depicting a Venn diagram in which the 'Software' and 'Services' circles overlap, both of which stem from a 'Vendor Contract'.
    • Be cautious about approaching license budgeting strictly from a cost perspective. SAM is designed to right-size your licenses to properly support your organization.
    • One trap organizations often fall into is bundling discounts. Vendors will offer steep discounts if clients purchase multiple titles. On the surface, this might seem like a great offer.
    • However, what often happens is that organizations will bundle titles to get a steep discount on their prize title of the group.
    • The other titles become shelfware, and when the time comes to renew the contract, the maintenance fees on the shelfware titles will often make the contract more expensive than if only the prize title was purchased.

    Additionally, information regarding what licenses are being used for certain services may yield insight into potential redundancies. For example, two separate departments may have each have a different application deployed that supports the same service. This presents an opportunity for savings based on bulk licensing agreements, not to mention a simplified support environment by reducing the number of titles deployed in your environment.

    Define a procedure for tracking and negotiating contract renewals

    Participants: IT Director/CIO, Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Discuss and document a policy for tracking and negotiating contract renewals. Answer the following questions as guides:

    • How will renewal dates be tracked and monitored?
    • How soon should contracts be reviewed prior to renewal to determine appropriateness for use and compliance?
    • What criteria will be used to determine if the product should be renewed?
    • Who will be consulted for contract renewal decisions for major contracts?
    • How will licensing and support decisions be made?

    Optional contract review:

    1. Take a sample contract to renew. Create a list of services that are supported by the software. Look for overlaps, redundancies, shelfware, and potential bundling opportunities. Recall the issues outlined when purchasing bundled software.
    2. Create a list of action items to bring into the next round of contract negotiations with that vendor and identify a start date to begin reviewing these items.

    Define process for contract renewals and additional procurement scenarios

    Associated Activity icon 2.1.6 Build additional procurement workflows

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Build procurement workflows and define policies and procedures for additional purchasing scenarios beyond new contracts.

    This may include:

    1. Contract renewals
    2. Single purchase, non-contract procurement
    3. Adding to contracts

    Use the sample workflows in the Standard Operating Procedures as a guide.

    A flowchart outlining the procurement process for 'Software Contract Renewal'.

    A flowchart outlining the procurement process for 'Software single purchase, non-contract'.

    Negotiate for value to ensure quality license agreements

    Approach negotiating from a value-first, price-second perspective.

    Contract negotiations too often come down to a question of price. While you want to avoid overpaying for licenses, a worse offense is getting a steep discount for a bundle of applications where the majority will go unused.

    Vendors will try to sell a full stack of software at a steep discount to give the illusion of value. Often organizations bite off more than they can chew. When auditors come knocking, the business may be in compliance, but being over-licensed is a dangerous state to be in. Organizations end up over-licensed and in possession of numerous “shelfware” apps that sit on the proverbial shelf collecting dust while drawing expensive maintenance and licensing fees from the business.
    • Pressure from the business is also an issue. Negotiations can be rushed in an effort to fulfill an immediate need.
    • Make sure you clearly outline the level of compliance expected from the vendor.
    • Negotiate reduced-fee software support services. Your Service Desk can already handle the bulk of requests, and investing in a mature Service Desk will provide more lasting value than paying for expensive maintenance and support services that largely go unused.

    Learn to negotiate effectively to optimize contract renewals

    Leverage Info-Tech’s research, Master Contract Review and Negotiation for Software Agreements, to review your software contracts to leverage your unique position during negotiations and find substantial cost savings.

    This blueprint includes the following tools and templates:

    • RASCI Chart
    • Vendor Communication Management Plan
    • Software Business Use Case Template
    • SaaS TCO Calculator
    • Software Terms & Conditions Evaluation Tool
    • Software Buyer’s Checklist
    • Controlled Vendor Communications Letter
    • Key Vendor Fiscal Year End Calendar
    • Contract Negotiation Tactics Playbook

    Step 2.2 Receive and deploy software

    Phase 2:
    Procure, Receive & Deploy
    This step will walk you through the following activities:This step involves the following participants:

    2.1

    Request & Procure
    • 2.2.1 Identify storage locations for software information and media
    • 2.2.2 Design the workflow for receiving software
    • 2.2.3 Design and document the deployment workflow(s)
    • 2.2.4 Create a list of pre-approved, approved, and unapproved software titles
    • 2.2.5 Document the request and deployment process for non-standard software requests
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team
    • Purchasing (optional)
    • Service Desk Manager (optional)
    • Operations (optional)
    • Release & Deployment manager (optional)

    2.2

    Receive & Deploy

    Step Outcomes

    • A strategy for storing software information and media in the ITAM database and DML
    • A documented workflow for the software receiving process
    • Documented process workflows for software requests and deployment, including for large quantities of software
    • A list of pre-approved, approved, and unapproved software titles for deployment
    • A process for responding to non-standard software requests

    Verify product and information upon receipt

    Upon receipt of procured software:

    • Verify that the product is correct
    • Reconcile with purchase record to ensure the order has been completed
    • Verify that the invoice is correct
    • Update financial information such as budget and accounting records
    • Update ITAM database to show status as received
    • Record/attach license keys and software codes in ITAM database
    • Attach relevant documents to record in the ITAM database (license reports, invoices, end-user agreement, etc.)
    • Download and store any installation files, DVDs, and CDs
    • Once software has been installed, verify license is matched to discovered installed software within the ITAM database

    Info-Tech Best Practice

    While most software will be received through email and download, in some cases physical software may be received through courier or mail. Ensure processes and procedures are defined for both cases.

    Establish a secure repository for licenses and documentation

    All licenses, documentation, and digital media for authorized and supported software should be collected and stored in a central, secure location to minimize risk of theft, loss, or unauthorized installation or duplication of software.

    Where to store software data?

    The ITAM database should contain an up-to-date record of all software assets, including their associated:

    • Serial numbers
    • License keys and codes
    • Contracts and agreements

    The database allows you to view software that is installed and associated licenses.

    A definitive media library (DML) is a single logical storage area, which may consist of one or more locations in which definitive authorized versions of all software configuration items are securely stored and protected.

    The DML consists of file storage as well as physical storage of CDs and DVDs and must be continually updated to contain the latest information about each configuration item.

    The DML is used to organize content and link to automated deployment to easily install software.

    Use a definitive media library (DML) to assist in storage of software packages for deployment

    The DML will usually contain the most up-to-date versions to minimize errors created by having unauthorized, old, or problematic software releases being deployed into the live IT environment. The DML can be used for both full-packed product (FPP) software and in-house developed software, providing formalized data around releases of in-house software.

    The DML should consist of two main storage areas:

    1. Secure file storage
    2. Secure physical storage for any master CD/DVDs

    Additional Recommendations:

    • The process of building, testing, adapting, and final pre-production testing should provide your IT department with a solid final deployment package, but the archive will enable you to quickly pull in a previous version if necessary.
    • When upgrading software packages to include new patches or configurations, use the DML to ensure you're referencing a problem-free version.
    • Include the DML in your disaster recovery plan (DRP) and include testing of the DML as part of your DRP testing. If you need to rebuild servers from these files, offsite, you'll want to know your backup DML is sound.

    Ensure you have a strategy to create and update your DML

    Your DML should have a way to separate archived, new, and current software to allow for optimal organization of files and code, to ensure the correct software is installed, and to prepare for automated deployment through the service catalog.

    New software hasn’t been tested yet. Make it available for testing, but not widely available.

    Keep a record for archived software, but do not make it available for install.

    Current software is regularly used and should be available for install.

    Deployment

    • Are you using tools to integrate with the DML for deployment?
    • Store files that are ready for automated deployment in a separate location.

    Identify storage locations for software information and media

    Associated Activity icon 2.2.1 Identify software storage locations

    Participants: Asset Manager, IT Director

    Document: Document in the Standard Operating Procedures.

    1. Identify storage locations for asset data that is received (i.e. ITAM database, DML).
    2. Identify information that should be stored with each asset (i.e. license, serial number, invoice, end-user license agreement) and where this information should be stored.
    3. Identify fields that should be populated in the DML for each record:
      • Product name
      • Version
      • Description
      • Authorized by
      • Received by/date
      • Configuration item on which asset is installed
      • Media
      • Physical and backup locations
      • Verified by/date

    Define the standard process for receiving software

    Define the following in your receiving process:

    • Process for software received by email/download
    • Process for physical material received at Service Desk
    • Information to be recorded and where
    • Process following discrepancy of received software
    A flowchart outlining the standard process for receiving software. There are two levels, at the top is 'Desktop Support Team' and the bottom is 'Procurement'. It begins in 'Desktop Support Team' with 'Received at Service Desk' or 'Receive by email/download'. If the reconciliation is correct it eventually moves on to 'Fulfill service request, deliver and close ticket'. If the reconciliation is not correct it moves to 'Contact vendor with discrepancy details' in 'Procurement'. If a return is required 'Repackage and ship', or if not 'Notify Desktop Support Team of resolution'.

    Design the workflow for receiving software

    Associated Activity icon 2.2.2 Design the workflow for receiving software

    Participants: Asset Manager, Purchasing, Service Desk Manager, Operations (optional)

    Document: Document in the Standard Operating Procedures.

    Option 1: Whiteboard

    1. Discuss the workflow and draw it on the whiteboard.
    2. Assess whether you are using the best workflow. Modify it if necessary.
    3. Use the sample workflow from this step as a guide if starting from scratch.
    4. Engage the team in refining the process workflow.
    5. Transfer data to Visio and add to the SOP.

    Option 2: Tabletop Exercise

    1. Distribute index cards to each member of the team.
    2. Have each person write a single task they perform on the index card. Be granular. Include the title or the name of the person responsible.
    3. Mark cards that are decision points. Use a card of a different color or use a marker to make a colored dot.
    4. Arrange the index cards in order, removing duplicates.
    5. Assess whether you are using the best workflow. Engage the team to refine it if necessary.
    6. Transfer data to Visio and add to the SOP.

    Build release management into your software deployment process

    A sound software deployment process is tied to sound release management practices.

    Releases: A collection of authorized changes to an IT service. Releases are divided into:

    • Major software releases/upgrades: Normally containing large areas of new functionality, some of which may make intervening fixes to redundant problems.
    • Minor software releases/upgrades: Normally containing small enhancements and fixes, some of which may have already been issued as emergency fixes.
    • Emergency software fixes: Contain the corrections to a small number of known problems.

    Ensure that release management processes work with SAM processes:

    • If a release will impact licensing, the SAM manager must be made aware to make any necessary adjustments.
    • Deployment models should be in line with SAM strategy (i.e. is software rolled out to everyone or individually when upgrades are needed?).
    • How will user requests for upgrades be managed?
    • Users should be on the same software version to ensure file compatibility and smooth patch management.
    • Ideally, software should be no more than two versions back.

    Document the process workflow for software deployment

    Define the process for deploying software to users.

    Include the following in your workflow:

    • All necessary approvals
    • Source of software
    • Process for standard vs. non-standard software requests
    • Update ITAM database once software has been installed with license data and install information
    A flowchart outlining the process workflow for software deployment. There are four levels, at the top is 'Business', then 'Desktop Support Team', 'Procurement', and the bottom is 'Asset Manager'. It begins in 'Business' with 'Request for software', and if it is approved by the manager it moves to 'Check DB: Can a volume serial # be used?' in 'Desktop Support Team'. If yes, it eventually moves on to 'Close ticket' on the same level, if not it eventually moves to 'Initiate procurement process' in 'Procurement', 'Initiate receiving process' in 'Asset Manager', and finally to 'Run quarterly license review to purchase volume licenses'.

    Large-scale software rollouts should be run as projects

    Rollouts or upgrades of large quantities of software will likely be managed as projects.

    These projects should include project plans, including resources, timelines, and detailed procedures.

    Define the process for large-scale deployment if it will differ from the regular deployment process.

    A flowchart outlining large-scale software rollouts. There are three levels, at the top is 'IT Procurement', then 'Asset Manager', and the bottom is 'Software Packager'. It begins in 'IT Procurement' with 'Project plan approved', and if a bid is not required it skips to 'Sign contract/Create purchase order'. This eventually moves to 'Receive access to eLicense site/receive access to new product' in 'Asset Manager', and either to 'Approve invoice for payment, forward to accounting' on the same level or to 'Download software, license keys' in 'Software Packager' then eventually to 'Deploy'.

    Design and document the deployment workflow(s)

    Associated Activity icon 2.2.3 Document deployment workflows for desktop and large-scale deployment

    Participants: Asset Manager, Service Desk Manager, Release & Deployment Manager

    Document: Document in the Standard Operating Procedures.

    1. Outline each step in the process of software deployment using notecards or on a whiteboard. Be as granular as possible. On each card, describe the step and the individual responsible for each step.
      • Be sure to identify the type of release for standard software releases and patches.
      • Additionally, identify how additional software outside the scope of the base image will be addressed.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, considering people, processes, and available technology.
    4. Document separately the process for large-scale software deployment if required.

    Develop standards to streamline your software estate

    Software should be approved and deployed based on approved standards to minimize over-deployed software and manage costs appropriately. A list of standard software improves the efficiency of the software approval process.

    • Pre-approved titles include basic platforms like Office or Adobe Reader that are often available in enterprise-wide license packages.
    • Approved titles include popular titles with license numbers that need to be managed on a role-by-role basis. For example, if most of your marketing team uses the Adobe Creative Suite, a user still needs to get approval before they can get a license.
    • Unapproved titles are managed on a case-by-case basis and are up to the discretion of the asset manager and other involved parties.

    Additionally, create a list of unauthorized software including titles not to be installed under any circumstances. This list should be designed with feedback from your end users and technical support staff. Front-line knowledge is crucial to identifying which titles are causing major problems.

    Create a list of pre-approved, approved, and unapproved software titles

    Associated Activity icon 2.2.4 Determine software categories for deployment

    Participants: IT Director, Asset Manager, Purchasing (optional), Service Desk Manager (optional), Release & Deployment Manager (optional)

    Document: Document in the Standard Operating Procedures.

    1. Define software categories that will be used to build software standards.
    2. Include definitions of each category.
    3. Add examples of software to each category to begin building list of approved software titles for deployment.

    Use the following example as a guide.

    Category Definition Software titles
    Pre-approved/standard
    • Supported and approved for install for all end users
    • Included on most, if not all devices
    • Typically installed as a base image
    • Microsoft Office (Outlook, Word, Excel, PowerPoint)
    • Adobe Reader
    • Windows
    Approved by role
    • Supported and approved for install, but only for certain groups of end users
    • Popular titles with license numbers that need to be managed on a role-by-role basis
    • Pre-approved for purchase with business manager’s approval
    • Adobe Creative Cloud Suite
    • Adobe Acrobat Pro
    • Microsoft Visio
    Unapproved/requires review
    • Not previously approved or installed by IT
    • Special permission required for installation based on demonstrable business need
    • Managed on a case-by-case basis
    • Up to the discretion of the asset manager and other involved parties
    • Dynamics
    • Zoom Text
    • Adaptive Insights
    Unauthorized
    • Not to be installed under any circumstances
    • Privately owned software
    • Pirated copies of any software titles
    • Internet downloads

    Define the review and approval process for non-standard software

    Software requiring review will need to be managed on a case-by-case basis, with approval dependent on software evaluation and business need.

    The evaluation and approval process may require input from several parties, including business analysts, Security, technical team, Finance, Procurement, and the manager of the requestor’s department.

    A flowchart outlining the review and approval process for non-standard software. There are five levels, at the top is 'Business Analyst/Project Manager', then 'Security Team', 'Technical Team', 'Financial & Contract Review' and the bottom is 'Procurement'. It begins in 'Business Analyst/Project Manager' with 'Request for non-standard software', and if the approved product is available it moves to 'Evaluate tool for security, data, and privacy compliance' in 'Security Team'. If more evaluation is necessary it moves to 'Evaluate tool for infrastructure and integration requirements' in 'Technical Team', and then 'Evaluate terms and conditions' in 'Financial & Contract Review'. At any point in the evaluation process it can move back to the 'Business Analyst/Project Manager' level for 'Assemble requirements details', and finally down to the 'Procurement' level for 'Execute purchase'.

    Document the request and deployment process for non-standard software

    Associated Activity icon 2.2.5 Document process for non-standard software requests

    Participants: Asset Manager, Service Desk Manager, Release & Deployment Manager

    Document: Document in the Standard Operating Procedures.

    Define the review and approval process for non-standard software requests.

    Use the workflow on the previous slide as a guide to map your own workflow process and document the steps in the Standard Operating Procedures.

    The following assessments may need to be included in the process:

    • Functionality and use requirements: May include suggestion back to the business before proceeding any further to see if similar, already approved software could be used in its place.
    • Technical specifications: Cloud, data center, hardware, backups, integrations (Active Directory, others), file, and program compatibility.
    • Security: Security team may need to assess to ensure nothing will install that will compromise data or systems security.
    • Privacy policy: Security and compliance team may need to evaluate the solution to ensure data will be secured and accessed only by authorized users.
    • Terms and conditions: The contracts team may evaluate terms and conditions to ensure contracts and end-user agreements do not violate existing standards.
    • Accessibility and compliance: Software may be required to meet accessibility requirements in accordance with company policies.

    BMW deployed a global data centralization program to achieve 100% license visibility

    Logo for BMW.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    BMW is a large German automotive manufacturer that employs over 100,000 people. It has over 7,000 software products deployed across 106,000 clients and servers in over 150 countries.

    When the global recession hit in 2008, the threat of costly audits increased, so BMW decided to boost its SAM program to cut licensing costs. It sought to centralize inventory data from operations across the globe.

    Solution

    A new SAM office was established in 2009 in Germany. The SAM team at BMW began by processing all the accumulated license and installation data from operations in Germany, Austria, and the UK. Within six months, the team had full visibility of all licenses and software assets.

    Compliance was also a priority. The team successfully identified where they could make substantial reductions in support and maintenance costs as well as remove surplus costs associated with duplicate licensing.

    Results

    BMW overcame a massive data centralization project to achieve 100% visibility of its global licensing estate, an incredible achievement given the scope of the operation.

    BMW experienced efficiency gains due to transparency and centralized management of licenses through the new SAM office.

    Additionally, internal investment in training and technical knowledge has helped BMW continuously improve the program. This has resulted in ongoing cost reductions for the manufacturer.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.5

    Sample of activity 2.1.5 'Build software procurement workflow for new contracts'. Build software procurement workflow for new contracts

    Use the sample workflow to document your own process for procurement of new software contracts.

    2.2.4

    Sample of activity 2.2.4 'Create a list of pre-approved, approved, and unapproved software titles'. Create a list of pre-approved, approved, and unapproved software titles

    Build definitions of software categories to inform software standards and brainstorm examples of each category.

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Procure, receive, and deploy

    Proposed Time to Completion (in weeks): 6
    Step 2.1: Request and procureStep 2.2: Receive and deploy
    Start with an analyst kick-off call:
    • Define standards for software requests
    • Build procurement policy
    • Define procurement processes
    Review findings with analyst:
    • Build processes for software receiving
    • Build processes for software requests and deployment
    • Define process for non-standard requests
    Then complete these activities…
    • Determine software standards
    • Define procurement policy
    • Identify authorization thresholds
    • Build procurement workflows for new contracts and renewals
    Then complete these activities…
    • Identify storage locations for software information
    • Design workflow for receiving software
    • Design workflow for software deployment
    • Create a list of approved and non-standard requests
    • Define process for non-standard requests
    With these tools & templates:
    • Standard Operating Procedures
    With these tools & templates:
    • Standard Operating Procedures

    Phase 3: Manage, Redeploy, and Retire

    Step 3.1 Manage and maintain software contracts

    Phase 3:
    Manage, Redeploy & Retire
    This step will walk you through the following activities:This step involves the following participants:

    3.1

    Manage & Maintain Software
    • 3.1.1 Define process for conducting software inventory
    • 3.1.2 Define policies for software maintenance and patches
    • 3.1.3 Document your patch management policy
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team
    • Release Manager (optional)
    • Security (optional)

    3.2

    Harvest, Redeploy, or Retire

    Step Outcomes

    • A process for conducting regular software inventory checks and analyzing the data to continually manage software assets and license compliance.
    • An understanding of software maintenance requirements
    • A policy for conducting regular software maintenance and patching
    • A documented patch management policy

    Manage your software licenses to decrease your risk of overspending

    Many organizations fail to track their software inventory effectively; the focus often remains on hardware due to its more tangible nature. However, annual software purchases often account for a higher IT spend than annual hardware purchases, so it’s important to track both.

    Benefits of managing software licenses

    • Better control of the IT footprint. Many companies already employ hardware asset management, but when they employ SAM, there is potential to save millions of dollars through optimal use of all technology assets.
    • Better purchasing decisions and negotiating leverage. Enhanced visibility into actual software needs means not only can companies procure and deploy the right increments of software in the right areas, but they can also do so more cost-effectively through tools such as volume purchase agreements or bundled services.
    • No refund policy combined with shelfware (software that sits unused “on the shelf”) is where software companies make their money.
    • Managing licenses will help prevent costly audit penalties. Special attention should be paid to software purchased from large vendors such as Microsoft, Oracle, Adobe, SAP, or IBM.

    Maintain a comprehensive, up-to-date software inventory to manage licenses effectively

    A clearly defined process for inventory management will reduce the risk of over buying licenses and falling out of compliance.

    • A detailed software inventory and tracking system should act as a single point of contact for all your license data.
    • Maintain a comprehensive inventory of installed software through complete and accurate records of all licenses, certifications, and software purchase transactions, storing these in a secure repository.
    • Periodically review installed software and accompanying licenses to ensure only legal and supported software is in use and to ensure ongoing compliance with the software management policy.

    Info-Tech Best Practice

    Have and maintain a list of supported software to guide what new software will be approved for purchase and what current software should be retained on the desktops, servers, and other processing devices.

    Conduct a baseline inventory of deployed software to know what you have

    You have to know what you have before you can manage it.

    A baseline inventory tells you exactly what software you have deployed and where it is being used. This can help to determine how to best optimize software and license usage.

    A software inventory will allow you to:

    • Identify all software residing on computers.
    • Compare existing software to the list of supported software.
    • Identify and delete illegal or unsupported software.
    • Identify and stop software use that violates license agreements, copyright law, or organizational policies.

    Two methods for conducting a software inventory:

    1. If you have several computers to analyze, use automated tools to conduct inventory for greater accuracy and efficiency. Software inventory or discovery tools scan installed software and generate inventory reports, while asset management tools will help you manage that data.
    2. Manual inventory may be possible if your organization has few computers.

    How to conduct a manual software inventory:

    1. Record serial number of device being analyzed.
    2. Record department and employee to whom the computer is assigned.
    3. Inspect contents of hard drive and/or server to identify software as well as hidden files and directories.
    4. Record licensing information for software found on workstation and server.
    5. Compare findings with list of supported software and licenses stored in repository.

    Keep the momentum going through regular inventory and licensing checks

    Take preventive action to avoid unauthorized software usage through regular software inventory and license management:

    • Regularly update the list of supported software and authorized use.
    • Monitor and optimize software license usage.
    • Continually communicate with and train employees around software needs and policies.
    • Maintain a regular inventory schedule to keep data up to date and remain compliant with licensing requirements – your specific schedule will depend on the size of the company and procurement schedule.
    • Conduct random spot inventories – even if you are using a tool, periodic spot checks should still be performed to ensure accuracy of inventory.
    • Periodically review software procurement records and ensure procurement process is being followed.
    • Continuously monitor software installations on networked computers through automated tools.
    • Ensure software licensing documentation and data is secure.

    Define process for conducting software inventory

    Associated Activity icon 3.1.1 Define process for regular software inventory

    Participants: IT Director, Asset Manager

    Document: Document in the Standard Operating Procedures.

    1. If a baseline software inventory has not been conducted, discuss and document a plan for completing the inventory.
      • Will the inventory be conducted manually or through automated tools?
      • If manually, what information will be collected and recorded? Which devices will be analyzed? Where will data be stored?
      • If automatically, which tools will be used? Will any additional information need to be collected? Who will have access to the inventory?
      • When will the inventory be conducted and by whom?
        • Monthly inventory may be required if there is a lot of change and movement, otherwise quarterly is usually sufficient.
    2. Document how inventory data will be analyzed.
      • How will data be compared against supported software?
      • How will software violations be addressed?
    3. Develop a plan for continual inventory spot checks and maintenance.
      • How often will inventory be conducted and/or analyzed?
      • How often will spot checks be performed?

    Don’t forget that software requires maintenance

    While maintenance efforts are typically focused around hardware, software maintenance – including upgrades and patches – must be built into the software asset management process to ensure software remains compliant with security and regulatory requirements.

    Software maintenance guidelines:

    • Maintenance agreements should be stored in the ITAM database.
    • Software should be kept as current as possible. It is recommended that software remain no more than two versions off.
    • Unsupported software should be uninstalled or upgraded as required.
    • Upgrades should be tested, especially for high-priority or critical applications or if integrated with other applications.
    • Change and release management best practices should be applied for all software upgrades and patches.
    • A process should be defined for how often patches will be applied to end-user devices.

    Integrate patch management with your SAM practice to improve security and reduce downtime

    The integration between patch management and asset management is incredibly valuable from a technology point of view. IT asset management (ITAM) tools create reports on the characteristics of deployed software. By combining these reports with a generalized software updater, you can automate most simple patches to save your team’s efforts for more-critical incidents. Usage reports can also help determine which applications should be reviewed and removed from the environment.

    • In recent years, patch management has grown in popularity due to widespread security threats, the resultant downtime, and expenses associated with them.
    • The main objective of patch management is to create a consistently configured environment that is secure against known vulnerabilities in operating systems and application software.

    Assessing new patches should include questions such as:

    • What’s the risk of releasing the patch? What is the criticality of the system? What end users will be affected?
    • How will we manage business disruption during an incident caused by a failed patch deployment?
    • In the event of service outage as a result of a failed patch deployment, how will we recover services effectively in business priority order?
    • What’s the risk of expediting the patch? Of not releasing the patch at all?

    Define policies for software maintenance and patches

    Associated Activity icon 3.1.2 Define software maintenance and patching policies

    Participants: IT Director, Asset Manager, Release Manager (optional), Security (optional)

    Document: Document in the Standard Operating Procedures.

    Software maintenance:

    Review the software maintenance guidelines in this section and in the SOP template. Discuss each policy and revise and document in accordance with your policies.

    Patch management:

    Discuss and document patch management policies:

    1. How often will end-user devices receive patches?
    2. How often will servers be patched?
    3. How will patches be prioritized? See example below.
      • Critical patches will be applied within two days of release, with testing prioritized to meet this schedule.
      • High-priority patches will be applied within 30 days of release, with testing scheduled to meet this requirement.
      • Normal-priority patches will be evaluated for appropriateness and will be installed as needed.

    Document your patch management policy

    Supporting Tool icon 3.1.3 Use the Patch Management Policy template to document your policy

    The patch management policy helps to ensure company computers are properly patched with the latest appropriate updates to reduce system vulnerability and to enhance repair application functionality. The policy aids in establishing procedures for the identification of vulnerabilities and potential areas of functionality enhancements, as well as the safe and timely installation of patches. The patch management policy is key to identifying and mitigating any system vulnerabilities and establishing standard patch management practices.

    Use Info-Tech’s Patch Management Policy template to get started.

    Sample of the 'Patch Management Policy' template.

    Step 3.2 Harvest, Redeploy, or Retire Software

    Phase 3:
    Manage, Redeploy & Retire
    This step will walk you through the following activities:This step involves the following participants:

    3.1

    Manage & Maintain Software
    • 3.2.1 Map your software license harvest and reallocation process
    • 3.2.2 Define the policy for retiring software
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    3.2

    Harvest, Redeploy, or Retire

    Step Outcomes

    • A defined process for harvesting and reallocating unused software licenses
    • A defined policy for how and when to retire unused or outdated software

    Harvest and reallocate software to optimize license usage

    Using a defined process for harvesting licenses will yield a crop of savings throughout the organization.

    Unused software licenses are present in nearly every organization and result in wasted resources and software spend. Recycling and reharvesting licenses is a critical process within software asset management to save your organization money.

    Licensing Recycling

    When computers are no longer in use and retired, the software licenses installed on the machines may be able to be reused.

    License recycling involves reusing these licenses on machines that are still in use or for new employees.

    License Harvesting

    License harvesting involves more actively identifying machines with licenses that are either not in use or under utilized, and recovering them to be used elsewhere, thus reducing overall software spend on new licenses.

    Use software monitoring data to identify licenses for reallocation in alignment with policies and agreements

    1. Monitor software usage
      Monitor and track software license usage to gain a clear picture of where and how existing software licenses are being used and identify any unused or underused licenses.
    2. Identify licenses for reharvesting
      Identify software licenses that can be reharvested and reallocated according to your policy.
    3. Uninstall software
      Notify user, schedule a removal time if approved, uninstall software, and confirm it has been removed.
    4. Reallocate license when needed

    Sources of surplus licenses for harvest:

    • Projects that required a license during a particular time period, but now do not require a license (i.e. the free version of the software will suffice)
    • Licenses assigned to users no longer with the organization
    • Software installed on decommissioned hardware
    • Installed software that hasn’t been used by the user in the last 90 days (or other defined period)
    • Over-purchased software due to poorly controlled software request, approval, or provisioning processes

    Info-Tech Insight

    Know the stipulations of your end-user license agreement (EULA) before harvesting and reallocating licenses. There may be restrictions on how often a license can be recycled in your agreement.

    Create a defined process for software license harvesting

    Define a standard reharvest timeline. For example, every 90 days, your SAM team can perform an internal audit using your SAM tool to gather data on software usage. If a user has not used a title in that time period, your team can remove that title from that user’s machine. Depending on the terms and conditions of the contract, the license can either be retired or harvested and reallocated.

    Ensure you have exception rules built in for software that’s cyclical in its usage. For example, Finance may only use tax software during tax season, so there’s no reason to lump it under the same process as other titles.

    It’s important to note that in addition to this process, you will need a software usage policy that supports your license harvest process.

    The value of license harvesting

    • Let’s say you paid for 1,000 licenses of a software title at a price of $200 per license.
    • Of this total, 950 have been deployed, and of that total, 800 are currently being used.
    • This means that 16% of deployed licenses are not in use – at a cost of $30,000.
    • With a defined license harvest process, this situation would have been prevented.

    Build a workflow to document the software harvest process

    Include the following in your process:

    • How will unused software be identified?
    • How often will usage reports be reviewed?
    • How will the user be notified of software to be removed?
    • How will the software be removed?
    A flowchart documenting the software harvest process. There are two levels, at the top is 'IT Asset Manager', and the bottom is 'Desktop Support Team'. It begins in 'IT Asset Manager' with 'Create/Review Usage Report', and if the client agrees to removal it moves to 'License deactivation required?' in 'Desktop Support Team'. Eventually you 'Close ticket' and it moves back up to 'Discovery tool will register change automatically' in 'IT Asset Manager'.

    Map your software license harvest and reallocation process

    Associated Activity icon 3.2.1 Build license harvest and reallocation workflow

    Participants: IT Director, Asset Manager, Service Desk Manager

    Document: Document in the Standard Operating Procedures.

    1. Outline each step in the process of software harvest and reallocation using notecards or a whiteboard. Be as granular as possible. On each card, describe the step and the individual responsible for each step.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, considering people, processes, and available technology.
    4. Use the sample workflow on the previous slide as a guide if needed.

    The same flowchart documenting the software harvest process from the previous section.

    Improve your software retirement process to drive savings for the whole business

    Business Drivers for Software Disposal

    • Cost Reduction
      • Application retirement allows the application and the supporting hardware stack to be decommissioned.
      • This eliminates recurring costs such as licensing, maintenance, and application administration costs, representing potentially significant savings
    • Consolidation
      • Many legacy applications are redundant systems. For example, many companies have ten or more legacy financial systems from mergers/acquisitions.
      • Systems can be siloed, running incompatible software. Moving data to a common accessible repository streamlines research, audits, and reporting.
    • Compliance
      • An increased focus on regulations places renewed emphasis on e-discovery policies. Keeping legacy applications active just to retain data is an expensive proposition.
      • During application retirement, data is classified, assigned retention policies, and disposed of according to data/governance initiatives.
    • Risk Mitigation
      • Relying on IT to manage legacy systems is problematic. The lack of IT staff familiar with the application increases the potential risk of delayed responses to audits and e-discovery.
      • Retiring application data to a common platform lets you leverage skills you have current investments in. This enables you to be responsive to audit or litigation results.

    Retire your outdated software to decrease IT spend on redundant applications

    Benefits of software retirement:

    1. Assists the service desk in not having to support every release, version, or edition of software that your company might have used in the past.
    2. Stay current with product releases so your company is better placed to take advantage of improvements built-in to such products, rather than being limited by the lack of a newly introduced function.
    3. Removing software that is no longer of commercial benefit can offer a residual value through assets.

    Consequences of continuing to support outdated software:

    • Budgets are tied up to support existing applications and infrastructure, which leaves little room to invest in new technologies that would otherwise help grow business.
    • Much of this software includes legacy systems that were acquired or replaced when new applications were deployed. The value of these outdated systems decreases with every passing year, yet organizations often continue to support these applications.
      • Fear of compliance and data access are the most common reasons.
    • Unfortunately, the cost of doing so can consume over 50% of an overall IT budget.

    The solution to this situation is to retire outdated software.

    “Time and time again, I keep hearing stories from schools on how IT budgets are constantly being squeezed, but when I dig a little deeper, little or no effort is being made on accounting for software that might be on the kit we are taking away.” (Phil Goldsmith, Managing Director – ScrumpyMacs)

    Define the policy for retiring software

    Associated Activity icon 3.2.2 Document process for software retirement

    Participants: IT Director, Asset Manager, Operations

    Document: Document in the Standard Operating Procedures.

    1. Discuss and document the process for retiring software that has been deemed redundant due to changing business needs or an improvement in competitive options.
    2. Consider the following:
      • What criteria will determine when software is suited for retirement?
      • The contract should always be reviewed before making a decision to ensure proper notice is given to the vendor.
      • Notice should be provided as soon as possible to ensure no additional billing arrives for renewals.
      • How will software be removed from all devices? How soon must the software be replaced, if applicable?
      • How long will records be archived in the ITAM database?
    3. Document decisions in the Standard Operating Procedures.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.2

    Sample of activity 3.1.2 'Define policies for software maintenance and patches'. Define policies for software maintenance and patches

    Discuss best practices and define policies for conducting regular software maintenance and patching.

    3.2.1

    Sample of activity 3.3.1 'Assess the maturity of audit management processes and policies'. Map your software license harvest and reallocation process

    Build a process workflow for harvesting and reallocating unused software licenses.

    Phase 3 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Manage, redeploy, and retire

    Proposed Time to Completion (in weeks): 4
    Step 3.1: Manage and maintain softwareStep 3.2: Harvest, redeploy, or retire
    Start with an analyst kick-off call:
    • Define a process for conducting software inventory
    • Define a policy for software maintenance
    • Build a patch management policy
    Review findings with analyst:
    • Build a process for harvesting and reallocating software licenses
    • Define a software retirement policy
    Then complete these activities…
    • Define process for conducting software inventory
    • Define policies for software maintenance
    • Document patch management policy
    Then complete these activities…
    • Map software harvest and reallocation process
    • Define software retirement policy
    With these tools & templates:
    • Standard Operating Procedures
    • Patch Management Policy
    With these tools & templates:
    • Standard Operating Procedures

    Phase 4: Build Supporting Processes & Tools

    Visa used an internal SAM strategy to win the audit battle

    Logo for VISA.

    Case Study

    Industry: Financial Services
    Source: SAM Summit 2014

    Challenge

    The overarching goal of any SAM program is compliance to prevent costly audit fines. The SAM team at Visa was made up of many individuals who were former auditors.

    To deal with audit requests from vendors, “understand how auditors do things and understand their approach,” states Joe Birdsong, SAM Director at Visa.

    Vendors are always on the lookout for telltale signs of a lucrative audit. For Visa, the key was to understand these processes and learn how to prepare for them.

    Solution

    Vendors typically look for the following when evaluating an organization for audit:

    1. A recent decrease in customer spend
    2. How easy the licensed software is to audit
    3. Organizational health

    Ultimately, an audit is an attack on the relationship between the vendor and organization. According to Birdsong: “Maybe they haven’t really touched base with your teams and had good contact and relationship with them, and they don’t really know what’s going on in your enterprise.”

    Results

    By understanding the motivations behind potential audits, Visa was able to form a strategy to increase transparency with the vendor.

    Regular data collection, almost real-time reporting, and open, quick communication with the vendor surrounding audits made Visa a low-risk client for vendors.

    Buy-in from management is also important, and the creation of an official SAM strategy helps maintain support. Thanks to its proactive SAM program, Visa saved $200 million in just three years.

    Step 4.1 Ensure compliance for audits

    Phase 4:
    Build supporting processes & tools
    This step will walk you through the following activities:This step involves the following participants:

    4.1

    Compliance & audits
    • 4.1.1 Define and document the internal audit process
    • 4.1.2 Define and document the external audit process
    • 4.1.3 Prepare an audit scoping email template
    • 4.1.4 Prepare an audit launch email template
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    4.2

    Communicate & build roadmap

    Step Outcomes

    • An understanding of the audit process and importance of audit preparation
    • A defined process for conducting regular internal audits to prepare for and defend against external audits
    • A strategy and documented process for responding to external audit requests

    Take a lifecycle approach to your software compliance process

    Internal audits are an effective way for organizations to regularly assess their licensing position in preparation for an audit.

    1. Gather License Data
      Use your SAM tool to run a discovery check to determine the current state of your software estate.
    2. Improve Data Quality
      Scan the data for red flags. Improve its completeness, consistency, and quality.
    3. Identify Audit Risks
      Using corrected license data, examine your reports and identify areas of risk within the organization.
    4. Identify priority titles
      Determine which titles need attention first by using the output of the license rationalization step.
    5. Reconcile to eliminate gaps
      Ensure that the correct number of licenses are deployed for each title.
    6. Draft Vendor Response
      Prepare response to vendor for when an audit has been requested.

    Improve audit response maturity by leveraging technology and contract data

    By improving your software asset management program’s maturity, you will drive savings for the business that go beyond the negotiating table.

    Recognize the classic signs of each stage of audit response maturity to identify where your organization currently stands and where it can go.

    • Optimized: Automated tools generate compliance, usage, and savings reports. Product usage reports and alerts in place to harvest and reuse licenses. Detailed savings reports provided to executive team.
    • Proactive: Best practices enforced. Compliance positions are checked quarterly, and compliance reports are used to negotiate software contracts.
    • Reactive: Best practices identified but unused. Manual tools still primarily in use. Compliance reports are time-consuming and often inaccurate.
    • Chaotic: Purchases are ad hoc and transaction based. Minimal tracking in place, leading to time-consuming manual processes.

    Implement a proactive internal audit strategy to defend against external audits

    Audits – particularly those related to software – have been on the rise as vendors attempt to recapture revenue.

    Being prepared for an audit is critical. Internal preparation will not only help your organization reduce the risk associated with an audit but will also improve daily operations through focusing on diligent documentation and data collection.

    Conducting routine internal audits will help prepare your organization for the real deal and may even prevent the audit from happening altogether. Hundreds of thousands of dollars can be saved through a proactive audit strategy with routine documentation in place.

    In addition to the fines incurred from a failed audit, numerous other negative consequences can arise:

    • Multiple audits: Failing an audit makes the organization more likely to be audited again.
    • Poor perception of IT: Unless non-compliance was previously disclosed to the business, IT can be deemed responsible.
    • Punitive injunctions: If a settlement is not reached, vendors will apply for an injunction, inhibiting use of their software.
    • Inability to justify purchases: IT can have difficulty justifying the purchase of additional resources after a failed audit.
    • Disruption to business: Precious time and resources will be spent dealing with the results of the audit.

    Perform routine internal compliance reports to decrease audit risk

    The intent of an internal audit is to stop the battle from happening before it starts. Waiting for a knock at the door from a vendor can be stressful, and it can do harm beyond a costly fine.

    • Internal audits help to ensure you’re keeping track of any software changes to keep your data and licensing up to date and avoid costly surprises if an external audit is requested.
    • Identify areas where processes are breaking down and address them before there’s a potential negative impact.
    • Identify control points in processes ahead of time to more easily identify access points where information should be verified.

    “You want to get [the] environment to a level where you’re comfortable sharing information with [a] vendor. Inviting them in to have a chat and exposing numbers means there’s no relationship there where they’re coming to audit you. They only come to audit you when they know there’s a gain to be had, otherwise what’s the point of auditing?
    I want customers to get comfortable with licensing and what they’re spending, and then there’s no problem exposing that to vendors. Vendors actually appreciate that.”
    (Ben Brand, SAM Practice Manager, Insight)

    Info-Tech Insight

    “The supreme art of war is to subdue the enemy without fighting.” – Sun Tzu

    Performing routine checks on your license compliance will drastically reduce the risk that your organization gets hit with a costly fine. Maintaining transparency and demonstrating compliance will fend off audit-hungry vendors.

    Define and document the internal audit process

    Associated Activity icon 4.1.1 Document process and procedures for internal audits

    Participants: CIO and/or IT Director, Asset Manager, IT Managers

    Document: Document in the Standard Operating Procedures.

    Define and document a process for conducting internal software audits.
    Include the following:

    1. How often will audits be completed for each software published?
    2. When will audits be conducted?
    3. Who will conduct the audit? Who will be consulted?
    4. What will be included in the scope of the audit?

    Example:

    • Annual audits will be completed for each software publisher, scheduled as part of the license or maintenance agreement renewals.
    • Where annual purchases are not required, vendor audits for compliance will be conducted annually, with a date predetermined based on minimizing scheduling conflicts with larger audits.
    • Audit will be completed with input from product managers.
    • Audit will include:
      • Software compliance review: Licenses owned compared to product installed.
      • Version review: Determine if installed versions match company standards. If there is a need for upgrades, does the license permit upgrading?
      • Maintenance review: Does the maintenance match requirements for the next year’s plans and licenses in use?
      • Support review: Is the support contract appropriate for use?
      • Budget: Has budget been allocated; is there an adjustment required due to increases?

    Identify organizational warning signs to decrease audit risk

    Being prepared for an audit is critical. Internal preparation will not only help your organization reduce the risk associated with an audit but will also improve daily operations through focusing on diligent documentation and data collection.

    Certain triggers exist that indicate a higher risk of an audit occurring. It is important to recognize these warning signs so you can prepare accordingly.

    Health of organization
    If your organization is putting out fires and a vendor can sense it, they’ll see an audit as a highly lucrative exercise.

    Decrease in customer spend
    A decrease in spend means that an organization has a high chance of being under-licensed.

    License complexity
    The more complex the license, the harder it is to remain in compliance. Some vendors are infamous for their complex licensing agreements.

    Audit Strategy

    • Audits should neither be feared nor embraced.
    • An audit is an attack on your relationship with your vendor; your vendor needs to defend its best interests, but it would also rather maintain a satisfied relationship with its client.
    • A proactive approach to audits through routine reporting and transparency with vendors will alleviate all fear surrounding the audit process. It provides your vendor with compliance assurance and communicates that an audit won’t net the vendor enough revenue to justify the effort.

    Focus on three key tactics for success before responding to an audit

    Taking these due diligence steps will pay dividends downstream, reducing the risk of negative results such as release of confidential information.

    Form an Audit Team

    • Once an audit letter is received from a vendor or third party, a virtual team needs to be formed.
    • The team should be cross-functional, representing various core areas of the business.
    • Don’t forget legal counsel: they will assist in the review of audit provision(s) to determine your contractual rights and obligations with respect to the audit.

    Sign an NDA

    • An NDA should be signed by all parties, the organization, the vendor, and the auditor.
    • Don’t wait on a vendor to provide its NDA. The organization should have its own and provide it to both parties.
    • If the auditor is a third party, negotiate a three-way NDA. This will prevent data being shared with other third parties.

    Examine Contract History

    • Vendors will attempt to alter terms of contracts when new products are purchased.
    • Maintain your current agreement if they are more favorable by “grandfathering” your original agreement.
    • Oracle master level agreements are an example: master level agreements offer more favorable terms than more recent versions.

    Info-Tech Insight

    Even if you cannot get a third-party NDA signed, the negotiation process should delay the overall audit process by at least a month, buying your organization valuable time to gather license data.

    Be prepared for external audit requests with a defined process for responding

    1. Vendor-initiated audit request received and brought to attention of IT Asset Manager and CIO.
    2. Acknowledge receipt of audit notice.
    3. Negotiate timing and scope of the audit (including software titles, geographic locations, entities, and completion date).
    4. Notify staff not to remove or acquire licenses for software under audit.
    5. Gather documentation and create report of all licensed software within audit scope.
      • Include original contract, most recent contract, and any addendums, purchase receipts, or reseller invoices, and publisher documentation such as manuals or electronic media.
    6. Compare documentation to installed software according to ITAM database.
    7. Validate any unusual or non-compliant software.
    8. Complete documentation requested by auditor and review results.

    Define and document the external audit process

    Associated Activity icon 4.1.2 Define external audit process

    Participants: CIO and/or IT Director, Asset Manager, IT Managers

    Document: Document in the Standard Operating Procedures.

    Define and document a process for responding to external software audit requests.
    Include the following:

    1. Who must be notified of the audit request when it is received?
    2. When must acknowledgement of the notice be sent and by whom?
    3. What must be defined under the scope of the audit (e.g. software titles, geographic locations, entities, completion date)?
    4. What communications must be sent to IT staff and end users to ensure compliance?
    5. What documentation should be gathered to review?
    6. How will documentation be verified against data?
    7. How will unusual or non-compliant software be identified and validated?
    8. Who needs to be informed of the results?

    Control audit scope with an audit response template

    Supporting Tool icon 4.1.3 Prepare an audit scoping email template

    Use the Software Audit Scoping Email Template to create an email directed at your external (or internal) auditors. Send the audit scoping email several weeks before an audit to determine the audit’s scope and objectives. The email should include:

    • Detailed questions about audit scope and objectives.
    • Critical background information on your organization/program.

    The email will help focus your preparation efforts and initiate your relationship with the auditors.

    Control scope by addressing the following:

    • Products covered by a properly executed agreement
    • Geographic regions
    • User groups
    • Time periods
    • Specific locations
    • A subset of users’ computers
    Sample of the 'Software Audit Scoping Email Template'.

    Keep leadership informed with an audit launch email

    Supporting Tool icon 4.1.4 Prepare an audit launch email template

    Approximately a week before the audit, you should email the internal leadership to communicate information about the start of the audit. Use the Software Audit Launch Email Template to create this email, including:

    • Staffing
    • Functional requirements
    • Audit contact person information
    • Scheduling details
    • Audit report estimated delivery time

    For more guidance on preparing for a software audit, see Info-Tech’s blueprint: Prepare and Defend Against a Software Audit.

    Sample of the 'Software Audit Launch Email Template'.

    A large bank employed proactive, internal audits to experience big savings

    Case Study

    Industry: Banking
    Source: Pomeroy

    Challenge

    A large American financial institution with 1,300 banking centers in 12 states, 28,000 end users, and 108,000 assets needed to improve its asset management program.

    The bank had employed numerous ITAM tools, but IT staff identified that its asset data was still fragmented. There was still incomplete insight into what assets the banked owned, the precise value of those assets, their location, and what they’re being used for.

    The bank decided to establish an asset management program that involved internal audits to gather more-complete data sets.

    Solution

    With the help of a vendor, the bank implemented cradle-to-grave asset tracking and lifecycle management, which provided discovery of almost $80 million in assets.

    The bank also assembled an ITAM team and a dedicated ITAM manager to ensure that routine internal audits were performed.

    The team was instrumental in establishing standardization of IT policies, hardware configuration, and service requirements.

    Results

    • The bank identified and now tracks over 108,000 assets.
    • The previous level of 80% accuracy in inventory tracking was raised to 96%.
    • Nearly $500,000 was saved through asset recovery and repurposing of 600 idle assets.
    • There are hundreds of thousands of dollars in estimated savings as the result of avoiding costly penalties from failed audits thanks to proactive internal audits.

    Step 4.2 Build communication plan and roadmap

    Phase 4:
    Build supporting processes & tools
    This step will walk you through the following activities:This step involves the following participants:

    4.1

    Compliance & audits
    • 4.2.1 Develop a communication plan to convey the right messages
    • 4.2.2 Anticipate end-user questions by preparing an FAQ list
    • 4.2.3 Build a software asset management policy
    • 4.2.4 Build additional SAM policies
    • 4.2.5 Develop a SAM roadmap to plan your implementation
    • IT Director, CIO
    • IT Managers and SAM Manager
    • SAM Team

    4.2

    Communicate & build roadmap

    Step Outcomes

    • A documented communications plan for relevant stakeholders to understand the benefits and changes the SAM program will bring
    • A list of anticipated end-user questions with responses
    • Documented software asset management policies
    • An implementation roadmap

    Communicate SAM processes to gain acceptance and support

    Communication is crucial to the integration and overall implementation of your SAM program. If staff and users do not understand the purpose of processes and policies, they will fail to provide the desired value.

    An effective communication plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintain the presence of the program throughout the business.
    • Instill ownership throughout the business from top-level management to new hires.

    Communicate the following:

    1. Advertise successes

      • Regularly demonstrate the value of the SAM program with descriptive statistics focused on key financial benefits.
      • Share data with the appropriate personnel; promote success to obtain further support from senior management.
    2. Report and share asset data

      • Sharing detailed asset-related reports frequently gives decision makers useful data to aid in their strategy.
      • These reports can help your organization prepare for audits, adjust budgeting, and detect unauthorized software.
    3. Communicate the value of SAM

      • Educate management and end users about how they fit into the bigger picture.
      • Individuals need to know which behaviors may put the organization at risk or adversely affect data quality.

    Educate staff and end users through SAM training to increase program success

    As part of your communication plan and overall SAM implementation, training should be provided to both staff and end users within the organization.

    • ITAM solutions are complex by nature with both business process and technical knowledge required to use them correctly.
    • All facets of the business, from management to new hires, should be provided with training to help them understand their role in the program’s success.
    • Keep the message appropriate to the audience – end users don’t need to know the complete process, but will need to know policy and how to request.
    • Even after the SAM program has been fully implemented, keep employees up to date with policies and processes through ongoing training sessions for both new hires and existing employees:
      • New hires: Provide new hires with all relevant SAM policies and ensure they understand the importance of software asset management.
      • Existing employees: Continually remind them of how SAM is involved in their daily operations and inform them of any changes to policies.

    Create your communications plan to anticipate challenges, remove obstacles, and ensure buy-in

    Provide separate communications to key stakeholder groups

    Why:
    • What problems are you trying to solve?
    What:
    • What processes will it affect (that will affect me)?
    Who:
    • Who will be affected?
    • Who do I go to if I have issues with the new process?
    Three circular arrows each linking t the next in a downward daisy chain. The type arrow has 'IT Staff' in the middle, the second 'Management', and the third 'End Users' When:
    • When will this be happening?
    • When will it affect me?
    How:
    • How will these changes manifest themselves?
    Goal:
    • What is the final goal?
    • How will it benefit me?

    Develop a communication plan to convey the right messages

    Associated Activity icon 4.2.1 Develop a communication plan to convey the right messages

    Participants: CIO, IT Director, Asset Manager, Service Desk Manager

    Document: Document in the SAM Communication Plan.

    1. Identify the groups that will be affected by the SAM program.
    2. For each group requiring a communication plan, identify the following:
    3. Benefits of SAM for that group of individuals (e.g. more efficient software requests).
    4. The impact the change will have on them (e.g. change in the way a certain process will work).
    5. Communication method (i.e. how you will communicate).
    6. Timeframe (i.e. when and how often you will communicate the changes).
    7. Complete this information in a table like the one below and document in the Communication Plan.
    Group Benefits Impact Method Timeline
    Executives
    • Improved audit compliance
    • Improved budgeting and forecasting
    • Review and sign off on policies
    End Users
    • Streamlined software request process
    • Follow software installation and security policies
    IT
    • Faster access to data and one source of truth
    • Modified processes
    • Ensure audits are completed regularly

    Anticipate end-user questions by preparing an FAQ list

    Associated Activity icon 4.2.2 Prepare an FAQ list

    Document: Document FAQ questions and answers in the SAM FAQ Template.

    ITAM imposes changes to end users throughout the business and it’s normal to expect questions about the new program. Prepare your team ahead of time by creating a list of FAQs.

    Some common questions include:

    • Why are you changing from the old processes?
    • Why now?
    • What are you going to ask me to do differently?
    • Will I lose any of my software?

    The benefits of preparing a list of answers to FAQs include:

    • A reduction in time spent creating answers to questions. If you focus on the most common questions, you will make efficient use of your team’s time.
    • Consistency in your team’s responses. By socializing the answers to FAQs, you ensure that no one on your team is out of the loop and the message remains consistent across the board.

    Include policy design and enforcement in your communication plan

    • Software asset management policies should define the actions to be taken to support software asset management processes and ensure the effective and efficient management of IT software assets across the asset lifecycle.
    • Implementing asset management policies enforces the notion that the organization takes its IT assets and the management of them seriously and will help ensure the benefits of SAM are achieved.
    • Designing, approving, documenting, and adopting one set of standard SAM policies for each department to follow will ensure the processes are enforced equally across the organization.

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but be sure to modify and adapt policies to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation and involvement from the committees and departments to whom it will pertain.

    Build a software asset management policy

    Supporting Tool icon 4.2.3 Document a SAM policy

    Use Info-Tech’s Software Asset Management Policy template to define and document the purpose, scope, objectives, and roles and responsibilities for your organization's software asset management program.

    The template allows you to customize policy requirements for:

    • Procurement
    • Installation and Removal
    • Maintenance
    • Mergers and Acquisitions
    • Company Divestitures
    • Audits

    …as well as consequences for non-compliance.

    Sample of the 'Software Asset Management Policy' template.

    Use Info-Tech’s policy templates to build additional policies

    Supporting Tool icon 4.2.4 Build additional SAM policies

    Asset Security Policy
    The IT asset security policy will describe your organization's approach to ensuring the physical and digital security of your IT assets throughout their entire lifecycle.

    End-User Devices Acceptable Use Policy
    This policy should describe how business tools provided to employees are to be used in a responsible, ethical, and compliant manner, as well as the consequences of non-compliance.

    Purchasing Policy
    The purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    Release Management Policy
    Use this policy template to define and document the purpose, scope, objectives, and roles and responsibilities for your organization's release management program.

    Internet Acceptable Use Policy
    Use this template to help keep the internet use policy up to date. This policy template includes descriptions of acceptable and unacceptable use, security provisions, and disclaimers on the right of the organization to monitor usage and liability.

    Samples of additional SAM policies, listed to the left.

    Implement SAM in a phased, constructive approach

    One of the most difficult decisions to make when implementing a SAM program is: “where do we start?”

    It’s not necessary to deploy a comprehensive SAM program to start. Build on the essentials to become more mature as you grow.

    SAM Program Maturity (highest to lowest)

    • Audits and reporting
      Gather and analyze data about software assets to ensure compliance for audits and to continually improve the business.
    • Contracts and budget
      Analyze contracts and licenses for software across the enterprise and optimize planning to enable cost reduction.
    • Lifecycle standardization
      Define standards and processes for all asset lifecycle phases from request and procurement through to retirement and redistribution.
    • Inventory and tracking
      Define assets you will procure, distribute, and track. Know what you have, where it is deployed, and keep track of contracts and all relevant data.

    Integrate your SAM program with the organization to assist its implementation

    SAM cannot perform on its own – it must be integrated with other functional areas of the organization to maintain its stability and support.

    • Effective SAM is supported by a comprehensive set of processes as part of its implementation.
    • For example, integration with the procurement team’s processes and tools is required to track software purchases to mitigate software license compliance risk.
    • Integration with Finance is required to support internal cost allocations and chargebacks.
    • Integration with the service desk is required to track and deploy software requests.

    Info-Tech Best Practice

    To integrate SAM effectively, a clear implementation roadmap needs to be designed. Prioritize “quick wins” to demonstrate success to the business early and to gain buy-in from your team. Short-term gains should be designed to support long-term goals of your SAM program.

    Sample short-term goals
    • Identify inventory classification and tool
    • Create basic SAM policies and processes
    • Implement SAM auto-discovery tools
    Sample long-term goals
    • Software contract data integration
    • Continual improvement through review and revision
    • Software compliance reports, internal audits

    Develop a SAM roadmap to plan your implementation

    Associated Activity icon 4.2.5 Build a project roadmap
    1. Identify and review all initiatives that will be taken to implement or improve the software asset management program. These may fall under people, process, or technology-related tasks.
    2. Assign a priority level to each task (Quick Win, Low, Medium, High).
    3. Use the priority to sort tasks into start dates, breaking down by:
      1. Short, medium, or long-term
      2. 1 month, 3 months, 6 months, 12+ months
      3. Q1, Q2, Q3, Q4
    4. Review tasks and adjust start dates for some, if needed to set realistic and achievable timelines.
    5. Transfer tasks to a project plan or Gantt chart to formalize.
    Examples:
    Q1 Q2 Q3 Q4
    • Hire software asset manager
    • Document SOP
    • Define policies
    • Select a SAM tool
    • Create list of approved services and software
    • Define metrics
    • Inventory existing software and contracts
    • Build a patch policy
    • Build a service catalog
    • Contract renewal alignment
    • Run internal audit
    • Security review

    Review and maintain the SAM program to reach optimal maturity

    • SAM is a dynamic process. It must adapt to keep pace with the direction of the organization. New applications, different licensing needs, and a constant stream of new end users all contribute to complicating the licensing process.
    • As part of your organization’s journey to an optimized SAM program, put in place continual improvement practices to maintain momentum.

    A suggested cycle of review and maintenance for your SAM: 'Plan', 'Do', 'Check', 'Act'.

    Info-Tech Insight

    Advertising the increased revenue that is gained from good SAM practices is a powerful way to gain project buy-in.

    Keep the momentum going:

    • Clearly define ongoing responsibilities for each role.
    • Develop a training and awareness program for new employees to be introduced to SAM processes and policies.
    • Continually review and revise existing processes as necessary.
    • Measure the success of the program to identify areas for improvement and demonstrate successes.
    • Measure adherence to process and policies and enforce as needed.

    Reflect on the outcomes of implementing SAM to target areas for improvement and share knowledge gained within and beyond the SAM team. Some questions to consider include:

    1. How did the data compare to our expectations? Was the project a success?
    2. What obstacles were present that impacted the project?
    3. How can we apply lessons learned through this project to others in the future?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.2.1

    Sample of activity 4.2.1 'Develop a communication plan to convey the right messages'. Develop a communication plan to convey the right messages

    Identify stakeholders requiring communication and formulate a message and delivery method for each.

    4.2.5

    Sample of activity 4.2.5 'Develop a SAM roadmap to plan your implementation'. Develop a SAM roadmap to plan your implementation

    Outline the tasks necessary for the implementation of this project and prioritize to build a project roadmap.

    Phase 4 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build supporting processes & tools

    Proposed Time to Completion (in weeks): 4
    Step 4.1: Compliance & audits Step 4.2: Communicate & build roadmap
    Start with an analyst kick-off call:
    • Discuss audit process
    • Define a process for internal audits
    • Define a process for external audit response
    Review findings with analyst:
    • Build communication plan
    • Discuss policy needs
    • Build a roadmap
    Then complete these activities…
    • Document internal audit process
    • Document external audit process
    • Prepare audit templates
    Then complete these activities…
    • Develop communication plan
    • Prepare an FAQ list for end users
    • Build SAM policies
    • Develop a roadmap
    With these tools & templates:
    • Standard Operating Procedures
    • Software Audit Scoping Email Template
    • Software Audit Launch Email Template
    With these tools & templates:
    • SAM Communication Plan
    • Software Asset Management FAQ Template
    • Software Asset Management Policy
    • Additional Policy Templates

    Bibliography

    2013 Software Audit Industry Report.” Express Metrix, 2013. Web.

    7 Vital Trends Disrupting Today’s Workplace: Results and Data from 2013 TINYpulse Employee Engagement Survey.” TINYpulse, 2013. Web.

    Beaupoil, Christof. “How to measure data quality and protect against software audits.” Network World, 6 June 2011.

    Begg, Daniel. “Effective Licence Position (ELP) – What is it really worth?” LinkedIn, 19 January 2016.

    Boehler, Bernhard. “Advanced License Optimization: Go Beyond Compliance for Maximum Cost Savings.” The ITAM Review, 24 November 2014.

    Bruce, Warren. “SAM Baseline – process & best practice.” Microsoft. 2013 Australia Partner Conference.

    Case Study Top 20 U.S. Bank Tackles Asset Management.” Pomeroy, 2012. Web.

    Cherwell Software Software Audit Industry Report.” Cherwell Software, 2015. Web.

    Conrad, Sandi. “SAM starter kit: everything you need to get started with software asset management. Conrad & Associates, 2010.

    Corstens, Jan, and Diederik Van der Sijpe. “Contract risk & compliance software asset management (SAM).” Deloitte, 2012.

    Deas, A., T. Markowitzm and E. Black. “Software asset management: high risk, high reward.” Deloitte, 2014.

    Doig, Chris. “Why you should always estimate ROI before buying enterprise software” CIO, 13 August 2015.

    Fried, Chuck. “America Needs An Education On Software Asset Management (SAM).” LinkedIn. 16 June 2015.

    Lyons, Gwen. “Understanding the Drivers Behind Application Rationalization Critical to Success.” Flexera Software Blog, 31 October 2012.

    Bibliography

    Metrics to Measure SAM Success: eight ways to prove your SAM program is delivering business benefits.” Snow Software White Paper, 2015.

    Microsoft. “The SAM Optimization Model.” Microsoft Corporation White Paper, 2010.

    Miller, D. and M. Oliver. “Engaging Stakeholders for Project Success.” Project Management Institute White Paper, 2015.

    Morrison, Dan. “5 Common Misconceptions of Software Asset Management.” SoftwareOne. 12 May 2015.

    O’Neill, Leslie T. “Visa Case Study: SAM in the 21st Century.” International Business Software Managers Association (IBSMA), 30 July 2014.

    Reducing Hidden Operating Costs Through IT Asset Discovery.” NetSupport Inc., 2011.

    SAM Summit 2014, 23-25 June 2014, University of Chicago Gleacher Center Conference Facilities, Chicago, MI.

    Saxby, Heather. “20 Things Every CIO Needs to Know about Software Asset Management.” Crayon Software Experts, 13 May 2015.

    The 2016 State of IT: Managing the money monsters for the coming year.” Spiceworks, 2016.

    The Hidden Cost of Unused Software.” A 1E Report, 1E.com: 2014. Web.

    What does it take to achieve software license optimization?” Flexera White Paper, 2013.

    Research contributors and experts

    Photo of Michael Dean, Director, User Support Services, Des Moines University Michael Dean
    Director, User Support Services
    Des Moines University
    Simon Leuty
    Co-Founder
    Livingstone Tech
    Photo of Simon Leuty, Co-Founder, Livingstone Tech
    Photo of Clare Walsh, PR Consultant, Adesso Tech Ltd. Clare Walsh
    PR Consultant
    Adesso Tech Ltd.
    Alex Monaghan
    Director, Presales EMEA
    Product Support Solutions
    Photo of Alex Monaghan, Director, Presales EMEA, Product Support Solutions

    Research contributors and experts

    Photo of Ben Brand, SAM Practice Manager, Insight Ben Brand
    SAM Practice Manager
    Insight
    Michael Swanson
    President
    ISAM
    Photo of Michael Swanson, President, ISAM
    Photo of Bruce Aboudara, SVP, Marketing & Business Development, Scalable Software Bruce Aboudara
    SVP, Marketing & Business Development
    Scalable Software
    Will Degener
    Senior Solutions Consultant
    Scalable Software
    Photo of Will Degener, Senior Solutions Consultant, Scalable Software

    Research contributors and experts

    Photo of Peter Gregorowicz, Associate Director, Network & Client Services, Vancouver Community College Peter Gregorowicz
    Associate Director, Network & Client Services
    Vancouver Community College
    Peter Schnitzler
    Operations Team Lead
    Toyota Canada
    Photo of Peter Schnitzler, Operations Team Lead, Toyota Canada
    Photo of David Maughan, Head of Service Transition, Mott MacDonald Ltd. David Maughan
    Head of Service Transition
    Mott MacDonald Ltd.
    Brian Bernard
    Infrastructure & Operations Manager
    Lee County Clerk of Court
    Photo of Brian Bernard, Infrastructure & Operations Manager, Lee County Clerk of Court

    Research contributors and experts

    Photo of Leticia Sobrado, IT Data Governance & Compliance Manager, Intercept Pharmaceuticals Leticia Sobrado
    IT Data Governance & Compliance Manager
    Intercept Pharmaceuticals

    Take Control of Cloud Costs on AWS

    • Buy Link or Shortcode: {j2store}425|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $62,500 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Cloud Strategy
    • Parent Category Link: /cloud-strategy
    • Traditional IT budgeting and procurement processes don't work for public cloud services.
    • The self-service nature of the cloud means that often the people provisioning cloud resources aren't accountable for the cost of those resources.
    • Without centralized control or oversight, organizations can quickly end up with massive AWS bills that exceed their IT salary cost.

    Our Advice

    Critical Insight

    • Most engineers care more about speed of feature delivery and reliability of the system than they do about cost.
    • Often there are no consequences for over architecting or overspending on AWS.
    • Many organizations lack sufficient visibility into their AWS spend, making it impossible to establish accountability and controls.

    Impact and Result

    • Define roles and responsibilities.
    • Establish visibility.
    • Develop processes, procedures, and policies.

    Take Control of Cloud Costs on AWS Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should take control of cloud costs, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build cost accountability framework

    Assess your current state, define your cost allocation model, and define roles and responsibilities.

    • Cloud Cost Management Worksheet
    • Cloud Cost Management Capability Assessment
    • Cloud Cost Management Policy
    • Cloud Cost Glossary of Terms

    2. Establish visibility

    Define dashboards and reports, and document account structure and tagging requirements.

    • Service Cost Cheat Sheet

    3. Define processes and procedures

    Establish governance for tagging and cost control, define processes for right-sizing, and define processes for purchasing commitment discounts.

    • Right-Sizing Workflow (Visio)
    • Right-Sizing Workflow (PDF)
    • Commitment Purchasing Workflow (Visio)
    • Commitment Purchasing Workflow (PDF)

    4. Build implementation plan

    Document process interactions, establish program KPIs, and build implementation roadmap and communication plan.

    • Cloud Cost Management Task List

    Infographic

    Workshop: Take Control of Cloud Costs on AWS

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build Cost Accountability Framework

    The Purpose

    Establish clear lines of accountability and document roles and responsibilities to effectively manage cloud costs.

    Key Benefits Achieved

    Chargeback/showback model to provide clear accountability for costs.

    Understanding of key areas to focus on to improve cloud cost management capabilities.

    Activities

    1.1 Assess current state

    1.2 Determine cloud cost model

    1.3 Define roles and responsibilities

    Outputs

    Cloud cost management capability assessment

    Cloud cost model

    Roles and responsibilities

    2 Establish Visibility

    The Purpose

    Establish visibility into cloud costs and drivers of those costs.

    Key Benefits Achieved

    Better understanding of what is driving costs and how to keep them in check.

    Activities

    2.1 Develop architectural patterns

    2.2 Define dashboards and reports

    2.3 Define account structure

    2.4 Document tagging requirements

    Outputs

    Architectural patterns; service cost cheat sheet

    Dashboards and reports

    Account structure

    Tagging scheme

    3 Define Processes and Procedures

    The Purpose

    Develop processes, procedures, and policies to control cloud costs.

    Key Benefits Achieved

    Improved capability of reducing costs.

    Documented processes and procedures for continuous improvement.

    Activities

    3.1 Establish governance for tagging

    3.2 Establish governance for costs

    3.3 Define right-sizing process

    3.4 Define purchasing process

    3.5 Define notification and alerts

    Outputs

    Tagging policy

    Cost control policy

    Right-sizing process

    Commitment purchasing process

    Notifications and Alerts

    4 Build Implementation Plan

    The Purpose

    Document next steps to implement and improve cloud cost management program.

    Key Benefits Achieved

    Concrete roadmap to stand up and/or improve the cloud cost management program.

    Activities

    4.1 Document process interaction changes

    4.2 Define cloud cost program KPIs

    4.3 Build implementation roadmap

    4.4 Build communication plan

    Outputs

    Changes to process interactions

    Cloud cost program KPIs

    Implementation roadmap

    Communication plan

    Build a Better Manager

    • Buy Link or Shortcode: {j2store}603|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Train & Develop
    • Parent Category Link: /train-and-develop
    • Management skills training is needed, but organizations are struggling to provide training that makes a long-term difference in the skills managers actually use in their day to day.
    • Many training programs are ineffective because they offer the wrong content, deliver it in a way that is not memorable, and are not aligned with the IT department’s business objectives.

    Our Advice

    Critical Insight

    • More of the typical manager training is not enough to solve the problem of underprepared first-time IT managers.
    • You must overcome the key pitfalls of ineffective training to deliver training that is better than the norm.
    • Offer tailored training that focuses on skill building and is aligned with measurable business goals to make your manager training a tangible success.

    Impact and Result

    Use Info-Tech’s tactical, practical training materials to deliver training that is:

    • Specifically tailored to first-time IT managers.
    • Designed around practical application of new skills.
    • Aligned with your department’s business goals.

    Build a Better Manager Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Better Manager Capstone Deck – This deck will guide you through identifying the critical skills your managers need to succeed and planning out a training program tailored to your team and organization.

    This deck presents a behind-the-scenes explanation for the training materials, enabling a facilitator to deliver the training.

    • Build a Better Manager – Phases 1-3

    2. Facilitation Guides – These ready-to-deliver presentation decks span 8 modules. Each module covers a key management skill. The modules can be delivered independently or as a series.

    The modules are complete with presentation slides, speaker’s notes, and accompanying participant workbooks and provide everything you need to deliver the training to your team.

    • Accountability Facilitation Guide
    • Coaching and Feedback Facilitation Guide
    • Communicate Effectively Facilitation Guide
    • Manage Conflict Constructively Facilitation Guide
    • Your Role in Decision Making Facilitation Guide
    • Master Time Facilitation Guide
    • Performance Management Facilitation Guide
    • Your Role in the Organization Facilitation Guide

    3. Participant Workbooks and Supporting Materials – Each training module comes with a corresponding participant workbook to help trainees record insights and formulate individual skill development plans.

    Each workbook is tailored to the presentation slides in its corresponding facilitation guide. Some workbooks have additional materials, such as role play scenarios, to aid in practice. Every workbook comes with example entries to help participants make the most of their training.

    • Communicate Effectively Participant Workbook
    • Performance Management Participant Workbook
    • Coaching and Feedback Participant Workbook
    • Effective Feedback Training Role Play Scenarios
    • Your Role in the Organization Participant Workbook
    • Your Role in Decision Making Participant Workbook
    • Decision Making Case Study
    • Manage Conflict Constructively Participant Workbook
    • Conflict Resolution Role Play Scenarios
    • Master Time Participant Workbook
    • Accountability Participant Workbook
    [infographic]

    Workshop: Build a Better Manager

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Build a Better Manager

    The Purpose

    Attend training on the specific topics necessary for each individual management team.

    Each workshop consists of four days, one 3-hour training session per day. One module is delivered per day, selecting from the following pool of topics:

    Master Time

    Accountability

    Your Role in the Organization

    Your Role in Decision Making

    Manage Conflict Constructively

    Effective Communication

    Performance Management

    Coaching & Feedback

    Key Benefits Achieved

    Managers learn about best practices, practice their application, and formulate individual skill development plans.

    Activities

    1.1 Training on one topic per day, for four days (selected from a pool of eight possible topics)

    Outputs

    Completed workbook and action plan

    Further reading

    Build a Better Manager

    Support IT success with a solid management foundation.

    Analyst Perspective

    Training that delivers results.

    Jane Koupstova.

    Ninety-eight percent of managers say they need more training, but 93% of managers already receive some level of manager training. Unfortunately, the training typically provided, although copious, is not working. More of the same will never get you better outcomes.

    How many times have you sat through training that was so long, you had no hope of implementing half of it?

    How many times have you been taught best practices, with zero guidance on how to apply them?

    To truly support our managers, we need to rethink manager training. Move from fulfilling an HR mandate to providing truly trainee-centric instruction. Teach only the right skills – no fluff – and encourage and enable their application in the day to day.

    Jane Kouptsova
    Research Director, People & Leadership
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Common Obstacles

    Info-Tech’s Approach

    IT departments often promote staff based on technical skill, resulting in new managers feeling unprepared for their new responsibilities in leading people.

    The success of your organization hinges on managers’ ability to lead their staff; by failing to equip new managers adequately, you are risking the productivity of your entire department.

    Despite the fact that $14 billion is spent annually on leadership training in the US alone (Freedman, 2016), only one in ten CIOs believe their department is very effective at leadership, culture, and values (Info-Tech, 2019).

    Training programs do not deliver results due to trainee overwhelm, ineffective skill development, and a lack of business alignment.

    Use Info-Tech’s tactical, practical approach to management training to deliver training that:

    • Is specifically tailored to first-time IT managers.
    • Is designed around practical application of new skills.
    • Is aligned with your department’s business goals.
    • Equips your new managers with essential skills and foundational competencies

    Info-Tech Insight

    When it comes to manager training, more is not more. Attending training is not equal to being trained. Even good information is useless when it doesn’t get applied. If your role hasn’t required you to use your training within 48 hours, you were not trained on the most relevant skills.

    Effective managers drive effective departments by engaging their teams

    The image contains a screenshot to demonstrate effective managers.

    Engaged teams are:

    • 52% more willing to innovate*
    • 70% more likely to be at the organization a year from now**
    • 57% more likely to exceed their role’s expectations**

    Engaged teams are driven by managers:

    • 70% of team-level engagement is accounted for by managers***
    *McLean & Company; N=3,395; **McLean & Company; N=5,902; ***Gallup, 2018

    Despite the criticality of their role, IT organizations are failing at supporting new managers

    87% of middle managers wish they had more training when they were first promoted

    98% of managers say they need more training

    Source: Grovo, 2016

    IT must take notice:

    IT as an industry tends to promote staff on the basis of technical skill. As a result, new managers find themselves suddenly out of their comfort zone, tasked with leading teams using management skills they have not been trained in and, more often than not, having to learn on the job. This is further complicated because many new IT managers must go from a position of team member to leader, which can be a very complex transition.

    The truth is, many organizations do try and provide some degree of manager training, it just is not effective

    99% of companies offer management training*

    93% of managers attend it*

    $14 billion spent annually in the US on leadership training**

    Fewer than one in ten CIOs believe their IT department is highly effective at leadership, culture, and values.

    The image contains a screenshot of a pie chart that demonstrates the effectiveness of the IT department at leadership, culture, and values.

    *Grovo, 2016; **Chief Executive, 2016
    Info-Tech’s Management & Governance Diagnostic, N=337 CIOs

    There are three key reasons why manager training fails

    1. Information Overload

    Seventy-five percent of managers report that their training was too long to remember or to apply in their day to day (Grovo, 2016). Trying to cover too much useful information results in overwhelm and does not deliver on key training objectives.

    2. Limited Implementation

    Thirty-three percent of managers find that their training had insufficient follow-up to help them apply it on the job (Grovo, 2016). Learning is only the beginning. The real results are obtained when learning is followed by practice, which turns new knowledge into reliable habits.

    3. Lack of departmental alignment

    Implementing training without a clear link to departmental and organizational objectives leaves you unable to clearly communicate its value, undermines your ability to secure buy-in from attendees and executives, and leaves you unable to verify that the training is actually improving departmental effectiveness.

    Overcome those common training pitfalls with tactical solutions

    MOVE FROM

    TO

    1. Information Overload

    Timely, tailored topics

    The more training managers attend, the less likely they are to apply any particular element of it. Combat trainee overwhelm by offering highly tactical, practical training that presents only the essential skills needed at the managers’ current stage of development.

    2. Limited Implementation

    Skills-focused framework

    Many training programs end when the last manager walks out of the last training session. Ensure managers apply their new knowledge in the months and years after the training by relying on a research-based framework that supports long-term skill building.

    3. Lack of Departmental Alignment

    Outcome-based measurement

    Setting organizational goals and accompanying metrics ahead of time enables you to communicate the value of the training to attendees and stakeholders, track whether the training is delivering a return on your investment, and course correct if necessary.

    This research combats common training challenges by focusing on building habits, not just learning ideas

    Manager training is only useful if the skills it builds are implemented in the day-to-day.

    Research supports three drivers of successful skill building from training:

    Habits

    Organizational Support

    The training modules include committing to implementing new skills on the job and scheduling opportunities for feedback.

    Learning Structure

    Training activities are customizable, flexible, and accompanied by continuous learning self-evaluation.

    Personal Commitment

    Info-Tech’s methodology builds in activities that foster accountability and an attitude of continuous improvement.

    Learning

    Info-Tech Insight

    When it comes to manager training, stop thinking about learning, and start thinking about practice. In difficult situations, we fall back on habits, not theoretical knowledge. If a manager is only as good as their habits, we need to support them in translating knowledge into practice.

    This research focuses on building good management habits to drive enterprise success

    Set up your first-time managers for success by leveraging Info-Tech’s training to focus on three key areas of management:

    • Managing people as a team
    • Managing people as individuals
    • Managing yourself as a developing leader

    Each of these areas:

    • Is immediately important for a first-time manager
    • Includes practical, tactical skills that can be implemented quickly
    • Translates to departmental and organizational benefits

    Info-Tech Insight

    There is no such thing as “effective management training.” Various topics will be effective at different times for different roles. Delivering only the highest-impact learning at strategic points in your leadership development program will ensure the learning is retained and translates to results.

    This blueprint covers foundational training in three key domains of effective management

    Effective Managers

    • Self
      • Conflict & Difficult Conversations
      • Your Role in the Organization
      • Your Role in Decisions
    • Team
      • Communication
      • Feedback & Coaching
      • Performance Management
    • People
      • Master Time
      • Delegate
      • Accountability

    Each topic corresponds to a module, which can be used individually or as a series in any order.

    Choose topics that resonate with your managers and relate directly to their day-to-day tasks. Training on topics that may be useful in the future, while interesting, is less likely to generate lasting skill development.

    Info-Tech Best Practice

    This blueprint is not a replacement for formal leadership or management certification. It is designed as a practical, tactical, and foundational introduction to key management capabilities.

    Info-Tech’s training tools guide participants through successful skill building

    Practical facilitation guides equip you with the information, activities, and speaker’s notes necessary to deliver focused, tactical training to your management team.

    The participant’s workbook guides trainees through applying the three drivers of skill building to solidify their training into habits.

    Measure the effectiveness of your manager training with outcomes-focused metrics

    Linking manager training with measurable outcomes allows you to verify that the program is achieving the intended benefits, course correct as needed, and secure buy-in from stakeholders and participants by articulating and documenting value.

    Use the metrics suggested below to monitor your training program’s effectiveness at three key stages:

    Program Metric

    Calculation

    Program enrolment and attendance

    Attendance at each session / Total number enrolled in session

    First-time manager (FTM) turnover rate

    Turnover rate: Number of FTM departures / Total number of FTMs

    FTM turnover cost

    Number of departing FTMs this year * Cost of replacing an employee

    Manager Effectiveness Metric

    Calculation

    Engagement scores of FTM's direct reports

    Use Info-Tech's Employee Engagement surveys to monitor scores

    Departures as a result of poor management

    Number of times "manager relationships" is selected as a reason for leaving on an exit survey / Total number of departures

    Cost of departures due to poor management

    Number of times "manager relationships" is selected as a reason for leaving on an exit survey * Cost associated with replacing an employee

    Organizational Outcome Metric

    Calculation

    On-target delivery

    % projects completed on-target = (Projects successfully completed on time and on budget / Total number of projects started) * 100

    Business stakeholder satisfaction with IT

    Use Info-Tech’s business satisfaction surveys to monitor scores

    High-performer turnover rate

    Number of permanent, high-performing employee departures / Average number of permanent, high-performing employees

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.” “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.” “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.” “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Review selected modules and discuss training delivery.

    Call #3: Review training delivery, discuss lessons learned. Review long-term skill development plan.

    A Guided Implementation (GI) is a series

    of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 1 to 3 calls over the course of several months, depending on training schedule.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2 Day 3 Day 4

    3-Hour Training Session

    3-Hour Training Session

    3-Hour Training Session

    3-Hour Training Session

    Activities

    Training on topic 1 (selected from a pool of 8 possible topics)

    Training on topic 2 (selected from a pool of 8 possible topics)

    Training on topic 3 (selected from a pool of 8 possible topics)

    Training on topic 4 (selected from a pool of 8 possible topics)

    Deliverables

    Completed workbook and action plan

    Completed workbook and action plan

    Completed workbook and action plan

    Completed workbook and action plan

    Pool of topics:

    • Master Time
    • Accountability
    • Your Role in the Organization
    • Your Role in Decision Making
    • Manage Conflict Constructively
    • Effective Communication
    • Performance Management
    • Coaching & Feedback

    Phase 1

    Prepare to facilitate training

    Phase 1 Phase 2 Phase 3
    • Select training topics
    • Customize the training facilitation guide for your organization
    • Deliver training modules
    • Confirm skill development action plan with trainees
    • Secure organizational support from trainees' supervisors

    Outcomes of this phase:

    • Training facilitation deck customized to organizational norms
    • Training workbook distributed to participants
    • Training dates and facilitator finalized

    1.1 Select training modules

    1-3 hours

    1. Review the module descriptions on the following slides.
    2. Identify modules that will address managers’ most pressing development needs.
      To help make this decision, consult the following:
      • Trainees’ development plans
      • Trainees’ supervisors
    Input Output
    • Module descriptions
    • Trainees’ development goals and needs
    • Prioritized list of training modules
    Materials Participants
    • Prioritized list of training modules
    • Training sponsor
    • Trainees’ supervisors

    Effective Communication

    Effective communication is the cornerstone of good management

    Effective communication can make or break your IT team’s effectiveness and engagement and a manager’s reputation in the organization. Effective stakeholder management and communication has a myriad of benefits – yet this is a key area where IT leaders continue to struggle.


    There are multiple ways in which you communicate with your staff. The tactics you will learn in this section will help you to:

    1. Understand communication styles. Every staff member has a predisposition in terms of how they give, receive, and digest information. To drive effective communication new managers need to understand the profiles of each of their team members and adjust their communicate style to suit.
    2. Understand what your team members want communicated to them and how. Communication is highly personal, and a good manager needs to clearly understand what their team wants to be informed about, their desired interactions, and when they need to be involved in decision making. They also must determine the appropriate channels for communication exchanges.
    3. Make meetings matter. Many new managers never receive training on what differentiates a good and bad meeting. Effective meetings have a myriad of benefits, but more often than not meetings are ineffective, wasting both the participants’ and organizer’s time. This training will help you to ensure that every team meeting drives a solid outcome and gets results.

    Benefits:

    • Better buy-in, understanding, and communication.
    • Improved IT reputation with the organization.
    • Improved team engagement.
    • Improved stakeholder satisfaction.
    • Better-quality decision making.
    • Improved transparency, trust, and credibility.
    • Less waste and rework.
    • Greater ability to secure support and execute the agenda.
    • More effective cooperation on activities, better quality information, and greater value from stakeholder input.
    • Better understanding of IT performance and contribution.

    Effective Communication

    Effective manager communication has a direct impact on employee engagement

    35% Of organizations say they have lost an employee due to poor internal communication (project.co, 2021).

    59% Of business leaders lose work time to mistakes caused by poor communication (Grammarly, 2022).

    $1.2 trillion Lost to US organizations as a result of poor communication (Grammarly, 2022).

    Effective Communication

    Effective communication is crucial to all parts of the business

    Operations

    Human Resources

    Finance

    Marketing

    Increases production by boosting revenue.

    Reduces the cost of litigation and increases revenue through productivity improvements.

    Reduces the cost of failing to comply with regulations.

    Increases attraction and retention of key talent.

    Effective Communication

    The Communicate Effectively Facilitation Guide covers the following topics:

    • Understand Communication Styles
    • Tailor Communication Methods to Activities
    • Make Meetings Matter

    Learning outcomes:

    Main goal: Become a better communicator across a variety of personal styles and work contexts.

    Key objectives:

    • Reaffirm why effective communication matters.
    • Work with people with different communication styles.
    • Communicate clearly and effectively within a team.
    • Make meetings more effective.

    Info-Tech Insight

    First-time IT managers face specific communication challenges that come with managing people for the first time: learning to communicate a greater variety of information to different kinds of people, in a variety of venues. Tailored training in these areas helps managers focus and fast-track critical skill development.

    Performance Management

    Meaningful performance measures drive employee engagement, which in turn drives business success

    Meaningful performance measures help employees understand the rationale behind business decisions, help managers guide their staff, and clarify expectations for employees. These factors are all strong predictors of team engagement:

    The image contains a screenshot to demonstrate the relationship and success between performance measures and employee engagement.

    Performance Management

    Clear performance measures benefit employees and the organization

    Talent Management Outcomes

    Organizational Outcomes

    Performance measure are key throughout the talent management process.

    Candidates:

    • Want to know how they will be assessed
    • Rely on measures to become productive as soon as possible

    Employees:

    • Benefit from training centered on measures that are aligned with business outcomes
    • Are rewarded, recognized, and compensated based on measurable guidelines

    Promotions and Evaluations:

    • Are more effective when informed by meaningful performance measures that align with what leadership believes is important

    Performance measures benefit the organization by:

    • Helping employees know the steps to take to improve their performance
    • Ensuring alignment between team objectives and organizational goals
    • Providing a standardized way to support decision making related to compensation, promotions, and succession planning
    • Reducing “gaming” of metrics, when properly structured, thereby reducing risk to the organization
    • Affording legal defensibility by providing an objective basis for decision making

    Performance Management

    The Performance Management Facilitation Guide covers the following topics:

    • Develop Meaningful Goals
    • Set Meaningful Metrics

    Learning outcomes:

    Main goal: Become proficient in setting, tracking, and communicating around performance management goals.

    Key objectives:

    • Understand the role of managers and employees in the performance management process.
    • Learn to set SMART, business-aligned goals for your team.
    • Learn to help employees set useful individual goals.
    • Learn to set meaningful, holistic metrics to track goal progression.
    • Understand the relationship between goals, metrics, and feedback.

    Info-Tech Insight

    Goal and metric development holds special significance for first-time IT managers because it now impacts not only their personal performance, but that of their employees and their team collectively. Training on these topics with a practical team- and employee-development approach is a focused way to build these skills.

    Coaching & Feedback

    Coaching and feedback are effective methods to influence employees and drive business outcomes

    COACHING is a conversation in which a manager asks an employee questions to guide them to solve problems themselves, instead of just telling them the answer.

    Coaching increases employee happiness, and decreases turnover.1

    Coaching promotes innovation.2

    Coaching increases employee engagement, effort and performance.3

    FEEDBACK is information about the past, given in the present, with the goal of influencing behavior or performance for the future. It includes information given for reinforcement and redirection.

    Honest feedback enhances team psychological safety.4

    Feedback increases employee engagement.5

    Feedback boosts feelings of autonomy and drives innovation.6

    1. Administrative Sciences, 2022
    2. International Review of Management and Marketing, 2020
    3. Current Psychology, 2021
    4. Quantum Workplace, 2021
    5. Issues and Perspectives in Business and Social Sciences, 2022
    6. Sustainability, 2021

    Coaching & Feedback

    The Coaching & Feedback Facilitation Guide covers the following topics:

    • The 4 A’s of Coaching
    • Effective Feedback

    Learning outcomes:

    Main goal: Get prepared to coach and offer feedback to your staff as appropriate.

    Key objectives:

    • Understand the difference between coaching and feedback and when to apply each one.
    • Learn the importance of a coaching mindset.
    • Learn effective coaching via the 4 A’s framework.
    • Understand the actions that make up feedback and the factors that make it successful.
    • Learn to deal with resistance to feedback.

    Info-Tech Insight

    First-time managers often shy away from giving coaching and feedback, stalling their team’s performance. A focused and practical approach to building these skills equips new managers with the tools and confidence to tackle these challenges as soon as they arise.

    Your Role in the Organization

    IT managers who understand the business context provide more value to the organization

    Managers who don’t understand the business cannot effect positive change. The greater understanding that IT managers have of business context, the more value they provide to the organization as seen by the positive relationship between IT’s understanding of business needs and the business’ perception of IT value.

    The image contains a screenshot of a scatter plot grid demonstrating business satisfaction with IT Understanding of Needs across Overall IT Value.

    Source: Info-Tech Research Group

    Your Role in the Organization

    Knowing your stakeholders is key to understanding your role in the business and providing value to the organization

    To understand your role in the business, you need to know who your stakeholders are and what value you and your team provide to the organization. Knowing how you help each stakeholder meet their wants needs and goals means that you have the know-how to balance experience and outcome-based behaviors. This is the key to being an attentive leader.


    The tactics you will learn in this section will help you to:

    1. Know your stakeholders. There are five key stakeholders the majority of IT managers have: management, peers, direct reports, internal users, and external users or customers. Managers need to understand the goals, needs, and wants of each of these groups to successfully provide value to the organization.
    2. Understand the value you provide to each stakeholder. Stakeholder relationship management requires IT managers to exhibit drive and support behaviors based on the situation. By knowing how you drive and support each stakeholder, you understand how you provide value to the organization and support its mission, vision, and values.
    3. Communicate the value your team provides to the organization to your team. Employees need to understand the impact of their work. As an IT manager, you are responsible for communicating how your team provides value to the organization. Mission statements on how you provide value to each stakeholder is an easy way to clearly communicate purpose to your team.

    Benefits:

    • Faster and higher growth.
    • Improved team engagement.
    • Improved stakeholder satisfaction.
    • Better quality decision making.
    • More innovation and motivation to complete goals and tasks.
    • Greater ability to secure support and execute on goals and tasks.
    • More effective cooperation on activities, better quality information, and greater value from stakeholder input.
    • Better understanding of IT performance and contribution.

    Your Role in the Organization

    The Your Role in the Organization Facilitation Guide covers the following topics:

    • Know Your Stakeholders
    • Understand the Value You Provide to the Organization
    • Develop Learnings Into Habits

    Learning outcomes:

    Main goal: Understand how your role and the role of your team serves the business.

    Key objectives:

    • Learn who your stakeholders are.
    • Understand how you drive and support different stakeholder relationships.
    • Relate your team’s tasks back to the mission, vision, and values of the organization.
    • Create a mission statement for each stakeholder to bring back to your team.

    Info-Tech Insight

    Before training first-time IT managers, take some time as the facilitator to review how you will serve the wants and needs of those you are training and your stakeholders in the organization.

    Decision Making

    Bad decisions have tangible costs, so managers must be trained in how to make effective decisions

    To understand your role in the decision-making process, you need to know what is expected of you and you must understand what goes into making a good decision. The majority of managers report they have no trouble making decisions and that they are good decision makers, but the statistics say otherwise. This ease at decision making is due to being overly confident in their expertise and an inability to recognize their own ignorance.1


    The tactics you will learn in this section will help you to:

    1. Effectively communicate decisions. Often, first-time managers are either sharing their decision recommendations with their manager or they are communicating a decision down to their team. Managers need to understand how to have these conversations so their recommendations provide value to management and top-down decisions are successfully implemented.
    2. Provide valuable feedback on decisions. Evaluating decisions is just as critical as making decisions. If decisions aren’t reviewed, there is no data or feedback to discover why a decision was a success or failure. Having a plan in place before the decision is made facilitates the decision review process and makes it easier to provide valuable feedback.
    3. Avoid common decision-making mistakes. Heuristics and bias are common decision pitfalls even senior leaders are susceptible to. By learning what the common decision-making mistakes are and being able to recognize them when they appear in their decision-making process, first-time managers can improve their decision-making ability.

    20% Of respondents say their organizations excel at decision making (McKinsey, 2018).

    87% “Diverse teams are 87% better at making decisions” (Upskillist, 2022).

    86% of employees in leadership positions blame the lack of collaboration as the top reason for workplace failures (Upskillist, 2022).

    Decision Making

    A decision-making process is imperative, even though most managers don’t have a formal one

    1. Identify the Problem and Define Objectives
    2. Establish Decision Criteria
    3. Generate and Evaluate Alternatives
    4. Select an Alternative and Implement
    5. Evaluate the Decision

    Managers tend to rely on their own intuition which is often colored by heuristics and biases. By using a formal decision-making process, these pitfalls of intuition can be mitigated or avoided. This leads to better decisions.

    First-time managers are able to apply this framework when making decision recommendations to management to increase their likelihood of success, and having a process will improve their decisions throughout their career and the financial returns correlated with them.

    Decision Making

    Recognizing personal heuristics and bias in the decision-making process improves more than just decision results

    Employees are able to recognize bias in the workplace, even when management can’t. This affects everything from how involved they are in the decision-making process to their level of effort and productivity in implementing decisions. Without employee support, even good decisions are less likely to have positive results. Employees who perceive bias:

    Innovation

    • Hold back ideas and solutions
    • Intentionally fail to follow through on important projects and tasks

    Brand Reputation

    • Speak negatively about the company on social media
    • Do not refer open positions to qualified persons in their network

    Engagement

    • Feel alienated
    • Actively seek new employment
    • Say they are not proud to work for the company

    Decision Making

    The Decision Making Facilitation Guide covers the following topics:

    • Effectively Communicate Decisions
    • Provide Valuable Feedback on Decisions
    • Avoid Common Decision-Making Mistakes

    Learning outcomes:

    Main goal: Understand how to successfully perform your role in the decision process.

    Key objectives:

    • Understand the decision-making process and how to assess decisions.
    • Learn how to communicate with your manager regarding your decision recommendations.
    • Learn how to effectively communicate decisions to your team.
    • Understand how to avoid common decision-making errors.

    Info-Tech Insight

    Before training a decision-making framework, ensure it is in alignment with how decisions are made in your organization. Alternatively, make sure leadership is on board with making a change.

    Manage Conflict Constructively

    Enable leaders to resolve conflicts while minimizing costs

    If you are successful in your talent acquisition, you likely have a variety of personalities and diverse individuals within your IT organization and in the business, which means that conflict is inevitable. However, conflict does not have to be negative – it can take on many forms. The presence of conflict in an organization can actually be a very positive thing: the ability to freely express opinions and openly debate can lead to better, more strategic decisions being made.

    The effect that the conflict is having on individuals and the work environment will determine whether the conflict is positive or counterproductive.

    As a new manager you need to know how to manage potential negative outcomes of conflict by managing difficult conversations and understanding how to respond to conflict in the workplace.


    The tactics you will learn in this section will help you to:

    1. Apply strategies to prepare for and navigate through difficult conversations.
    2. Expand your comfort level when handling conflict, and engage in constructive conflict resolution approaches.

    Benefits:

    • Relieve stress for yourself and your co-workers.
    • Save yourself time and energy.
    • Positively impact relationships with your employees.
    • Improve your team dynamic.
    • Remove roadblocks to your work and get things done.
    • Save the organization money.
    • Improve performance.
    • Prevent negative issues from reoccurring.

    Manage Conflict Constructively

    Addressing difficult conversations is beneficial to you, your people, and the organization

    When you face a difficult conversation you…

    • Relieve stress on you and your co-workers.
    • Save yourself time and energy.
    • Positively impact relationships with your employees.
    • Improve your team dynamic.
    • Remove roadblocks to your work
    • Save the organization money.
    • Improve performance.
    • Prevent negative issues from reoccurring.

    40% Of employees who experience conflict report being less motivated as a result (Acas, 2021).

    30.6% Of employees report coming off as aggressive when trying to resolve a conflict
    (Niagara Institute, 2022).

    Manage Conflict Constructively

    The Manage Conflict Constructively Facilitation Guide covers the following topics:

    • Know Your Ideal Time Mix
    • Calendar Diligence
    • Effective Delegation
    • Limit Interruptions

    Learning outcomes:

    Main goal: Effectively manage your time and know which tasks are your priority and which tasks to delegate.

    Key objectives:

    • Understand common reasons for difficult conversations.
    • Learn Info-Tech’s six-step process to best to prepare for difficult conversations.
    • Follow best practices to approach difficult conversations.
    • Learn the five approaches to conflict management.
    • Practice conflict management skills.

    Info-Tech Insight

    Conflict does not have to be negative. The presence of conflict in an organization can actually be a very positive thing: the ability to freely express opinions and openly debate can lead to better, more strategic decisions being made.

    Master Time

    Effective leaders spend their time in specific ways

    How effective leaders average their time spent across the six key roles:

    Leaders with effective time management skills spend their time across six key manager roles: strategy, projects, management, operations, innovation, and personal. While there is no magic formula, providing more value to the business starts with little practices like:

    • Spending time with the right stakeholders and focusing on the right priorities.
    • Evaluating which meetings are important and productive.
    • Benchmarking yourself against your peers in the industry so you constantly learn from them and improve yourself.


    The keys to providing this value is time management and delegation. The tactics in this section will help first-time managers to:

    1. Discover your ideal time. By analyzing how you currently spend your time, you can see which roles you are under/over using and, using your job description and performance metrics, discover your ideal time mix.
    2. Practice calendar diligence. Time blocking is an effective way to use your time, see your week, and quickly understand what roles you are spending your time in. Scheduling priority tasks first gives insight into which tasks should be delegated.
    3. Effectively delegation. Clear expectations and knowing the strengths of your team are the cornerstone to effective delegation. By understanding the information you need to communicate and identifying the best person on your team to delegate to, tasks and goals will be successfully completed.
    4. Limit interruptions. By learning how to limit interruptions from your team and your manager, you are better able to control your time and make sure your tasks and goals get completed.

    Strategy

    23%

    Projects

    23%

    Management

    19%

    Operations

    19%

    Innovation

    13%

    Personal

    4%

    Source: Info-Tech, N=85

    Master Time

    Signs you struggle with time management

    Too many interruptions in a day to stay focused.

    Too busy to focus on strategic initiatives.

    Spending time on the wrong things.

    The image contains a screenshot of a bar graph that demonstrates struggle with time management.

    Master Time

    The Master Time Facilitation Guide covers the following topics:

    • Understand Communication Styles
    • Tailor Communication Methods to Activities
    • Make Meetings Matter

    Learning outcomes:

    Main goal: Become a better communicator across a variety of personal styles and work contexts.

    Key objectives:

    • Understand how you spend your time.
    • Learn how to use your calendar effectively.
    • Understand the actions to take to successfully delegate.
    • Learn how to successfully limit interruptions.

    Info-Tech Insight

    There is a right and wrong way to manage your calendar as a first-time manager and it has nothing to do with your personal preference.

    Accountability

    Accountability creates organizational and team benefits

    Improves culture and innovation

    Improves individual performance

    Increases employee engagement

    Increases profitability

    Increases trust and productivity

    Enables employees to see how they contribute

    Increases ownership employees feel over their work and outcomes

    Enables employees to focus on activities that drive the business forward

    Source: Forbes, 2019

    Accountability

    Accountability increases employee empowerment

    Employee empowerment is the number one driver of employee engagement. The extent to which you can hold employees accountable for their own actions and decisions is closely related to how empowered they are and how empowered they feel; accountability and empowerment go hand in hand. To feel empowered, employees must understand what is expected of them, have input into decisions that affect their work, and have the tools they need to demonstrate their talents.

    The image contains a screenshot to demonstrate how accountability increases employee empowerment.

    Source: McLean & Company Engagement Database, 2018; N=71,794

    Accountability

    The Accountability Facilitation Guide covers the following topics:

    • Create Clarity and Transparency
    • Articulate Expectations and Evaluation
    • Help Your Team Remove Roadblocks
    • Clearly Introduce Accountability to Your Team

    Learning outcomes:

    Main goal: Create a personal accountability plan and learn how to hold yourself and your team accountable.

    Key objectives:

    • Understand why accountability matters.
    • Learn how to create clarity and transparency.
    • Understand how to successfully hold people accountable through clearly articulating expectations and evaluation.
    • Know how to remove roadblocks to accountability for your team.

    Info-Tech Insight

    Accountability is about focusing on the results of a task, rather than just completing the task. Create team accountability by keeping the team focused on the result and not “doing their jobs.” First-time managers need to clearly communicate expectations and evaluation to successfully develop team accountability.

    Use the Build a Better Manager Participant Workbooks to help participants set accountabilities and track their progress

    A key feature of this blueprint is built-in guidance on transferring your managers’ new knowledge into practical skills and habits they can fall back on when their job requires it.

    The Participant Workbooks, one for each module, are structured around the three key principles of learning transfer to help participants optimally structure their own learning:

    • Track your learning. This section guides participants through conducting self-assessments, setting learning goals, recording key insights, and brainstorming relapse-prevention strategies
    • Establish your personal commitment. This section helps participants record the actions they personally commit to taking to continually practice their new skills
    • Secure organizational support. This section guides participants in recording the steps they will take to seek out support from their supervisor and peers.

    The image contains a screenshot of the Build a Better Manager Participant Workbooks.

    Info-Tech Insight

    Participants should use this workbook throughout their training and continue to review it for at least three months after. Practical skills take an extended amount of time to solidify, and using the workbook for several months will ensure that participants stay on track with regular practice and check-ins.

    Set your trainees up for success by reviewing these training best practices

    Cultural alignment

    It is critical that the department leadership team understand and agree with the best practices being presented. Senior team leads should be comfortable coaching first-time managers in implementing the skills developed through the training. If there is any question about alignment with departmental culture or if senior team leads would benefit from a refresher course, conduct a training session for them as well.

    Structured training

    Ensure the facilitator takes a structured approach to the training. It is important to complete all the activities and record the outputs in the workbook where appropriate. The activities are structured to ensure participants successfully use the knowledge gained during the workshop to build practical skills.

    Attendees

    Who should attend the training? Although this training is designed for first-time IT managers, you may find it helpful to run the training for the entire management team as a refresher and to get everyone on the same page about best practices. It is also helpful for senior leadership to be aware of the training because the attendees may come to their supervisors with requests to discuss the material or coaching around it.

    Info-Tech Insight

    Participants should use this workbook throughout their training and continue to review it for at least three months after. Practical skills take an extended amount of time to solidify, and using the workbook for several months will ensure that participants stay on track with regular practice and check-ins.

    1.2 Customize the facilitation guides

    1-3 hours

    Prior to facilitating your first session, ensure you complete the following steps:

    1. Read through all the module content, including the speaker’s notes, to familiarize yourself with the material and ensure the tactics presented align with your department’s culture and established best practices.
    2. Customize the slides with a pencil icon with information relevant to your organization.
    3. Ensure you are comfortable with all material to be presented and are prepared to answer questions. If you require clarification on any of the material, book a call with your Info-Tech analyst for guidance.
    4. Ensure you do not delete or heavily customize the self-assessment activities and the activities in the Review and Action Plan section of the module. These activities are structured around a skill building framework and designed to aid your trainees in applying their new knowledge in their day to day. If you have any concerns about activities in these sections, book a call with your Info-Tech analyst for guidance.
    Input Output
    • List of selected modules
    • Customized facilitation guides
    Materials Participants
    • Facilitation guides from selected modules
    • Training facilitator

    1.3 Prepare to deliver training

    1-3 hours

    Complete these steps in preparation for delivering the training to your first-time managers:

    1. Select a facilitator.
      • The right person to facilitate the meeting depends on the dynamics within your department. Having a senior IT leader can lend additional weight to the training best practices but may not be feasible in a large department. In these cases, an HR partner or external third party can be asked to facilitate.
    2. Distribute the workbooks to attendees before the first training session.
      • Change the header on the workbook templates to your own organization’s, if desired.
      • Email the workbooks to attendees prior to the first session. There is no pre-work to be completed.
    Input Output
    • List of selected modules
    • Facilitator selected
    • Workbook distributed
    Materials Participants
    • Workbooks from selected modules
    • Training sponsor
    • Training facilitator

    Phase 2

    Deliver training

    Phase 1 Phase 2 Phase 3
    • Select training topics
    • Customize the training facilitation guide for your organization
    • Deliver training modules
    • Confirm skill development action plan with trainees
    • Secure organizational support from trainees' supervisors

    Outcomes of this phase:

    • Training delivered
    • Development goals set by attendees
    • Action plan created by attendees

    2.1 Deliver training

    3 hours

    When you are ready, deliver the training. Ensure you complete all activities and that participants record the outcomes in their workbooks.

    Tips for activity facilitation:

    • Encourage and support participation from everyone. And be sure no one on the team dismisses anyone’s thoughts or opinions – they present the opportunity for further discussion and deeper insight.
    • Debrief after each activity, outlining any lessons learned, action items, and next steps.
    • Encourage participants to record all outcomes, key insights, and action plans in their workbooks.
    Input Output
    • Facilitation guides and workbooks for selected modules
    • Training delivered
    • Workbooks completed
    Materials Participants
    • Facilitation guides and workbooks for selected modules
    • Training facilitator
    • Trainees

    Phase 3

    Enable long-term skill development

    Phase 1Phase 2Phase 3
    • Select training topics
    • Customize the training facilitation guide for your organization
    • Deliver training modules
    • Confirm skill development action plan with trainees
    • Secure organizational support from trainees' supervisors

    Outcomes of this phase:

    • Attendees reminded of action plan and personal commitment
    • Supervisors reminded of the need to support trainees' development

    3.1 Email trainees with action steps

    0.5 hours

    After the training, send an email to attendees thanking them for participating and summarizing key next steps for the group. Use the template below, or write your own:

    “Hi team,

    I want to thank you personally for attending the Communicate Effectively training module. Our group led some great discussion.

    A reminder that the next time you will reconvene as a group will be on [Date] to discuss your progress and challenges to date.

    Additionally, your manager is aware and supportive of the training program, so be sure to follow through on the commitments you’ve made to secure the support you need from them to build your new skills.

    I am always open for questions if you run into any challenges.

    Regards,

    [Your name]”

    InputOutput
    • The date of participants’ next discussion meeting
    • Attendees reminded of next meeting date and encouraged to follow through on action plan
    MaterialsParticipants
    • Training facilitator

    3.2 Secure support from trainees’ supervisors

    0.5 hours

    An important part of the training is securing organizational support, which includes support from your trainees’ supervisors. After the trainees have committed to some action items to seek support from their supervisors, it is important to express your support for this and remind the supervisors of their role in guiding your first-time managers. Use the template below, or write your own, to remind your trainees’ supervisors of this at the end of training (if you are going through all three modules in a short period of time, you may want to wait until the end of the entire training to send this email):

    “Hi team,

    We have just completed Info-Tech’s first-time manager training with our new manager team. The trainees will be seeking your support in developing their new skills. This could be in the form of coaching, feedback on their progress, reviewing their development plan, etc.

    Supervisor support is a crucial component of skill building, so I hope I can count on all of you to support our new managers in their learning. If you are not sure how to handle these requests, or would like a refresher of the material our trainees covered, please let me know.

    I am always open for questions if you run into any challenges.

    Regards,

    [Your name]”

    InputOutput
    • List of trainees’ direct supervisors
    • Supervisors reminded to support trainees’ skill practice
    MaterialsParticipants
    • Training facilitator

    Contributors

    Brad Armstrong

    Brad Armstrong, Senior Engineering Manager, Code42 Software

    I am a pragmatic engineering leader with a deep technical background, now focused on building great teams. I'm energized by difficult, high-impact problems at scale and with the cloud technologies and emerging architectures that we can use to solve them. But it's the power of people and organizations that ultimately lead to our success, and the complex challenge of bringing all that together is the work I find most rewarding.

    We thank the expert contributors who chose to keep their contributions anonymous.

    Bibliography

    360Solutions, LLC. “The High Cost of Poor Communication: How to Improve Productivity and Empower Employees Through Effective Communication.” 360Solutions, 2009. Web.

    Ali, M., B. Raza, W. Ali, and N. Imtaiz. Linking Managerial Coaching with Employees’ Innovative Work Behaviors through Affective Supervisory Commitment: Evidence from Pakistan. International Review of Management and Marketing, vol. 10, no. 4, 2020, pp. 11-16.

    Allen, Frederick E. “The Terrible Management Technique That Cost Microsoft Its Creativity.” Forbes.com, 3 July 2012. Web.

    Allen, Renee. “Generational Differences Chart.” West Midland Family Center, n.d. Web.

    American Management Association. “Leading the Four Generations at Work.” American Management Association, Sept. 2014. Web.

    Aminov, Iskandar, Aaron De Smet, Gregor Jost, and David Mendelsohn. “Decision making in the age of urgency.” McKinsey & Company, 30 April 2019. Web.

    AON Hewitt. “Aon Hewitt Study Reveals Strong Link Between Employee Engagement and Employee Perceptions of Total Rewards. Honest Leader Communication Also Influences Engagement.” PR Newswire, 8 April 2015. Web.

    Armstrong, Brad. “How to Fail as a New Engineering Manager.” Noteworthy - The Journal Blog, 19 Feb. 2018. Web.

    Asmus, Mary Jo. “Coaching vs. Feedback.” Aspire-CS, 9 Dec. 2009. Web.

    Baldwin, Timothy T., et al. “The State of Transfer of Training Research: Moving Toward More Consumer-Centric Inquiry.” Human Resource Development Quarterly, vol. 28, no. 1, March 2017, pp. 17-28. Crossref, doi:10.1002/hrdq.21278.

    Batista, Ed. “Building a Feedback-Rich Culture from the Middle.” Ed Batista, April 2015. Web.

    Bilalic, Merim, Peter McLeod, and Fernand Gobet. Specialization Effect and Its Influence on Memory and Problem Solving in Expert Chess Players. Wiley Online Journal, 23 July 2009, doi: https://doi.org/10.1111/j.1551-6709.2009.01030.x

    Blume, Brian D., et al. “Transfer of Training: A Meta-Analytic Review.” Journal of Management, vol. 36, no. 4, July 2010, pp. 1065-105. Crossref, doi:10.1177/0149206309352880.

    BOH Training Guide. Wild Wing, Jan. 2017. Web.

    Bosler, Shana. “9 Strategies to Create Psychological Safety at Work.” Quantum Workplace, 3 June 2021. Web.

    Building Communication Skills. ACQUIRE Project/EngenderHealth, n.d. Web.

    Bucaro, Frank C. “The real issue in conflict is never about things…” Frank Bucaro blog, 7 March 2014. Web.

    Burke, Lisa A., and Holly M. Hutchins. “Training Transfer: An Integrative Literature Review.” Human Resource Development Review, vol. 6, no. 3, Sept. 2007, pp. 263-96. Crossref, doi:10.1177/1534484307303035.

    Caprino, Kathy. “Separating Performance Management from Compensation: New Trend for Thriving Organizations.” Forbes, 13 Dec. 2016. Web.

    Caprino, Kathy. “Why the Annual Review Process Damages Employee Engagement.” Forbes, 1 March 2016. Web.

    Carpineanu, Silvana. “7 Mistakes You Might Be Making When Writing A Meeting Agenda.” Time Doctor, 12 January 2021. Web.

    Cecchi-Dimeglio, Paola. “How Gender Bias Corrupts Performance Reviews, and What to Do About It.” Harvard Business Review, 12 April 2017. Web.

    Chartered Institute of Personnel and Development (CIPD). “PESTLE Analysis.” Chartered Institute of Personnel and Development, 2010. Web.

    Chiaburu, Dan S., et al. “Social Support in the Workplace and Training Transfer: A Longitudinal Analysis: Social Support and Training Transfer.” International Journal of Selection and Assessment, vol. 18, no. 2, June 2010, pp. 187-200. Crossref, doi:10.1111/j.1468-2389.2010.00500.x.

    Christensen, Ulrik Juul. “How to Teach Employees Skills They Don’t Know They Lack.” Harvard Business Review, 29 Sept. 2017. Web.

    CIPD. “Rapid evidence assessment of the research literature on the effect of goal setting on workplace performance.” Charted Institute of Personnel and Development, Dec. 2016. Web.

    CIPD. Annual Survey Report: Learning & Development 2015. Charted Institute of Personnel and Development, 2015. Web.

    Communication and Organizational Skills: NPHW Training Manual. Population Health Research Institute (PHRI), 17 Sept. 2015. Web.

    Cookson, Phil. “It’s time to see performance management as a benefit, not a burden.” CIPD. 17 March 2017. Web.

    Communication Statistics 2021. Project.co, 2021. Web.

    Connors, Roger. “Why Accountability?” The Oz Principle, Partners In Leadership, 2014.

    Coutifaris, Constantinos G. V., and Adam M. Grant “Taking Your Team Behind the Curtain: The Effects of Leader Feedback-Sharing and Feedback-Seeking on Team Psychological Safety.” Organization Science, vol. 33,
    no. 4, 2021, pp. 1574-1598. https://doi.org/10.1287/orsc.2021.1498

    Coy, Charles. “Peer Feedback: 6 Tips for Successful Crowdsourcing.” Rework, 25 June 2014. Web.

    “CQ Learn What Really Matters.” CQ Evidence-Based Management Learning Platform, n.d. Web.

    Darwant, Sarah. Coaching Training Course Book. Elite Training, 2012. Web.

    De Smet, Aaron, et al. How Companies Manage the Front Line Today: McKinsey Survey Results. McKinsey, Feb. 2010. Web.

    DeNault, Charles. “Employee Coaching Survey Results: Important and Engaging.” Saba, 22 April 2015. Web.

    Dermol, Valerij, and Tomaž Čater. “The Influence of Training and Training Transfer Factors on Organisational Learning and Performance.” Personnel Review, vol. 42, no. 3, April 2013, pp. 324–48. Crossref, doi:10.1108/00483481311320435.

    dgdotto. “Fail to Plan, Plan to Fail.” visual.ly, 30 April 2013. Web.

    Duggan, Kris. “Why the Annual Performance Review is Going Extinct.” Fast Company, 20 Oct. 2015. Web.

    Duhigg, Charles. “What Google Learned From Its Quest to Build the Perfect Team.” The New York Times, 25 Feb. 2016. Web.

    Earley, P. Christopher, and Randall S. Peterson. “The Elusive Cultural Chameleon: Cultural Intelligence as a New Approach to Intercultural Training for the Global Manager.” Academy of Management Learning & Education, vol. 3, no. 1, March 2004, pp. 100-15. Crossref, doi:10.5465/amle.2004.12436826.

    Edmondson, Amy. “Psychological Safety and Learning Behavior in Work Teams.” Administrative Science Quarterly, vol. 44, no. 2, June 1999, pp. 350-383. Web.

    “Effective Employee Communications Fosters Corporate Reputation.” The Harris Poll, 10 June 2015. Web.

    Eichenwald, Kurt. “How Microsoft Lost its Mojo: Steve Ballmer and Corporate American’s Most Spectacular Decline.” Vanity Fair, 24 July 2012. Web.

    Essential Supervisory Skills. University of Washington, 2016. Web.

    “Estimating the Costs of Workplace Conflict.” Acas, 11 May 2021. Web.

    Falcone, Paul. “Viewpoint: How to Redesign Your Performance Appraisal Template.” Society for Human Resource Management, 7 June 2017. Web.

    Fermin, Jeff. “Statistics On The Importance Of Employee Feedback.” Officevibe, 7 Oct. 2014. Web.

    Filipkowski, Jenna, et al. Building a Coaching Culture with Millennial Leaders. Human Capital Institute, 18 Sept. 2017. Web.

    First Time Manager Training to Help New Managers Develop Essential Skills. The Ken Blanchard Companies, n.d. Web.

    Fisher, Dan. Feedback vs. Coaching, What’s the Difference? Menemsha Group, 28 June 2018. Web.

    Freedman, Erica. “How to Build an Internal Leadership Development Program.” Chief Executive, 2016. Web.

    "Futureproof Your Organization with These 8 Manager Effectiveness Metrics.” Visier Inc., 8 Aug. 2017. Web.

    Gallo, Amy. “How to Manage Your Former Peers.” Harvard Business Review, Dec. 2012. Web.

    Gandhi, Vipula. “Want to Improve Productivity? Hire Better Managers.” Gallup, 3 Aug. 2018. Web.

    Gallup. State of the Global Workplace. 1st edition, Gallup Press, 2017. Web.

    Global Workplace Analytics. “Latest Telecommuting Statistics.” Global Workplace Analytics. Sept. 2013. Web.

    Goldsmith, Marshall. “Try Feedforward Instead of Feedback.” Leader to Leader Institute, 5 April 2011. Web.

    Goldsmith, Marshall. "11 Guidelines for Influencing Top Decision Makers." Marshall Goldsmith, n.d. Web.

    Goldsmith, Marshall. "I Know Less Than You Do – and It’s Okay!" Marshall Goldsmith, n.d. Web.

    Goldsmith, Marshall. "Is It Worth It to Add Value? Not Always." Marshall Goldsmith, n.d. Web.

    Goler, L., J. Gale, and A. Grant. “Let’s Not Kill Performance Evaluations Yet.” Harvard Business Review, Nov. 2016. Web.

    Good Manager, Bad Manager. Grovo, 2016. Web.

    Google People Operations. “Guide: Understand Team Effectiveness.” Google, n.d. Web.

    Google’s New Manager Student Workbook. re:Work with Google, n.d. Web.

    Google’s New Manager Training Facilitator Guide. re:Work with Google, n.d. Web.

    Gossen, Paul. A Coaching Culture Transformation ~ Case Study. Athena Training and Consulting, 1 April 2011. Web.

    Goudreau, Jenna. “How to Communicate in the New Multi-Generational Office.” Forbes Magazine, Feb. 2013. Web.

    Govaerts, Natalie, and Filip Dochy. “Disentangling the Role of the Supervisor in Transfer of Training.” Educational Research Review, vol. 12, June 2014, pp. 77-93. Crossref, doi:10.1016/j.edurev.2014.05.002.

    Grenchus, Gabrielle. “Keep employees engaged with clear priorities and crowdsourced recognition.” IBM thinkLeaders. 8 June 2015. Web.

    Grossman, Rebecca, and Eduardo Salas. “The Transfer of Training: What Really Matters: The Transfer of Training.” International Journal of Training and Development, vol. 15, no. 2, June 2011, pp. 103-20. Crossref, doi:10.1111/j.1468-2419.2011.00373.x.

    Grote, Dick. “3 Popular Goal-Setting Techniques Managers Should Avoid.” Harvard Business Review. 2 Jan. 2017. Web.

    Hall, John. “Why Accountability Is Vital To Your Company.” Forbes, 6 Oct. 2019. Web.

    Hancock, Bryan, et al. “The Fairness Factor in Performance Management.” McKinsey, 5 April 2018. Web.

    Harkins, Phil. “10 Leadership Techniques for Building High-Performing Teams.” Linkage Inc., 2014. Web.

    HCI. Building a Coaching Culture with Managers and Leaders. Human Capital Institute, 2016. Web.

    Heathfield, Susan M. “Tips to Create Successful Performance Appraisal Goals.” The Balance, Aug. 2016. Web.

    Hills, Jan. Brain-Savvy Business: 8 Principles From Neuroscience and How to Apply Them. Head Heart + Brain, 2016. Print.

    Hoffman, Mitchell, and Steven Tadelis. People Management Skills, Employee Attrition, and Manager Rewards: An Empirical Analysis. p. 96.

    “How to Create an Effective Feedback Culture.” eXplorance Inc. Feb. 2013. Web.

    “Importance of Performance Management Process & Best Practices To Optimize Monitoring Performance Work Reviews/Feedback and Goal Management.” SAP Success Factors, n.d. Web.

    Jacobson, Darcy. “How Bad Performance Management Killed Microsoft’s Edge.” Globoforce Blog, 5 July 2012. Web.

    Jaidev, Uma Pricilda, and Susan Chirayath. Pre-Training, During-Training and Post-Training Activities as Predictors of Transfer of Training. no. 4, 2012, p. 18.

    Jensen, Michael C. “Paying People to Lie: The Truth about the Budgeting Process.” European Financial Management, vol. 9, no. 3, 2003, pp. 379-406. Print.

    Kahneman, Daniel, and Ram Charan. HBR's 10 Must Reads on Making Smart Decisions. Harvard Business Review, 26 March 2013. Ebook.

    Kirkpatrick, J., and W. Kirkpatrick. “The Kirkpatrick Four Levels: A Fresh Look After 50 Years 1959-2009.” Kirkpatrickpartners.com, 2009. Web.

    Kirwan, Cyril. Improving Learning Transfer. Routledge, 2016.

    Kline, Theresa J.B., and Lorne M. Sulsky. “Measurement and Assessment Issues in Performance Appraisal.” Canadian Psychology, vol. 50, no. 3, 2009, pp. 161-171. Proquest. Web.

    Kowalski, Kyle. “Create a Daily Routine with Calendar Time Blocking (+ 7 Pro Tips).” Sloww, 29 May 2018. Web.

    Krentz, Susanna E., et al. ”Staying on Course with Strategic Metrics.” Healthcare Financial Management, vol. 60, no. 5, 2006, pp. 86-94. Proquest. Web.

    Kuligowski, Kiely. Tips for First-Time Managers. 15 Feb. 2019. Web.

    Laker, Dennis R., and Jimmy L. Powell. “The Differences between Hard and Soft Skills and Their Relative Impact on Training Transfer.” Human Resource Development Quarterly, vol. 22, no. 1, March 2011, pp. 111-22. Crossref, doi:10.1002/hrdq.20063.

    Lawrence, Paul. “Managerial coaching – A literature review.” International Journal of Evidence Based Coaching and Mentoring, vol. 15, no. 2, 2017, pp. 43-66. Web.

    Ledford, Gerald E. Jr., George Benson, and Edward E. Lawler III. “Cutting-Edge Performance Management.” WorldatWork Research, Aug. 2016. Web.

    Lee, W.R.; Choi, S.B.; Kang, S.-W. How Leaders’ Positive Feedback Influences Employees’ Innovative Behavior: The Mediating Role of Voice Behavior and Job Autonomy. Sustainability, vol. 13, no. 4, 2021, pp. 1901. https://doi.org/10.3390/su13041901

    Leopold, Till Alexander, Vesselina Ratcheva, and Saadia Zahidi. The Future of Jobs. World Economic Forum, 2016. Web.

    Levy, Dan. “How to Build a Culture That Embraces Feedback.” Inc. Magazine, March 2014. Web.

    Lighthouse Research & Advisory. “Insights from the CHRO Panel at Workhuman 2017.” Lighthouse Research & Advisory, June 2017. Web.

    Lipman, Victor. “For New Managers, Boundaries Matter (A Lot).” Forbes, 19 March 2018. Web.

    Lipman, Victor. “The Hardest Thing For New Managers.” Forbes, 1 June 2016. Web.

    Lipman, Victor. “The Move To New Manager May Be The Hardest Transition In Business.” Forbes, 2 Jan. 2018. Web.

    Lyons, Rich. “Feedback: You Need To Lead It.” Forbes, 10 July 2017. Web.

    “Managing Email Effectively.” MindTools, n.d. Web.

    Managing Performance Workbook. Trainer Bubble, 16 Feb. 2013. Web.

    Mayfield, Clifton, et al. “Psychological Collectivism and Team Effectiveness: Moderating Effects of Trust and Psychological Safety.” Journal of Organizational Culture, Communications and Conflict, vol. 20, no. 1, Jan. 2016, pp. 78-94. Web.

    McAlpin, Kevin and Hans Vaagenes. “Critical Decision Making.” Performance Coaching International. 17 Nov. 2017. Web.

    McCoy, Jim. “How to Align Employee Performance with Business Strategy.” Workforce Management, vol. 86, no. 12, 2007, pp. S5. Proquest. Web.

    “Measuring Time-To-Full Productivity.” FeverBee, n.d. Web.

    Meister, Jeanne. The 2020 Workplace: How Innovative Companies Attract, Develop, and Keep Tomorrow's Employees Today. HarperBusiness, 2010. Print.

    Meyer, Erin. “The Four Keys To Success With Virtual Teams.” Forbes Magazine, 19 Aug. 2010. Web.

    Morris, Donna. “Death to the Performance Review: How Adobe Reinvented Performance Management and Transformed Its Business.” WorldatWork, 2016, p. 10. Web.

    Myers-Briggs Company. “New Research: Time Spent on Workplace Conflict Has Doubled Since 2008.” Yahoo! Finance, 18 Oct. 2022. Web.

    Murdoch, Elisabeth. “Elisabeth Murdoch's MacTaggart lecture: full text.” The Guardian, 23 Aug. 2012. Web.

    NASA Governance and Strategic Management Handbook (NPD 1000.0B). NASA, June 2014. Web.

    NASA Space Flight Program and Project Management Handbook (NASA/SP-2014-3705). NASA, Sept. 2014. Web.

    New Manager Training: Management & Leadership Skills. Schulich School of Business, n.d. Web.

    O’Hanlon, Margaret. “It’s a Scandal! Manager Training Exposed! [Implementation Part 4].” Compensation Cafe, 16 Feb. 2012. Web.

    Ordonez, Lisa D., et al. “Goals Gone Wild: The Systematic Side Effects of Over-Prescribing Goal Setting.” Social Science Research Network. Harvard Business School, 11 Feb. 2009. Web.

    Paczka, Nina. “Meeting in the Workplace | 2023 Statistics.” LiveCareer, 25 July 2022. Web.

    Pavlou, Christina. “How to Calculate Employee Turnover Rate | Workable.” Recruiting Resources: How to Recruit and Hire Better, 13 July 2016. Web.

    Performance Management 101 Workbook. Halogen Software, 2015. Web.

    Personal Development and Review. Oxford Learning Institute, n.d. Web.

    Personal Development Plan. MindTools, 2014. Web.

    Porath, Christine, et al. “The Effects of Civility on Advice, Leadership, and Performance.” Journal of Applied Psychology, vol. 44, no. 5, Sept. 2015, pp. 1527-1541. Web.

    Project Management Institute. “PMI’s Pulse of The Profession: In-Depth Report.” PMI, May 2013. Web. June 2015.

    Quay, C. C., and A. Yusof. “The influence of employee participation, rewards and recognition, job security, and performance feedback on employee engagement.” Issues and Perspectives in Business and Social Sciences, vol. 2, no. 1, 2022, pp. 20. https://doi.org/10.33093/ipbss.2022.2.1.3

    Quinn, R. E., and J. Rohrbaugh. “A spatial model of effectiveness criteria: Towards a competing values approach to organizational analysis.” Management Science, vol. 29, 1983, pp. 363–377.

    Re:Work Guide: Develop and Support Managers. re:Work with Google, n.d. Web.

    Reardon, Kathleen Kelley. “7 Things to Say When a Conversation Turns Negative.” Harvard Business Review, 11 May 2016. Web.

    Reh, F. John. “Here Is a List of Mistakes New Managers Make and How to Avoid Them.” The Balance Careers, 30 Dec. 2018. Web.

    Richards, Leigh. “Why Is Employee Empowerment a Common Cornerstone of Organizational Development & Change Programs?” Houston Chronicle, Hearts Newspapers, LLC. 5 July 2013. Web.

    Robson, Fiona. Southwood School – A Case Study: Performance Management Systems. Society for Human Resource Management, 2009. Crossref, doi:10.4135/9781473959552.

    Rock, David, and Beth Jones. “Why More and More Companies are Ditching Performance Ratings.” Harvard Business Review, 8 Sept. 2015. Web.

    Rock, David. “SCARF: A Brain-Based Model for Collaborating With and Influencing Others.” NeuroLeadership Journal, 2008. Web..

    Romão, Soraia, Neuza Ribeiro, Daniel Roque Gomes, and Sharda Singh. “The Impact of Leaders’ Coaching Skills on Employees’ Happiness and Turnover Intention.” Administrative Sciences, vol. 12, no. 84, 2022. https://doi.org/10.3390/ admsci12030084

    Romero, Joseluis. “Yes - you can build a feedback culture.” Skills 2 Lead, Aug. 2014. Web.

    Runde, Craig E., and Tim A. Flanagan. “Conflict Competent Leadership.” Leader to Leader, Executive Forum, Winter 2008. PDF.

    Saks, Alan M., and Lisa A. Burke-Smalley. “Is Transfer of Training Related to Firm Performance?: Transfer and Firm Performance.” International Journal of Training and Development, vol. 18, no. 2, June 2014, pp. 104–15. Crossref, doi:10.1111/ijtd.12029.

    Saks, Alan M., et al. “The Transfer of Training: The Transfer of Training.” International Journal of Training and Development, vol. 18, no. 2, June 2014, pp. 81–83. Crossref, doi:10.1111/ijtd.12032.

    Salomonsen, Summer. Grovo’s First-Time Manager Microlearning® Program Will Help Your New Managers Thrive in 2018. Grovo, 2018. Web.

    Schwartz, Dan. “3 Topics Every New Manager Training Should Include.” Training Industry, 12 April 2017. Web.

    Scott, Dow, Tom McMullen, and Mark Royal. “Retention of Key Talent and the Role of Rewards.” WorldatWork, June 2012. Web.

    “Seeking Agility in Performance Management.” Human Resource Executive, 2016. Web.

    “Should You Always Involve Your Team in Decision Making?” Upskillist, 25 April 2022. Web.

    “SHRM Workplace Forecast.” The Top Workplace Trends According to HR Professionals, May 2013. Web.

    Singhal, Nikhyl. “Eight Tips for First Time Managers.” Medium, 20 Aug. 2017. Web.

    Singhania, Prakriti, et al. “2020 Global Marketing Trends.” Deloitte, 2019. Web.

    SMART Goals: A How to Guide. University of California, n.d. Web.

    Smith, Benson, and Tony Rutigliano. “Scrap Your Performance Appraisal System.” Gallup, 2002. Article.

    “State of the Modern Meeting 2015.” BlueJeans, Aug. 2015. Web.

    Sternberg, Larry, and Kim Turnage. “Why Make Managers A Strategic Priority?” Great Leadership, 12 Oct. 2017. Web.

    Sullivan, Dr. John. “Facebook’s Difference: A Unique Approach For Managing Employees.”TLNT, Sept. 2013. Web.

    Tal, David. “A 'Culture of Coaching' Is Your Company's Most Important Ingredient for Success.” Entrepreneur, 27 Sept. 2017. Web.

    Tenut, Jeff. “How Management Development Training Reduces Turnover.” DiscoverLink, 3 July 2018. Web.

    “The 5 Biggest Biases That Affect Decision-Making.” NeuroLeadership Institute, 2 August 2022. Web.

    “The Different Impact of Good and Bad Leadership.” Barna Group, 2015. Web.

    “The Engaged Workplace.” Gallup, 2017. Web.

    “The Individual Development Plan Guide.” Wildland Fire Leadership Development Program, April 2010, p. 15.

    The State of Business Communication. Grammarly, 2022. Web.

    Thomas, Kenneth. “Conflict and Conflict Management.” The Handbook of Industrial and Organizational Psychology, Rand McNally, 1976. In “The Five Conflict-Handling Modes.” The Myers Briggs Company, n.d. PDF.

    Thompson, Rachel. “What Is Stakeholder Management?” MindTools, n.d. Web.

    Tollet, Francoise. “Distracted? Learn how to (re)focus.” Business Digest, 12 July 2021. Podcast.

    Tonhauser, Cornelia, and Laura Buker. Determinants of Transfer of Training: A Comprehensive Literature Review, p. 40.

    Towers Watson. “Clear Direction in a Complex World: How Top Companies Create Clarity, Confidence and Community to Build Sustainable Performance.” Change and Communication ROI Study Report, 2011-2012. Web.

    Trudel, Natalie. “Improve Your Coaching Skills by Understanding the Psychology of Feedback.” TLNT, 12 July 2017. Web.

    “Understanding When to Give Feedback.” Harvard Business Review, Dec. 2014. Web.

    Vacassin, Daniel. “There are no 'good' performance management systems – there are just good line managers.” LinkedIn, 4 Oct. 2016. Web.

    van der Locht, Martijn, et al. “Getting the Most of Management Training: The Role of Identical Elements for Training Transfer.” Personnel Review, vol. 42, no. 4, May 2013, pp. 422–39. Crossref, doi:10.1108/PR-05-2011-0072.

    Vaughan, Liam. “Banks Find New Ways to Measure Staff.” Financial News, 10 Jan. 2011. Web.

    Watkins, Michael, et al. “Hit the Ground Running:Transitioning to New Leadership Roles.” IMD Business School, May 2014. Web.

    Whitney, Kelley. “Kimberly-Clark Corp.: Redesigning Performance Management.” Talent Management Magazine, vol. 2, no. 1, 2006. Web.

    “Whole Foods 2015 Report.” The Predictive Index, n.d. Web.

    “Whole Foods Market Reports Fourth Quarter and Fiscal Year 2016 Results.” Whole Foods, 2 Feb. 2016. Web.

    Wisniewski, Dan. “Here's why everybody hates meetings.” HR Morning, 14 Dec. 2012. Web.

    Woolum, Janet, and Brent Stockwell. Aligning Performance Measurement to Mission, Goals, and Strategy Workbook. Arizona State University, Jan. 2016. Web.

    Worall, Les, et al. The Quality of Working Life. Chartered Management Institute, 2016. Web.

    “Workplace Conflict Statistics: How We Approach Conflict at Work.” Niagara Institute, 11 Aug. 2022. Web.

    “You Waste a Lot of Time at Work Infographic.” Atlassian, 23 August 2012. Web.

    Zenger, Jack, and Joe Folkman. “Feedback: The Leadership Conundrum.” Talent Quarterly: The Feedback Issue, 2015. Web.

    Zuberbühler, P., et al. “Development and validation of the coaching-based leadership scale and its relationship with psychological capital, work engagement, and performance.” Current Psychology, vol. 42, no. 10, 2021, pp. 1-22.

    Create a Customized Big Data Architecture and Implementation Plan

    • Buy Link or Shortcode: {j2store}388|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Data Management
    • Parent Category Link: /data-management
    • Big data architecture is different from traditional data for several key reasons, including:
      • Big data architecture starts with the data itself, taking a bottom-up approach. Decisions about data influence decisions about components that use data.
      • Big data introduces new data sources such as social media content and streaming data.
      • The enterprise data warehouse (EDW) becomes a source for big data.
      • Master data management (MDM) is used as an index to content in big data about the people, places, and things the organization cares about.
      • The variety of big data and unstructured data requires a new type of persistence.
    • Many data architects have no experience with big data and feel overwhelmed by the number of options available to them (including vendor options, storage options, etc.). They often have little to no comfort with new big data management technologies.
    • If organizations do not architect for big data, there are a couple of main risks:
      • The existing data architecture is unable to handle big data, which will eventually result in a failure that could compromise the entire data environment.
      • Solutions will be selected in an ad hoc manner, which can cause incompatibility issues down the road.

    Our Advice

    Critical Insight

    • Before beginning to make technology decisions regarding the big data architecture, make sure a strategy is in place to document architecture principles and guidelines, the organization’s big data business pattern, and high-level functional and quality of service requirements.
    • The big data business pattern can be used to determine what data sources should be used in your architecture, which will then dictate the data integration capabilities required. By documenting current technologies, and determining what technologies are required, you can uncover gaps to be addressed in an implementation plan.
    • Once you have identified and filled technology gaps, perform an architectural walkthrough to pull decisions and gaps together and provide a fuller picture. After the architectural walkthrough, fill in any uncovered gaps. A proof-of-technology project can be started as soon as you have evaluation copies (or OSS) products and at least one person who understands the technology.

    Impact and Result

    • Save time and energy trying to fix incompatibilities between technology and data.
    • Allow the Data Architect to respond to big data requests from the business more quickly.
    • Provide the organization with valuable insights through the analytics and visualization technologies that are integrated with the other building blocks.

    Create a Customized Big Data Architecture and Implementation Plan Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Recognize the importance of big data architecture

    Big data is centered on the volume, variety, velocity, veracity, and value of data. Achieve a data architecture that can support big data.

    • Storyboard: Create a Customized Big Data Architecture and Implementation Plan

    2. Define architectural principles and guidelines while taking into consideration maturity

    Understand the importance of a big data architecture strategy. Assess big data maturity to assist with creation of your architectural principles.

    • Big Data Maturity Assessment Tool
    • Big Data Architecture Principles & Guidelines Template

    3. Build the big data architecture

    Come to accurate big data architecture decisions.

    • Big Data Architecture Decision Making Tool

    4. Determine common services needs

    What are common services?

    5. Plan a big data architecture implementation

    Gain business satisfaction with big data requests. Determine what steps need to be taken to achieve your big data architecture.

    • Big Data Architecture Initiative Definition Tool
    • Big Data Architecture Initiative Planning Tool

    Infographic

    Workshop: Create a Customized Big Data Architecture and Implementation Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Recognize the Importance of Big Data Architecture

    The Purpose

    Set expectations for the workshop.

    Recognize the importance of doing big data architecture when dealing with big data.

    Key Benefits Achieved

    Big data defined.

    Understanding of why big data architecture is necessary.

    Activities

    1.1 Define the corporate strategy.

    1.2 Define big data and what it means to the organization.

    1.3 Understand why doing big data architecture is necessary.

    1.4 Examine Info-Tech’s Big Data Reference Architecture.

    Outputs

    Defined Corporate Strategy

    Defined Big Data

    Reference Architecture

    2 Design a Big Data Architecture Strategy

    The Purpose

    Identification of architectural principles and guidelines to assist with decisions.

    Identification of big data business pattern to choose required data sources.

    Definition of high-level functional and quality of service requirements to adhere architecture to.

    Key Benefits Achieved

    Key Architectural Principles and Guidelines defined.

    Big data business pattern determined.

    High-level requirements documented.

    Activities

    2.1 Discuss how maturity will influence architectural principles.

    2.2 Determine which solution type is best suited to the organization.

    2.3 Define the business pattern driving big data.

    2.4 Define high-level requirements.

    Outputs

    Architectural Principles & Guidelines

    Big Data Business Pattern

    High-Level Functional and Quality of Service Requirements Exercise

    3 Build a Big Data Architecture

    The Purpose

    Establishment of existing and required data sources to uncover any gaps.

    Identification of necessary data integration requirements to uncover gaps.

    Determination of the best suited data persistence model to the organization’s needs.

    Key Benefits Achieved

    Defined gaps for Data Sources

    Defined gaps for Data Integration capabilities

    Optimal Data Persistence technology determined

    Activities

    3.1 Establish required data sources.

    3.2 Determine data integration requirements.

    3.3 Learn which data persistence model is best suited.

    3.4 Discuss analytics requirements.

    Outputs

    Data Sources Exercise

    Data Integration Exercise

    Data Persistence Decision Making Tool

    4 Plan a Big Data Architecture Implementation

    The Purpose

    Identification of common service needs and how they differ for big data.

    Performance of an architectural walkthrough to test decisions made.

    Group gaps to form initiatives to develop an Initiative Roadmap.

    Key Benefits Achieved

    Common service needs identified.

    Architectural walkthrough completed.

    Initiative Roadmap completed.

    Activities

    4.1 Identify common service needs.

    4.2 Conduct an architectural walkthrough.

    4.3 Group gaps together into initiatives.

    4.4 Document initiatives on an initiative roadmap.

    Outputs

    Architectural Walkthrough

    Initiative Roadmap

    Change Management

    • Buy Link or Shortcode: {j2store}3|cart{/j2store}
    • Related Products: {j2store}3|crosssells{/j2store}
    • Up-Sell: {j2store}3|upsells{/j2store}
    • Download01-Title: Change Management Executive Brief
    • Download-01: Visit Link
    • member rating overall impact (scale of 10): 9.6/10
    • member rating average dollars saved: $35,031
    • member rating average days saved: 34
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    Every company needs some change management. Both business and IT teams benefit from knowing what changes when.

    incident, problem, problemchange

    Build a Cloud Security Strategy

    • Buy Link or Shortcode: {j2store}169|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $38,592 Average $ Saved
    • member rating average days saved: 44 Average Days Saved
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting
    • Leveraging the cloud introduces IT professionals to a new world that they are tasked with securing.
    • With many cloud vendors proposing to share the security responsibility, it can be a challenge for organizations to develop a clear understanding of how they can best secure their data off premises.

    Our Advice

    Critical Insight

    • Cloud security is not fundamentally different from security on premises.
    • While some of the mechanics are different, the underlying principles are the same. Accountability doesn’t disappear.
    • By virtue of its broad network accessibility, the cloud does expose decisions to extreme scrutiny, however.

    Impact and Result

    • The business is adopting a cloud environment and it must be secured, which includes:
      • Ensuring business data cannot be leaked or stolen.
      • Maintaining privacy of data and other information.
      • Securing the network connection points.
    • This blueprint and associated tools are scalable for all types of organizations within various industry sectors.

    Build a Cloud Security Strategy Research & Tools

    Start Here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a cloud security strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Explore security considerations for the cloud

    Explore how the cloud changes the required controls and implementation strategies for a variety of different security domains.

    • Build a Cloud Security Strategy – Phase 1: Explore Security Considerations for the Cloud
    • Cloud Security Information Security Gap Analysis Tool
    • Cloud Security Strategy Template

    2. Prioritize initiatives and construct a roadmap

    Develop your organizational approach to various domains of security in the cloud, considering the cloud’s unique risks and challenges.

    • Build a Cloud Security Strategy – Phase 2: Prioritize Initiatives and Construct a Roadmap
    [infographic]

    Workshop: Build a Cloud Security Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define Your Approach

    The Purpose

    Define your unique approach to improving security in the cloud.

    Key Benefits Achieved

    An understanding of the organization’s requirements for cloud security.

    Activities

    1.1 Define your approach to cloud security.

    1.2 Define your governance requirements.

    1.3 Define your cloud security management requirements.

    Outputs

    Defined cloud security approach

    Defined governance requirements

    2 Respond to Cloud Security Challenges

    The Purpose

    Explore challenges posed by the cloud in various areas of security.

    Key Benefits Achieved

    An understanding of how the organization needs to evolve to combat the unique security challenges of the cloud.

    Activities

    2.1 Explore cloud asset management.

    2.2 Explore cloud network security.

    2.3 Explore cloud application security.

    2.4 Explore log and event management.

    2.5 Explore cloud incident response.

    2.6 Explore cloud eDiscovery and forensics.

    2.7 Explore cloud backup and recovery.

    Outputs

    Understanding of cloud security strategy components (cont.).

    3 Build Cloud Security Roadmap

    The Purpose

    Identify initiatives to mitigate challenges posed by the cloud in various areas of security.

    Key Benefits Achieved

    A roadmap for improving security in the cloud.

    Activities

    3.1 Define tasks and initiatives.

    3.2 Finalize your task list

    3.3 Consolidate gap closure actions into initiatives.

    3.4 Finalize initiative list.

    3.5 Conduct a cost-benefit analysis.

    3.6 Prioritize initiatives and construct a roadmap.

    3.7 Create effort map.

    3.8 Assign initiative execution waves.

    3.9 Finalize prioritization.

    3.10 Incorporate initiatives into a roadmap.

    3.11 Schedule initiatives.

    3.12 Review your results.

    Outputs

    Defined task list.

    Cost-benefit analysis

    Roadmap

    Effort map

    Initiative schedule

    Spread Best Practices With an Agile Center of Excellence

    • Buy Link or Shortcode: {j2store}152|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $97,499 Average $ Saved
    • member rating average days saved: 26 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Your organization is looking to create consistency across all Agile teams to drive greater business results and alignment.
    • You are seeking to organically grow Agile capabilities within the organization through a set of support structures and facilitated through shared learning and capabilities.

    Our Advice

    Critical Insight

    • Social capital can be an enabler, but also a barrier. People can only manage a finite number of relationships; ensure that the connections the Center of Excellence (CoE) facilitates are purposeful.
    • Don’t over govern. Empowerment is critical to enable improvements; set boundaries and let teams work inside them with autonomy.
    • Legitimize through listening. A CoE will not be leveraged unless it aligns with the needs of its users. Invest the time to align with the functional expectations of your Agile teams.

    Impact and Result

    • Create a set of service offerings aligned with both corporate objectives and the functional expectations of its customers to ensure broad support and utility of the invested resources.
    • Understand some of the cultural and processual challenges you will face when forming a center of excellence, and address them using Info-Tech’s Agile adoption model.

    Spread Best Practices With an Agile Center of Excellence Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build an Agile Center of Excellence, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Strategically align the Center of Excellence

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision.

    • Spread Best Practices With an Agile Center of Excellence – Phase 1: Strategically Align the Center of Excellence

    2. Standardize the Center of Excellence’s service offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization.

    • Spread Best Practices With an Agile Center of Excellence – Phase 2: Standardize the Center of Excellence’s Service Offerings

    3. Operate the Center of Excellence

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change.

    • Spread Best Practices With an Agile Center of Excellence – Phase 3: Operationalize Your Agile Center of Excellence
    • ACE Satisfaction Survey
    • CoE Maturity Diagnostic Tool
    • ACE Benefits Tracking Tool
    • ACE Communications Deck
    [infographic]

    Workshop: Spread Best Practices With an Agile Center of Excellence

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Determine Vision of CoE

    The Purpose

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision.

    Understand how your key stakeholders will impact the longevity of your CoE.

    Determine your CoE structure and staff.

    Key Benefits Achieved

    Top-down alignment with strategic aims of the organization.

    A set of high-level use cases to form the CoE’s service offerings around.

    Visualization of key stakeholders, with their current and desired power and involvement documented.

    Activities

    1.1 Identify and prioritize organizational business objectives.

    1.2 Form use cases for the points of alignment between your Agile Center of Excellence (ACE) and business objectives.

    1.3 Prioritize your ACE stakeholders.

    Outputs

    Prioritized business objectives

    Business-aligned use cases to form CoE’s service offerings

    Stakeholder map of key influencers

    2 Define Service Offerings of CoE

    The Purpose

    Document the functional expectations of the Agile teams.

    Refine your business-aligned use cases with your collected data to achieve both business and functional alignment.

    Create a capability map that visualizes and prioritizes your key service offerings.

    Key Benefits Achieved

    Understanding of some of the identified concerns, pain points, and potential opportunities from your stakeholders.

    Refined use cases that define the service offerings the CoE provides to its customers.

    Prioritization for the creation of service offerings with a capability map.

    Activities

    2.1 Classified pains and opportunities.

    2.2 Refine your use cases to identify your ACE functions and services.

    2.3 Visualize your ACE functions and service offerings with a capability map.

    Outputs

    Classified pains and opportunities

    Refined use cases based on pains and opportunities identified during ACE requirements gathering

    ACE Capability Map

    3 Define Engagement Plans

    The Purpose

    Align service offerings with an Agile adoption model so that teams have a structured way to build their skills.

    Standardize the way your organization will interact with the Center of Excellence to ensure consistency in best practices.

    Key Benefits Achieved

    Mechanisms put in place for continual improvement and personal development for your Agile teams.

    Interaction with the CoE is standardized via engagement plans to ensure consistency in best practices and predictability for resourcing purposes.

    Activities

    3.1 Further categorize your use cases within the Agile adoption model.

    3.2 Create an engagement plan for each level of adoption.

    Outputs

    Adoption-aligned service offerings

    Role-based engagement plans

    4 Define Metrics and Plan Communications

    The Purpose

    Develop a set of metrics for the CoE to monitor business-aligned outcomes with.

    Key Benefits Achieved

    The foundations of continuous improvement are established with a robust set of Agile metrics.

    Activities

    4.1 Define metrics that align with your Agile business objectives.

    4.2 Define target ACE performance metrics.

    4.3 Define Agile adoption metrics.

    4.4 Assess the interaction and communication points of your Agile team.

    4.5 Create a communication plan for change.

    Outputs

    Business objective-aligned metrics

    CoE performance metrics

    Agile adoption metrics

    Assessment of organizational design

    CoE communication plan

    Further reading

    Spread Best Practices With an Agile Center of Excellence

    Achieve ongoing alignment between Agile teams and the business with a set of targeted service offerings.

    ANALYST PERSPECTIVE

    "Inconsistent processes and practices used across Agile teams is frequently cited as a challenge to adopting and scaling Agile within organizations. (VersionOne’s 13th Annual State of Agile Report [N=1,319]) Creating an Agile Center of Excellence (ACE) is a popular way to try to impose structure and improve performance. However, simply establishing an ACE does not guarantee you will be successful with Agile. When setting up an ACE you must: Define ACE services based on identified stakeholder needs. Staff the ACE with respected, “hands on” people, who deliver identifiable value to your Agile teams. Continuously evolve ACE service offerings to maximize stakeholder satisfaction and value delivered."

    Alex Ciraco, Research Director, Applications Practice Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • A CIO who is looking for a way to optimize their Agile capabilities and ensure ongoing alignment with business objectives.
    • An applications director who is looking for mechanisms to inject continuous improvement into organization-wide Agile practices.

    This Research Will Help You:

    • Align your Agile support structure with business objectives and the functional expectations of its users.
    • Standardize the ways in which Agile teams develop and learn to create consistency in purpose and execution.
    • Track and communicate successes to ensure the long-term viability of an Agile Center of Excellence (ACE).

    This Research Will Also Assist

    • Project managers who are tasked with managing Agile projects.
    • Application development managers who are struggling with establishing consistency, transparency, and collaboration across their teams.

    This Research Will Help Them:

    • Provide service offerings to their team members that will help them personally and collectively to develop desired skills.
    • Provide oversight and transparency into Agile projects and outcomes through ongoing monitoring.

    Executive summary

    Situation

    • Your organization has had some success with Agile, but needs to drive consistency across Agile teams for better business results and alignment.
    • You are seeking to organically grow Agile capabilities within the organization through a set of support services and facilitated through shared learning and capabilities.

    Complication

    • Organizational constraints, culture clash, and lack of continuous top-down support are hampering your Agile growth and maturity.
    • Attempts to create consistency across Agile teams and processes fail to account for the expectations of users and stakeholders, leaving them detached from projects and creating resistance.

    Resolution

    • Align the service offerings of your ACE with both corporate objectives and the functional expectations of its stakeholders to ensure broad support and utilization of the invested resources.
    • Understand some of the culture and process challenges you will face when forming an ACE, and address them using Info-Tech’s Agile adoption journey model.
    • Track the progress of the ACE and your Agile teams. Use this data to find root causes for issues, and ideate to implement solutions for challenges as they arise over time.
    • Effectively define and propagate improvements to your Agile teams in order to drive business-valued results.
    • Communicate progress to interested stakeholders to ensure long-term viability of the Center of Excellence (CoE).

    Info-Tech Insight

    1. Define ACE services based on stakeholder needs.Don’t assume you know what your stakeholders need without talking to them.
    2. Staff the ACE strategically. Choose those who are thought leaders and proven change agents.
    3. Continuously improve based on metrics and feedback.Constantly monitor how your ACE is performing and adjust to feedback.

    Info-Tech’s Agile Journey related Blueprints

    1. Stabilize

    Implement Agile Practices That Work

    Begin your Agile transformation with a comprehensive readiness assessment and a pilot project to adopt Agile development practices and behaviors that fit.

    2. Sustain

    YOU ARE HERE

    Spread Best Practices with an Agile Center of Excellence

    Form an ACE to support Agile development at all levels of the organization with thought leadership, strategic development support & process innovation.

    3. Scale

    Enable Organization-Wide Collaboration by Scaling Agile

    Extend the benefits of your Agile pilot project into your organization by strategically scaling Agile initiatives that will meet stakeholders’ needs.

    4. Satisfy

    Transition to Product Delivery Introduce product-centric delivery practices to drive greater benefits and better delivery outcomes.

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    2.1 Define an adoption plan for Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives

    Supporting Capabilities and Practices

    Modernize Your SDLC

    Remodel the stages of your lifecycle to standardize your definition of a successful product.

    Build a Strong Foundation for Quality

    Instill quality assurance practices and principles in each stage of your software development lifecycle.

    Implement DevOps Practices That Work

    Fix, deploy, and support applications quicker though development and operations collaboration.

    What is an Agile Center of Excellence?

    NOTE: Organizational change is hard and prone to failure. Determine your organization’s level of readiness for Agile transformation (and recommended actions) by completing Info-Tech’s Agile Transformation Readiness Tool.

    An ACE amplifies good practices that have been successfully employed within your organization, effectively allowing you to extend the benefits obtained from your Agile pilot(s) to a wider audience.

    From the viewpoint of the business, members of the ACE provide expertise and insights to the entire organization in order to facilitate Agile transformation and ensure standard application of Agile good practices.

    From the viewpoint of your Agile teams, it provides a community of individuals that share experiences and lessons learned, propagate new ideas, and raise questions or concerns so that delivering business value is always top of mind.

    An ACE provides the following:

    1. A mechanism to gather thought leadership to maximize the accessibility and reach of your Agile investment.
    2. A mechanism to share innovations and ideas to facilitate knowledge transfer and ensure broadly applicable innovations do not go to waste.
    3. Strategic alignment to ensure that Agile practices are driving value towards business objectives.
    4. Purposeful good practices to ensure that the service offerings provided align with expectations of both your Agile practitioners and stakeholders.

    SIDEBAR: What is a Community of Practice? (And how does it differ from a CoE?)

    Some organizations prefer Communities of Practice (CoP) to Centers of Excellence (CoE). CoPs are different from CoEs:

    A CoP is an affiliation of people who share a common practice and who have a desire to further the practice itself … and of course to share knowledge, refine best practices, and introduce standards. CoPs are defined by their domain of interest, but the membership is a social structure comprised of volunteer practitioners

    – Wenger, E., R. A. McDermott, et al. (2002) Cultivating communities of practice: A guide to managing knowledge, Harvard Business Press.

    CoPs differ from a CoE mainly in that they tend to have no geographical boundaries, they hold no hierarchical power within a firm, and they definitely can never have structure determined by the company. However, one of the most obvious and telling differences lies in the stated motive of members – CoPs exist because they have active practitioner members who are passionate about a specific practice, and the goals of a CoP are to refine and improve their chosen domain of practice – and the members provide discretionary effort that is not paid for by the employer

    – Matthew Loxton (June 1, 2011) CoP vs CoE – What’s the difference, and Why Should You Care?, Wordpress.com

    What to know about CoPs:

    1. Less formal than a CoE
      • Loosely organized by volunteer practitioners who are interested in advancing the practice.
    2. Not the Authoritative Voice
      • Stakeholders engage the CoP voluntarily, and are not bound by them.
    3. Not funded by Organization
      • CoP members are typically volunteers who provide support in addition to their daily responsibilities.
    4. Not covered in this Blueprint
      • In depth analysis on CoPs is outside the scope of this Blueprint.

    What does an ACE do? Six main functions derived from Info-Tech’s CLAIM+G Framework

    1. Learning
    • Provide training and development and enable engagement based on identified interaction points to foster organizational growth.
  • Tooling
    • Promote the use of standardized tooling to improve efficiency and consistency throughout the organization.
  • Supporting
    • Enable your Agile teams to access subject-matter expertise by facilitating knowledge transfer and documenting good practices.
  • Governing
    • Create operational boundaries for Agile teams, and monitor their progress and ability to meet business objectives within these boundaries.
  • Monitoring
    • Demonstrate the value the CoE is providing through effective metric setting and ongoing monitoring of Agile’s effectiveness.
  • Guiding
    • Provide guidance, methodology, and knowledge for teams to leverage to effectively meet organizational business objectives.
  • Many organizations encounter challenges to scaling Agile

    Tackle the following barriers to Agile adoption with a business-aligned ACE.

    List based on reported impediments from VersionOne’s 13th Annual State of Agile Report (N=1,319)

    1. Organizational culture at odds with Agile values
    • The ACE identifies and measures the value of Agile to build support from senior business leaders for shifting the organizational culture and achieving tangible business benefits.
  • General organizational resistance to change
    • Resistance comes from a lack of trust. Optimized value delivery from Info-Tech’s Agile adoption model will build the necessary social capital to drive cultural change.
  • Inadequate management support and sponsorship
    • Establishing an ACE will require senior management support and sponsorship. Its formation sends a strong signal to the organizational leadership that Agile is here to stay.
  • Lack of skills/experience with Agile methods
    • The ACE provides a vehicle to absorb external training into an internal development program so that Agile capabilities can be grown organically within the organization.
  • Inconsistent processes and practices across teams
    • The ACE provides support to individual Agile teams and will guide them to adopt consistent processes and practices which have a proven track record in the organization.
  • Insufficient training and education
    • The ACE will assist teams with obtaining the Agile skills training they need to be effective in the organization, and support a culture of continuous learning.
  • Overcome your Agile scaling challenges with a business aligned ACE

    An ACE drives consistency and transparency without sacrificing the ability to innovate. It can build on the success of your Agile pilot(s) by encouraging practices known to work in your organization.

    Support Agile Teams

    Provide services designed to inject evolving good practices into workflows and remove impediments or roadblocks from your Agile team’s ability to deliver value.

    Maintain Business Alignment

    Maintain alignment with corporate objectives without impeding business agility in the long term. The ACE functions as an interface layer so that changing expectations can be adapted without negatively impacting Agile teams.

    Facilitate Learning Events

    Avoid the risk of innovation and subject-matter expertise being lost or siloed by facilitating knowledge transfer and fostering a continuous learning environment.

    Govern Improvements

    Set baselines, monitor metrics, and run retrospectives to help govern process improvements and ensure that Agile teams are delivering expected benefits.

    Shift Culture

    Instill Agile thinking and behavior into the organization. The ACE must encourage innovation and be an effective agent for change.

    Use your ACE to go from “doing” Agile to “being” Agile

    Organizations that do Agile without embracing the changes in behavior will not reap the benefits.

    Doing what was done before

    • Processes and Tools
    • Comprehensive Documentation
    • Contract Negotiation
    • Following a Plan

    Being Prescriptive

    Going through the motions

    • Uses SCRUM and tools such as Jira
    • Plans multiple sprints in detail
    • Talks to stakeholders once in a release
    • Works off a fixed scope BRD

    Doing Agile

    Living the principles

    • Individuals and Interactions
    • Working Software
    • Customer Collaboration
    • Responding to Change

    Being Agile

    “(‘Doing Agile’ is) just some rituals but without significant change to support the real Agile approach as end-to-end, business integration, value focus, and team empowerment.” - Arie van Bennekum

    Establishing a CoE does not guarantee success

    Simply establishing a Center of Excellence for any discipline does not guarantee its success:

    The 2019 State of DevOps Report found that organizations which had established DevOps CoEs underperformed compared to organizations which adopted other approaches for driving DevOps transformation. (Accelerate State of DevOps Report 2019 [N=~1,000])

    Still, Agile Centers of Excellence can and do successfully drive Agile adoption in organizations. So what sets the successful examples apart from the others? Here’s what some have to say:

    The ACE must be staffed with qualified people with delivery experience! … [It is] effectively a consulting practice, that can evolve and continuously improve its services … These services are collectively about ‘enablement’ as an output, more than pure training … and above all, the ability to empirically measure the progress” – Paul Blaney, TD Bank

    “When leaders haven’t themselves understood and adopted Agile approaches, they may try to scale up Agile the way they have attacked other change initiatives: through top-down plans and directives. The track record is better when they behave like an Agile team. That means viewing various parts of the organization as their customers.” – HBR, “Agile at Scale”

    “the Agile CoE… is truly meant to be measured by the success of all the other groups, not their own…[it] is meant to be serving the teams and helping them improve, not by telling them what to do, but rather by listening, understanding and helping them adapt.” - Bart Gerardi, PMI

    The CoE must also avoid becoming static, as it’s crucial the team can adjust as quickly as business and customer needs change, and evolve the technology as necessary to remain competitive.” – Forbes, “RPA CoE (what you need to know)”

    "The best CoEs are formed from thought leaders and change agents within the CoE domain. They are the process and team innovators who will influence your CoE roadmap and success. Select individuals who feel passionate about Agile." – Hans Eckman, InfoTech

    To be successful with your ACE, do the following…

    Info-Tech Insight

    Simply establishing an Agile Center of Excellence does not guarantee its success. When setting up your ACE, optimize its impact on the organization by doing the following 3 things:

    1. Define ACE services based on stakeholder needs. Be sure to broadly survey your stakeholders and identify the ACE functions and services which will best meet their needs. ACE services must clearly deliver business value to the organization and the Agile teams it supports.
    2. Staff the ACE strategically. Select ACE team members who have real world, hands-on delivery experience, and are well respected by the Agile teams they will serve. Where possible, select internal thought leaders in your organization who have the credibility needed to effect positive change.
    3. Continuously improve ACE services based on metrics and feedback. The value your ACE brings to the organization must be clear and measurable, and do not assume that your functions and services will remain static. You must regularly monitor both your metrics and feedback from your Agile teams, and adjust ACE behavior to improve/maximize these over time.

    Spread Best Practices With an Agile Center of Excellence

    This blueprint will walk you through the steps needed to build the foundations for operational excellence within an Agile Center of Excellence.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Info-Tech’s Practice Adoption Journey

    Use Info-Tech’s Practice Adoption Journey model to establish your ACE. Building social capital (stakeholders’ trust in your ability to deliver positive outcomes) incrementally is vital to ensure that everyone is aligned to new mindsets and culture as your Agile practices scale.

    Trust & Competency ↓

    DEFINE

    Begin to document your development workflow or value chain, implement a tracking system for KPIs, and start gathering metrics and reporting them transparently to the appropriate stakeholders.

    ITERATE

    Use collected metrics and retrospectives to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.

    COLLABORATE

    Use information to support changes and adopt appropriate practices to make incremental improvements to the existing environment.

    EMPOWER

    Drive behavioral and cultural changes that will empower teams to be accountable for their own success and learning.

    INNOVATE

    Use your built-up trust and support practice innovation, driving the definition and adoption of new practices.

    Align your ACE with your organization’s strategy

    This research set will assist you with aligning your ACEs services to the objectives of the business in order to justify the resources and funding required by your Agile program.

    Business Objectives → Alignment ←ACE Functions

    Business justification to continue to fund a Center of Excellence can be a challenge, especially with traditional thinking and rigid stakeholders. Hit the ground running and show value to your key influencers through business alignment and metrics that will ensure that the ACE is worth continuous investment.

    Alignment leads to competitive advantage

    The pace of change in customer expectations, competitive landscapes, and business strategy is continuously increasing. It is critical to develop a method to facilitate ongoing alignment to shifting business and development expectations seamlessly and ensure that your Agile teams are able to deliver expected business value.

    Use Info-Tech’s CoE Operating Model to define the service offerings of your ACE

    Understand where your inputs and outputs lie to create an accessible set of service offerings for your Agile teams.

    The image shows a graphic of the COE Operating Model, showing the inputs and outputs, including Other CoEs (at top); Stakeholder Needs (at left); Metrics and Feedback (at bottom); and ACE Functions and Services (at right)

    Continuously improve the ACE to ensure long-term viability

    Improvement involves the continuous evaluation of the performance of your teams, using well-defined metrics and reasonable benchmarks that are supplemented by analogies and root-cause analysis in retrospectives.

    Monitor

    Monitor your metrics to ensure desired benefits are being realized. The ACE is responsible for ensuring that expected Agile benefits are achievable and on track. Monitor against your defined baselines to create transparency and accountability for desired outcomes.

    Iterate

    Run retrospectives to drive improvements and fixes into Agile projects and processes. Metrics falling short of expectations must be diagnosed and their root causes found, and fixes need to be communicated and injected back into the larger organization.

    Define

    Define metrics and set targets that align with the goals of the ACE. These metrics represent the ACEs expected value to the organization and must be measured against on a regular basis to demonstrate value to your key stakeholders.

    Beware the common risks of implementing your ACE

    Culture clash between Agile teams and larger organization

    Agile leverages empowered teams, meritocracy, and broad collaboration for success, but typical organizations are siloed and hierarchical with top down decision making. There needs to be a plan to enable a smooth transition from the current state towards the Agile target state.

    Persistence of tribal knowledge

    Agile relies on easy and open knowledge sharing, but organizational knowledge can sit in siloes. Employees may also try to protect their expertise for job security. It is important to foster knowledge sharing to ensure that critical know-how is accessible and doesn’t leave the organization with the individual.

    Rigid management structures

    Rigidity in how managers operate (performance reviews, human resource management, etc.) can result in cultural rejection of Agile. People need to be assessed on how they enable their teams rather than as individual contributors. This can help ensure that they are given sufficient opportunities to succeed. More support and less strict governance is key.

    Breakdown due to distributed teams

    When face-to-face interactions are challenging, ensure that you invest in the right communication technologies and remove cultural and process impediments to facilitate organization-wide collaboration. Alternative approaches like using documentation or email will not provide the same experience and value as a face-to-face conversation.

    The State of Maine used an ACE to foster positive cultural change

    CASE STUDY

    Industry - Government

    Source - Cathy Novak, Agile Government Leadership

    The State of Maine’s Agile Center of Excellence

    “The Agile CoE in the State of Maine is completely focused on the discipline of the methodology. Every person who works with Agile, or wants to work with Agile, belongs to the CoE. Every member of the CoE tells the same story, approaches the methodology the same way, and uses the same tools. The CoE also functions as an Agile research lab, experimenting with different standards and tools.

    The usual tools of project management – mission, goals, roles, and a high-level definition of done – can be found in Maine’s Agile CoE. For story mapping, teams use sticky notes on a large wall or whiteboard. Demonstrating progress this way provides for positive team dynamics and a psychological bang. The State of Maine uses a project management framework that serves as its single source of truth. Everyone knows what’s going on at all times and understands the purpose of what they are doing. The Agile team is continually looking for components that can be reused across other agencies and programs.”

    Results:

    • Realized positive culture change, leading to more collaborative and supportive teams.
    • Increased visibility of Agile benefits across functional groups.
    • Standardized methodology across Agile teams and increased innovation and experimentation with new standards and tools.
    • Improved traceability of projects.
    • Increased visibility and ability to determine root causes of problems and right the course when outcomes are not meeting expectations.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Spread Best Practices With an Agile Center of Excellence – project overview

    1. Strategically align the Center of Excellence 2. Standardize the CoEs service offerings 3. Operate the Center of Excellence
    Best-Practice Toolkit

    1.1 Determine the vision of your ACE.

    1.2 Define the service offerings of your ACE.

    2.1 Define an adoption plan for your Agile teams.

    2.2 Create an ACE engagement plan.

    2.3 Define metrics to measure success.

    3.1 Optimize the success of your ACE.

    3.2 Plan change to enhance your Agile initiatives.

    3.3 Conduct ongoing retrospectives of your ACE.

    Guided Implementations
    • Align your ACE with the business.
    • Align your ACE with its users.
    • Dissect the key attributes of Agile adoption.
    • Form engagement plans for your Agile teams.
    • Discuss effective ACE metrics.
    • Conduct a baseline assessment of your Agile environment.
    • Interface ACE with your change management function.
    • Build a communications deck for key stakeholders.
    Onsite Workshop Module 1: Strategically align the ACE Module 2: Standardize the offerings of the ACE Module 3: Prepare for organizational change
    Phase 1 Outcome: Create strategic alignment between the CoE and organizational goals.

    Phase 2 Outcome: Build engagement plans and key performance indicators based on a standardized Agile adoption plan.

    Phase 3 Outcome: Operate the CoEs monitoring function, identify improvements, and manage the change needed to continuously improve.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Module 1 Workshop Module 2 Workshop Module 3 Workshop Module 4
    Activities

    Determine vision of CoE

    1.1 Identify and prioritize organizational business objectives.

    1.2 Form use cases for the points of alignment between your ACE and business objectives.

    1.3 Prioritize your ACE stakeholders.

    Define service offerings of CoE

    2.1 Form a solution matrix to organize your pain points and opportunities.

    2.2 Refine your use cases to identify your ACE functions and services.

    2.3 Visualize your ACE functions and service offerings with a capability map.

    Define engagement plans

    3.1 Further categorize your use cases within the Agile adoption model.

    3.2 Create an engagement plan for each level of adoption.

    Define metrics and plan communications

    4.1 Define metrics that align with your Agile business objectives.

    4.2 Define target ACE performance metrics.

    4.3 Define Agile adoption metrics.

    4.4 Assess the interaction and communication points of your Agile team.

    4.5 Create a communication plan for change.

    Deliverables
    1. Prioritized business objectives
    2. Business-aligned use cases to form CoEs service offerings
    3. Prioritized list of stakeholders
    1. Classified pains and opportunities
    2. Refined use cases based on pains and opportunities identified during ACE requirements gathering
    3. ACE capability map
    1. Adoption-aligned service offerings
    2. Role-specific engagement plans
    1. Business objective-aligned metrics
    2. ACE performance metrics
    3. Agile adoption metrics
    4. Assessment of organization design
    5. ACE Communication Plan

    Phase 1

    Strategically Align the Center of Excellence

    Spread Best Practices With an Agile Center of Excellence

    Begin by strategically aligning your Center of Excellence

    The first step to creating a high-functioning ACE is to create alignment and consensus amongst your key stakeholders regarding its purpose. Engage in a set of activities to drill down into the organization’s goals and objectives in order to create a set of high-level use cases that will evolve into the service offerings of the ACE.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Strategically align the ACE

    Proposed Time to Completion (in weeks): 1

    Step 1.1: Determine the vision of your ACE

    Start with an analyst kick off call:

    • Align your ACE with the business.

    Then complete these activities…

    1.1.1 Optional: Baseline your ACE maturity.

    1.1.2 Identify and prioritize organizational business objectives.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives.

    1.1.4 Prioritize your ACE stakeholders.

    1.1.5 Select a centralized or decentralized model for your ACE.

    1.1.6 Staff your ACE strategically.

    Step 1.2: Define the service offerings of your ACE

    Start with an analyst kick off call:

    • Align your ACE with its users.

    Then complete these activities…

    1.2.1 Form the Center of Excellence.

    1.2.2 Gather and document your existing Agile practices for the CoE.

    1.2.3 Interview stakeholders to align ACE requirements with functional expectations.

    1.2.4 Form a solution matrix to organize your pain points and opportunities.

    1.2.5 Refine your use cases to identify your ACE functions and services.

    1.2.6 Visualize your ACE functions and service offerings with a capability map.

    Phase 1 Results & Insights:

    • Aligning your ACE with the functional expectations of its users is just as critical as aligning with the business. Invest the time to understand how the ACE fits at all levels of the organization to ensure its highest effectiveness.

    Phase 1, Step 1: Determine the vision of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    1.1.1 Optional: Baseline your ACE maturity.

    1.1.2 Identify and prioritize organizational business objectives.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives.

    1.1.4 Prioritize your ACE stakeholders.

    1.1.5 Select a centralized or decentralized model for your ACE.

    1.1.6 Staff your ACE strategically.

    Outcomes:

    • Gather your leadership to position the ACE and align it with business priorities.
    • Form a set of high-level use cases for services that will support the enablement of business priorities.
    • Map the stakeholders of the ACE to visualize expected influence and current support levels for your initiative.

    What does an ACE do? Six main functions derived from Info-Tech’s CLAIM+G Framework

    1. Learning
    • Provide training and development and enable engagement based on identified interaction points to foster organizational growth.
  • Tooling
    • Promote the use of standardized tooling to improve efficiency and consistency throughout the organization.
  • Supporting
    • Enable your Agile teams to access subject-matter expertise by facilitating knowledge transfer and documenting good practices.
  • Governing
    • Create operational boundaries for Agile teams, and monitor their progress and ability to meet business objectives within these boundaries.
  • Monitoring
    • Demonstrate the value the CoE is providing through effective metric setting and ongoing monitoring of Agile’s effectiveness.
  • Guiding
    • Provide guidance, methodology, and knowledge for teams to leverage to effectively meet organizational business objectives.
  • OPTIONAL: If you have an existing ACE, use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    1.1.1 Existing CoE Maturity Assessment

    Purpose

    If you already have established an ACE, use Info-Tech’s CoE Maturity Diagnostic Tool to baseline its current maturity level (this will act as a baseline for comparison after you complete this Blueprint). Assessing your ACEs maturity lets you know where you currently are, and where to look for improvements.

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your current Maturity score.
    3. Document the results in the ACE Communications Deck.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    The image is a screen capture of the CoE Maturity Diagnostic Tool

    Download the CoE Maturity Diagnostic Tool.

    Get your Agile leadership together and position the ACE

    Stakeholder Role Why they are essential players
    CIO/ Head of IT Program sponsor: Champion and set the tone for the Agile program. Critical in gaining and maintaining buy-in and momentum for the spread of Agile service offerings. The head of IT has insight and influence to drive buy-in from executive stakeholders and ensure the long-term viability of the ACE.
    Applications Director Program executor: Responsible for the formation of the CoE and will ensure the viability of the initial CoE objectives, use cases, and service offerings. Having a coordinator who is responsible for collating performance data, tracking results, and building data-driven action plans is essential to ensuring continuous success.
    Agile Subject-Matter Experts Program contributor: Provide information on the viability of Agile practices and help build capabilities on existing best practices. Agile’s success relies on adoption. Leverage the insights of people who have implemented and evangelized Agile within your organization to build on top of a working foundation.
    Functional Group Experts Program contributor: Provide information on the functional group’s typical processes and how Agile can achieve expected benefits. Agile’s primary function is to drive value to the business – it needs to align with the expected capabilities of existing functional groups in order to enhance them for the better.

    Align your ACE with your organization’s strategy

    This research set will assist you with aligning your ACEs services to the objectives of the business in order to justify the resources and funding required by your Agile program.

    Business Objectives → Alignment ←ACE Functions

    Business justification to continue to fund a Center of Excellence can be a challenge, especially with traditional thinking and rigid stakeholders. Hit the ground running and show value to your key influencers through business alignment and metrics that will ensure that the ACE is worth continuous investment.

    Alignment leads to competitive advantage

    The pace of change in customer expectations, competitive landscapes, and business strategy is continuously increasing. It is critical to develop a method to facilitate ongoing alignment to shifting business and development expectations seamlessly and ensure that your Agile teams are able to deliver expected business value.

    Activity: Identify and prioritize organizational business objectives

    1.1.2 2 Hours

    Input

    • Organizational business objectives

    Output

    • Prioritized business objectives

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. List the primary high-level business objectives that your organization aims to achieve over the course of the following year (focusing on those that ACE can impact/support).
    2. Prioritize these business objectives while considering the following:
    • Criticality of completion: How critical is the initiative in enabling the business to achieve its goals?
    • Transformational impact: To what degree is the foundational structure of the business affected by the initiative (rationale: Agile can support impact on transformational issues)?
  • Document the hypothesized role of Agile in supporting these business objectives. Take the top three prioritized objectives forward for the establishment of your ACE. While in future years or iterations you can inject more offerings, it is important to target your service offerings to specific critical business objectives to gain buy-in for long-term viability of the CoE.
  • Sample Business Objectives:

    • Increase customer satisfaction.
    • Reduce time-to-market of product releases.
    • Foster a strong organizational culture.
    • Innovate new feature sets to differentiate product. Increase utilization rates of services.
    • Reduce product delivery costs.
    • Effectively integrate teams from a merger.
    • Offer more training programs for personal development.
    • Undergo a digital transformation.

    Understand potential hurdles when attempting to align with business objectives

    While there is tremendous pressure to align IT functions and the business due to the accelerating pace of change and technology innovation, you need to be aware that there are limitations in achieving this goal. Keep these challenges at the top of mind as you bring together your stakeholders to position the service offerings of your ACE. It is beneficial to make your stakeholders self-aware of these biases as well, so they come to the table with an open mind and are willing to find common ground.

    The search for total alignment

    There are a plethora of moving pieces within an organization and total alignment is not a plausible outcome.

    The aim of a group should not be to achieve total alignment, but rather reframe and consider ways to ensure that stakeholders are content with the ways they interact and that misalignment does not occur due to transparency or communication issues.

    “The business” implies unity

    While it may seem like the business is one unified body, the reality is that the business can include individuals or groups (CEO, CFO, IT, etc.) with conflicting priorities. While there are shared business goals, these entities may all have competing visions of how to achieve them. Alignment means compromise and agreement more than it means accommodating all competing views.

    Cost vs. reputation

    There is a political component to alignment, and sometimes individual aspirations can impede collective gain.

    While the business side may be concerned with cost, those on the IT side of things can be concerned with taking on career-defining projects to bolster their own credentials. This conflict can lead to serious breakdowns in alignment.

    Panera Bread used Agile to adapt to changing business needs

    CASE STUDY

    Industry Food Services

    Source Scott Ambler and Associates, Case Study

    Challenge

    Being in an industry with high competition, Panera Bread needed to improve its ability to quickly deliver desired features to end customers and adapt to changing business demands from high internal growth.

    Solution

    Panera Bread engaged in an Agile transformation through a mixture of Agile coaching and workshops, absorbing best practices from these engagements to drive Agile delivery frameworks across the enterprise.

    Results

    Adopting Agile delivery practices resulted in increased frequency of solution delivery, improving the relationship between IT and the business. Business satisfaction increased both with the development process and the outcomes from delivery.

    The transparency that was needed to achieve alignment to rapidly changing business needs resulted in improved communication and broad-scale reduced risk for the organization.

    "Agile delivery changed perception entirely by building a level of transparency and accountability into not just our software development projects, but also in our everyday working relationships with our business stakeholders. The credibility gains this has provided our IT team has been immeasurable and immediate."

    – Mike Nettles, VP IT Process and Architecture, Panera Bread

    Use Info-Tech’s CoE Operating Model to define the service offerings of your ACE

    Understand where your inputs and outputs lie to create an accessible set of service offerings for your Agile teams.

    Functional Input

    • Application Development
    • Project Management
    • CIO
    • Enterprise Architecture
    • Data Management
    • Security
    • Infrastructure & Operations
    • Who else?

    The image shows a graphic of the COE Operating Model, showing the inputs and outputs, including Other CoEs (at top); Stakeholder Needs (at left); Metrics and Feedback (at bottom); and ACE Functions and Services (at right)

    Input arrows represent functional group needs, feedback from Agile teams, and collaboration with other CoEs and CoPs

    Output arrows represent the services the CoE delivers and the benefits realized across the organization.

    ACE Operating Model: Governance & Metrics

    Governance & Metrics involves enabling success through the management of the ACEs resources and services, and ensuring that organizational structures evolve in concert with Agile growth and maturity. Your focus should be on governing, measuring, implementing, and empowering improvements.

    Effective governance will function to ensure the long-term effectiveness and viability of your ACE. Changes and improvements will happen continuously and you need a way to decide which to adopt as best practices.

    "Organizations have lengthy policies and procedures (e.g. code deployment, systems design, how requirements are gathered in a traditional setting) that need to be addressed when starting to implement an Agile Center of Excellence. Legacy ideas that end up having legacy policy are the ones that are going to create bottlenecks, waste resources, and disrupt your progress." – Doug Birgfeld, Senior Partner, Agile Wave

    Governance & Metrics

    • Manage organizational Agile standards, policies, and procedures.
    • Define organizational boundaries based on regulatory, compliance, and cultural requirements.
    • Ensure ongoing alignment of service offerings with business objectives.
    • Adapt organizational change management policies to reflect Agile practices.
    • CoE governance functions include:
      • Policy Management
      • Change Management
      • Risk Management
      • Stakeholder Management
      • Metrics/Feedback Monitoring

    ACE Operating Model: Services

    Services refers to the ability to deliver resourcing, guidance, and assistance across all Agile teams. By creating a set of shared services, you enable broad access to specialized resources, knowledge, and insights that will effectively scale to more teams and departments as Agile matures in your organization.

    A Services model:

    • Supports the organization by standardizing and centralizing service offerings, ensuring consistency of service delivery and accessibility across functional groups.
    • Provides a mechanism for efficient knowledge transfer and on-demand support.
    • Helps to drive productivity and project efficiencies through the organization by disseminating best practices.

    Services

    • Provide reference, support, and re-assurance to implement and adapt organizational best practices.
    • Interface relevant parties and facilitate knowledge transfer through shared learning and communities of practice.
    • Enable agreed-upon service levels through standardized support structures.
    • Shared services functions include:
      • Engagement Planning
      • Knowledge Management
      • Subject-Matter Expertise
      • Agile Team Evaluation

    ACE Operating Model: Technology

    Technology refers to a broad range of supporting tools to enable employees to complete their day-to-day tasks and effectively report on their outcomes. The key to technological support is to strike the right balance between flexibility and control based on your organization's internal and external constraints (policy, equipment, people, regulatory, etc.).

    "We sometimes forget the obvious truth that technology provides no value of its own; it is the application of technology to business opportunities that produces return on investment." – Robert McDowell, Author, In Search of Business Value

    Technology

    • Provide common software tools to enable alignment to organizational best practices.
    • Enable access to locally desired tools while considering organizational, technical, and scaling constraints.
    • Enable communication with a technical subject matter expert (SME).
    • Enable reporting consistency through training and maintenance of reporting mechanisms.
    • Technology functions can include:
      • Vendor Management
      • Application Support
      • Tooling Standards
      • Tooling Use Cases

    ACE Operating Model: Staff

    Staff is all about empowerment. The ACE should support and facilitate the sharing of ideas and knowledge sharing. Create processes and spaces where people are encouraged to come together, learn from, and share with each other. This setting will bring up new ideas to enhance productivity and efficiency in day-to-day activities while maintaining alignment with business objectives.

    "An Agile CoE is legitimized by its ability to create a space where people can come together, share, and learn from one another. By empowering teams to grow by themselves and then re-connect with each other you allow the creativity of your employees to flow back into the CoE." – Anonymous, Founder, Agile consultancy group

    Staff

    • Develop and provide training and day-to-day coaching that are aligned with organizational engagement and growth plans.
    • Include workflow change management to assist traditional roles with accommodating Agile practices.
    • Support the facilitation of knowledge transfer from localized Agile teams into other areas of the organization.
    • Achieve team buy-in and engagement with ACE services and capabilities. Provide a forum for collaboration and innovation.
    • People functions can include:
      • Onboarding
      • Coaching
      • Learning Facilitation

    Form use cases to align your ACE with business objectives

    What is a use case?

    A use case tells a story about how a system will be used to achieve a goal from the perspective of a user of that system. The people or other systems that interact with the use case are called “actors.” Use cases describe what a system must be able to do, not how it will do it.

    How does a use case play a role in building your ACE?

    Use cases are used to guide design by allowing you to highlight the intended function of a service provided by the Center of Excellence while maintaining a business focus. Jumping too quickly to a solution without fully understanding user and business needs leads to the loss of stakeholder buy-in and the Centers of Excellence rejection by teams.

    Hypothesized ACE user needs →Use Case←Business objective

    Activity: Form use cases for the points of alignment between your ACE and business objectives

    1.1.3 2 Hours

    Input

    • Prioritized business objectives
    • ACE functions

    Output

    • ACE use cases

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives and the six functions of a CoE, create high-level use cases for each point of alignment that describe how the Center of Excellence will better facilitate the realization of that business objective.
    2. For each use case, define the following:
      • Name: Generalized title for the use case.
      • Description: A high-level description of the expected CoE action.
    AGILE CENTER OF EXCELLENCE FUNCTIONS:
    Guiding Learning Tooling Supporting Governing Monitoring
    BUSINESS OBJECTIVES Reduce time-to-market of product releases
    Reduce product delivery costs
    Effectively integrate teams from a merger

    Activity: Form use cases for the points of alignment between your ACE and business objectives (continued)

    1.1.3 2 Hours

    The image shows the Reduce time-to-market of product releases row from the table in the previous section, filled in with sample information.

    Your goal should be to keep these as high level and generally applicable as possible as they provide an initial framework to further develop your service offerings. Begin to talk about the ways in which the ACE can support the realization of your business objectives and what those interactions may look like to customers of the ACE.

    Involve all relevant stakeholders to discuss the organizational goals and objectives of your ACE

    Avoid the rifts in stakeholder representation by ensuring you involve the relevant parties. Without representation and buy-in from all interested parties, your ACE may omit and fail to meet long-term organizational goals.

    By ensuring every group receives representation, your service offerings will speak for the broad organization and in turn meet the needs of the organization as a whole.

    • Business Units: Any functional groups that will be expected to engage with the ACE in order to achieve their business objectives.
    • Team Leads: Representation from the internal Agile community who is aware of the backgrounds, capabilities, and environments of their respective Agile teams.
    • Executive Sponsors: Those expected to evangelize and set the tone and direction for the ACE within the executive ranks of the organization. These roles are critical in gaining buy-in and maintaining momentum for ACE initiatives.

    Organization

    • ACE
      • Executive Sponsors
      • Team Leads
      • Business Units

    Activity: Prioritize your ACE stakeholders

    1.1.4 1 Hour

    Input

    • Prioritized business objectives

    Output

    • Prioritized list of stakeholders

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives, brainstorm, as a group, the potential list of stakeholders (representatives from business units, team leads, and executive sponsors) that would need to be involved in setting the tone and direction of your ACE.
    2. Evaluate each stakeholder in terms of power, involvement, impact, and support.
    • Power: How much influence does the stakeholder have? Enough to drive the CoE forward or into the ground?
    • Involvement: How interested is the stakeholder? How involved is the stakeholder in the project already?
    • Impact: To what degree will the stakeholder be impacted? Will this significantly change how they do their job?
    • Support: Is the stakeholder a supporter of the project? Neutral? A resister?
  • Map each stakeholder to an area on the power map on the next slide based on his or her level of power and involvement.
  • Vary the size of the circle to distinguish stakeholders that are highly impacted by the ACE from those who are not. Color each circle to show each stakeholder’s estimated or gauged level of support for the project.
  • Prioritize your ACE stakeholders (continued)

    1.1.4 1 Hour

    The image shows a matrix on the left, and a legend on the right. The matrix is labelled with Involvement at the bottom, and Power on the left side, and has the upper left quadrant labelled Keep Satisfied, the upper right quadrant labelled Key players, the lower right quadrant labelled Keep informed, and the lower left quadrant labelled Minimal effort.

    Should your ACE be Centralized or Decentralized?

    An ACE can be organized differently depending on your organization’s specific needs and culture.

    The SAFe Model:©

    “For smaller enterprises, a single centralized [ACE] can balance speed with economies of scale. However, in larger enterprises—typically those with more than 500 – 1,000 practitioners—it’s useful to consider employing either a decentralized model or a hub-and-spoke model.”

    The image shows 3 models: centralized, represented by a single large circle; decentralized, represented by 5 smaller circles; and hub-and-spoke, represented by a central circle, connected to 5 surrounding circles.

    © Scaled Agile, Inc.

    The Spotify Model:

    Spotify avoids using an ACE and instead spreads agile practices using Squads, Tribes, Chapters, Guilds, etc.

    It can be a challenging model to adopt because it is constantly changing, and must be fundamentally supported by your organization’s culture. (Linders, Ben. “Don't Copy the Spotify Model.” InfoQ.com. 6 Oct. 2016.)

    Detailed analysis of The Spotify Model is out of scope for this Blueprint.

    The image shows the Spotify model, with two sections, each labelled Tribe, and members from within each Tribe gathered together in a section labelled Guild.

    Activity: Select a Centralized or Decentralized ACE Model

    1.1.5 30 minutes

    Input

    • Prioritized business objectives
    • Use Cases
    • Organization qualities

    Output

    • Centralized or decentralized ACE model

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Using your prioritized business objectives, your ACE use cases, your organization size, structure, and culture, brainstorm the relative pros and cons of a centralized vs decentralized ACE model.
    2. Consider this: to improve understanding and acceptance, ask participants who prefer a centralized model to brainstorm the pros and cons of a decentralized model, and vice-versa.
    3. Collectively decide whether your ACE should be centralized, decentralized or hub-and-spoke and document it.
    Centralized ACE Decentralized ACE
    Pros Cons Pros Cons
    Centralize Vs De-centralize Considerations Prioritized Business Objectives
    • Neutral (objectives don’t favor either model)
    • Neutral (objectives don’t favor either model)
    ACE Use Cases
    • Neutral (use cases don’t favor either model)
    • Neutral (use cases don’t favor either model)
    Organization Size
    • Org. is small enough for centralized ACE
    • Overkill for a small org. like ours
    Organization Structure
    • All development done in one location
    • Not all locations do development
    Organization Culture
    • All development done in one location
    • Decentralized ACE may have yield more buy-in

    SELECTED MODEL: Centralized ACE

    Activity: Staff your ACE strategically

    1.1.6 1 Hour

    Input

    • List of potential ACE staff

    Output

    • Rated list of ACE staff

    Materials

    • Whiteboard
    • Markers

    Participants

    • Agile leadership group
    1. Identify your list of potential ACE staff (this may be a combination of full time and contract staff).
    2. Add/modify/delete the rating criteria to meet your specific needs.
    3. Discuss and adjust the relative weightings of the rating criteria to best suit your organization’s needs.
    4. Rate each potential staff member and compare results to determine the best suited staff for your ACE.
    Candidate: Jane Doe
    Rating Criteria Criteria Weighting Candidate's Score (1-5)
    Candidate has strong theoretical knowledge of Agile. 8% 4
    Candidate has strong hands on experience with Agile. 18% 5
    Candidate has strong hands on experience with Agile. 10% 4
    Candidate is highly respected by the Agile teams. 18% 5
    Candidate is seen as a thought leader in the organization. 18% 5
    Candidate is seen as a change agent in the organization. 18% 5
    Candidate has strong desire to be member of ACE staff. 10% 3
    Total Weighted Score 4.6

    Phase 1, Step 2: Define the service offerings of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    1.2.1 Form the Center of Excellence.

    1.2.2 Gather and document your existing Agile practices for the CoE.

    1.2.3 Interview stakeholders to align ACE requirements with functional expectations.

    1.2.4 Form a solution matrix to organize your pain points and opportunities.

    1.2.5 Refine your use cases to identify your ACE functions and services.

    1.2.6 Visualize your ACE functions and service offerings with a capability map.

    Outcomes:

    • Collect data regarding the functional expectations of the Agile teams.
    • Refine your business-aligned use cases with your collected data to achieve both business and functional alignment.
    • Create a capability map that visualizes and prioritizes your key service offerings.

    Structure your ACE with representation from all of your key stakeholders

    Now that you have a prioritized list of stakeholders, use their influence to position the ACE to ensure maximum representation with minimal bottlenecks.

    By operating within a group of your key players, you can legitimize your Center of Excellence by propagating the needs and interests of those who interface and evangelize the CoE within the larger organization.

    The group of key stakeholders will extend the business alignment you achieved earlier by refining your service offerings to meet the needs of the ACEs customers. Multiple representations at the table will generate a wide arrangement of valuable insights and perspectives.

    Info-Tech Insight

    While holistic representation is necessary, ensure that the list is not too comprehensive and will not lead to progress roadblocks. The goal is to ensure that all factors relevant to the organization are represented; too many conflicting opinions may create an obstruction moving forward.

    ACE

    • Executive Sponsors
    • Team Leads
    • Business Units

    Determine how you will fund your ACE

    Choose the ACE funding model which is most aligned to your current system based on the scenarios provided below. Both models will offer the necessary support to ensure the success of your Agile program going forward.

    Funding Model Funding Scenario I Funding Scenario II
    Funded by the CIO Funded by the CIO office and a stated item within the general IT budget. Charged back to supported functional groups with all costs allocated to each functional group’s budget.
    Funded by the PMO Charged back to supported functional groups with all costs allocated to each functional group’s budget. Charged back to supported functional groups with all costs allocated to each functional group’s budget.

    Info-Tech Insight

    Your funding model may add additional key influencers into the mix. After you choose your funding model, ensure that you review your stakeholder map and add anyone who will have a direct impact in the viability and stability of your ACE.

    Determine how you will govern your ACE

    An Agile Center of Excellence is unique in the way you must govern the actions of its customers. Enable “flexible governance” to ensure that Agile teams have the ability to locally optimize and innovate while still operating within expected boundaries.

    ACE Governing Body

    ↑ Agile Team → ACE ← Agile Team ↑

    Who should take on the governance role?

    The governing body can be the existing executive or standing committees, or a newly formed committee involving your key ACE influencers and stakeholders.

    Flexible governance means that your ACE set boundaries based on your cultural, regulatory, and compliance requirements, and your governance group monitors your Agile teams’ adherence to these boundaries.

    Governing Body Responsibilities

    • Review and approve ACE strategy annually and ensure that it is aligned with current business strategy.
    • Provide detailed quality information for board members.
    • Ensure that the ACE is adequately resourced and that the organization has the capacity to deliver the service offerings.
    • Assure that the ACE is delivering benefits and achieving targets.
    • Assure that the record keeping and reporting systems are capable of providing the information needed to properly assess the quality of service.

    Modify your resourcing strategy based on organizational need

    Your Agile Center of Excellence can be organized either in a dedicated or a virtual configuration, depending on your company’s organizational structure and complexity.

    There is no right answer to how your Center of Excellence should be resourced. Consider your existing organizational structure and culture, the quality of relationships between functional groups, and the typical budgetary factors that would weigh on choosing between a virtual and dedicated CoE structure.

    COE Advantages Disadvantages
    Virtual
    • No change in organization structure required, just additional task delegation to your Agile manager or program manager.
    • Less effort and cost to implement.
    • Investment in quality is proportional to return.
    • Resources are shared between practice areas, and initiatives will take longer to implement.
    • Development and enhancement of best practices can become difficult without a centralized knowledge repository.
    Dedicated
    • Demonstrates a commitment to the ACEs long-term existence.
    • Allows for dedicated maintenance of best practices.
    • Clear lines of accountability for Agile processes.
    • Ability to develop highly skilled employees as their responsibilities are not shared.
    • Requires dedicated resources that can in turn be more costly.
    • Requires strong relationships with the functional groups that interface with the ACE.

    Staffing the ACE: Understand virtual versus dedicated ACE organizational models

    Virtual CoE

    The image shows an organizational chart titled Virtual CoE, with Head of IT at the top, then PMO and CoE Lead/Apps Director at the next level. The chart shows that there is crossover between the CoE Lead's reports, and the PMO's, indicated through dotted lines that connect them.

    • Responsibilities for CoE are split and distributed throughout departments on a part-time basis.
    • CoE members from the PMO report to apps director who also functions as the CoE lead on a part-time basis.

    The image shows a organizational chart titled Dedicated CoE, with all CoE members under the CoE.

    • Requires re-organization and dedicated full-time staff to run the CoE with clear lines of responsibility and accountability.
    • Hiring or developing highly skilled employees who have a sole function to facilitate and monitor quality best practices within the IT department may be necessary.

    Activity: Form the Center of Excellence

    1.2.1 1 Hour

    Input

    • N/A

    Output

    • ACE governance and resourcing plan

    Materials

    • Whiteboard

    Participants

    • Agile leadership group
    1. As a group, discuss if there is an existing body that would be able to govern the Center of Excellence. This body will monitor progress on an ongoing basis and assess any change requests that would impact the CoEs operation or goals.
    • List current governing bodies that are closely aligned with your current Agile environment and determine if the group could take on additional responsibilities.
    • Alternatively, identify individuals who could form a new ACE governing body.
  • Using the results of Exercise 1.1.6 in Step 1, select the individuals who will participate in the Center of Excellence. As a rough rule of thumb for sizing, an ACE staffed with 3-5 people can support 8-12 Agile Teams.
  • Document results in the ACE Communications Deck.

    Leverage your existing Agile practices and SMEs when establishing the ACE

    The synergy between Agile and CoE relies on its ability to build on existing best practices. Agile cannot grow without a solid foundation. ACE gives you the way to disseminate these practices and facilitate knowledge transfer from a centralized sharing environment. As part of defining your service offerings, engage with stakeholders across the organization to evaluate what is already documented so that it can be accommodated in the ACE.

    Documentation

    • Are there any existing templates that can be leveraged (e.g. resource planning, sprint planning)?
    • Are there any existing process documents that can be leveraged (e.g. SIPOC, program frameworks)?
    • Are there any existing standards documents the CoE can incorporate (e.g. policies, procedures, guidelines)?

    SMEs

    • Interview existing subject-matter experts that can give you an idea of your current pains and opportunities.
    • You already have feedback from those in your workshop group, so think about the rest of the organization:
      • Agile practitioners
      • Business stakeholders
      • Operations
      • Any other parties not represented in the workshop group

    Metrics

    • What are the current metrics being used to measure the success of Agile teams?
    • What metrics are currently being used to measure the completion of business objectives?
    • What tools or mediums are currently used for recording and communicating metrics?

    Info-Tech Insight

    When considering existing practices, it is important to evaluate the level of adherence to these practices. If they have been efficiently utilized, injecting them into ACE becomes an obvious decision. If they have been underutilized, however, it is important to understand why this occurred and discuss how you can drive higher adherence.

    Examples of existing documents to leverage

    People

    • Agile onboarding planning documents
    • Agile training documents
    • Organizational Agile manifesto
    • Team performance metrics dashboard
    • Stakeholder engagement and communication plan
    • Development team engagement plan
    • Organizational design and structure
    • Roles and responsibilities chart (i.e. RACI)
    • Compensation plan Resourcing plan

    Process

    • Tailored Scrum process
    • Requirements gathering process
    • Quality stage-gate checklist (including definitions of ready and done)
    • Business requirements document
    • Use case document
    • Business process diagrams
    • Entity relationship diagrams
    • Data flow diagrams
    • Solution or system architecture
    • Application documentation for deployment
    • Organizational and user change management plan
    • Disaster recovery and rollback process
    • Test case templates

    Technology

    • Code review policies and procedures
    • Systems design policies
    • Build, test, deploy, and rollback scripts
    • Coding guidelines
    • Data governance and management policies
    • Data definition and glossary
    • Request for proposals (RFPs)
    • Development tool standards and licensing agreements
    • Permission to development, testing, staging, and production environments
    • Application, system, and data integration policies

    Build upon the lessons learned from your Agile pilots

    The success of your Center of Excellence relies on the ability to build sound best practices within your organization’s context. Use your previous lessons learned and growing pains as shared knowledge of past Agile implementations within the ACE.

    Implement Agile Practices That Work

    Draw on the experiences of your initial pilot where you learned how to adapt the Agile manifesto and practices to your specific context. These lessons will help onboard new teams to Agile since they will likely experience some of the same challenges.

    Download

    Documents for review include:

    • Tailored Scrum Process
    • Agile Pilot Metrics
    • Info-Tech’s Agile Pilot Playbook

    Enable Organization-Wide Collaboration by Scaling Agile

    Draw on previous scaling Agile experiences to help understand how to interface, facilitate, and orchestrate cross-functional teams and stakeholders for large and complex projects. These lessons will help your ACE teams develop collaboration and problem-solving techniques involving roles with different priorities and lines of thinking.

    Download

    Documents for review include:

    • Agile Program Framework
    • Agile Pilot Program Metrics
    • Scaled Agile Development Process
    • Info-Tech’s Scaling Agile Playbook

    Activity: Gather and document your existing Agile practices for the CoE

    1.2.2 Variable time commitment based on current documentation state

    Input

    • Existing practices

    Output

    • Practices categorized within operating model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Compile a list of existing practices that will be shared by the Center of Excellence. Consider any documents, templates, or tools that are used regularly by Agile teams.
    2. Evaluate the level of adherence to use of the practices (whether the practice is complied with regularly or not) with a high, medium, or low. Low compliance will need a root-cause analysis to understand why and how to remedy the situation.
    3. Determine the best fit for each practice under the ACE operational model.
    Name Type Adherence Level CoE Best Fit Source
    1 Tailored Scrum process Process High Shared Services Internal Wiki
    2
    3

    Activity: Interview stakeholders to understand the ACE functional expectations

    1.2.3 30-60 Minutes per interview

    Interview Stakeholders (from both Agile teams and functional areas) on their needs from the ACE. Ensure you capture both pain points and opportunities. Capture these as either Common Agile needs or Functional needs. Document using the tables below:

    Common Agile Needs
    Common Agile Needs
    • Each Agile Team interprets Agile differently
    • Need common approach to Agile with a proven track record within the organization
    • Making sure all Team members have a good understanding of Agile
    • Common set of tool(s) with a proven track record, along with a strong understanding of how to use the tool(s) efficiently and effectively
    • Help troubleshooting process related questions
    • Assistance with addressing the individual short comings of each Agile Team
    • Determining what sort of help each Agile Team needs most
    • Better understanding of the role played by Scrum Master and associated good practices
    • When and how do security/privacy/regulatory requirements get incorporated into Agile projects
    Functional Needs Ent Arch Needs
    • How do we ensure Ent Arch has insight and influence on Agile software design
    • Better understanding of Agile process
    • How to measure compliance with reference architectures

    PMO Needs

    • Better understanding of Agile process
    • Understanding role of PM in Agile
    • Project status reports that determine current level of project risk
    • How does project governance apply on Agile projects
    • What deliverables/artifacts are produced by Agile projects and when are they completed

    Operations Needs

    • Alignment on approaches for doing releases
    • Impact of Agile on change management and support desk processes
    • How and when will installation and operation instructions be available in Agile

    Activity: Form a solution matrix to organize your pain points and opportunities

    1.2.4 Half day

    Input

    • Identified requirements

    Output

    • Classified pains and opportunities

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Review the listed pain points from the data gathering process. Sort the pain points on sticky notes into technology, governance, people, and shared services.
    2. Consider opportunities under each defining element based on the identified business requirements.
    3. Document your findings.
    4. Discuss the results with the project team and prioritize the opportunities.
      • Where do the most pains occur?
      • What opportunities exist to alleviate pains?
    Governance Shared Services Technology People
    Pain Points
    Opportunities

    Document results in the ACE Communications Deck.

    Activity: Refine your use cases to identify your ACE functions and services

    1.2.5 1 Hour

    Input

    • Use cases from activity 1.1.2

    Output

    • Refined use cases based on data collection

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Refine your initial use cases for the points of alignment between your ACE and business objectives using your classified pain points and opportunities.
    2. Add use cases to address newly realized pain points.
    3. Determine the functions and services the CoE can offer to address the identified requirements.
    4. Evaluate the outputs in the form of realized benefits and extracted inefficiencies.

    Possible ACE use cases:

    • Policy Management
    • Change Management
    • Risk Management
    • Stakeholder Management
    • Engagement Planning
    • Knowledge Management
    • Subject-Matter Expertise
    • Agile Team Evaluation
    • Operations Support
    • Onboarding
    • Coaching
    • Learning Facilitation
    • Communications Training
    • Vendor Management
    • Application Support
    • Tooling Standards

    Document results in the ACE Communications Deck.

    Activity: Visualize your ACE functions and service offerings with a capability map

    1.2.6 1 Hour

    Input

    • Use cases from activity 1.2.4

    Output

    • ACE capability map

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE team
    1. Review the refined and categorized list of service offerings.
    2. Determine how these new capabilities will add, remove, or enhance your existing service and capabilities.
    3. Categorize the capabilities into the following groups:
    • Governance and Metrics
    • Services
    • Staff
    • Technology
  • Label the estimated impact of the service offering based on your business priorities for the year. This will guide your strategy for implementing your Agile Center of Excellence moving forward.
  • Document results in the ACE Communications Deck.

    Activity: Visualize your ACE functions and service offerings with a capability map (continued)

    Governance

    Policy Management (Medium Potential)

    Change Management (High Potential)

    Risk Management (High Potential)

    Stakeholder Management (High Potential)

    Metrics/Feedback Monitoring (High Potential)

    Shared Services

    Engagement Planning (High Potential)

    Knowledge Management (High Potential)

    Subject-Matter Expertise (High Potential)

    Agile Team Evaluation (High Potential)

    Operations Support (High Potential)

    People

    Onboarding (Medium Potential)

    Coaching (High Potential)

    Learning Facilitation (High Potential)

    Internal Certification Program (Low Potential)

    Communications Training (Medium Potential)

    Technology

    Vendor Management (Medium Potential)

    Application Support (Low Potential)

    Tooling Standards (High Potential)

    Checkpoint: Are you ready to standardize your CoEs service offerings?

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Self-Auditing Guidelines

    • Have you identified and prioritized the key business objectives for the upcoming year that the ACE will align with?
    • Do you have a high-level set of use cases for points of alignment between your ACE and business objectives?
    • Have you mapped your stakeholders and identified the key players that will have an influence over the future success of your ACE?
    • Have you identified how your organization will fund, resource, and govern the ACE?
    • Have you collected data to understand the functional expectations of the users the ACE is intended to serve?
    • Have you refined your use cases to align with both business objectives and functional expectations?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.2 Identify and prioritize organizational business objectives

    Our analyst team will help you organize and prioritize your business objectives for the year in order to ensure that the service offerings the ACE offers are delivering consistent business value.

    1.1.3 Form use cases for the points of alignment between your ACE and business objectives

    Our analyst team will help you turn your prioritized business objectives into a set of high-level use cases that will provide the foundation for defining user-aligned services.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.1.4 Prioritize your ACE stakeholders

    Our analysts will walk you through an exercise of mapping and prioritizing your Centers of Excellence stakeholders based on impact and power within so you can ensure appropriate presentation of interests within the organization.

    1.2.4 Form a solution matrix to organize your pain points and opportunities

    Our analyst team will help you solidify the direction of your Center of Excellence by overlaying your identified needs, pain points, and potential opportunities in a matrix guided by Info-Tech’s CoE operating model.

    1.2.5 Refine your use cases to identify your ACE functions and services

    Our analyst team will help you further refine your business-aligned use cases with the functional expectations from your Agile teams and stakeholders, ensuring the ACEs long-term utility.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    1.2.6 Visualize your ACE functions and service offerings with a capability map

    Our analysts will walk you through creating your Agile Centers of Excellence capability map and help you to prioritize which service offerings are critical to the success of your Agile teams in meeting their objectives.

    Phase 2

    Standardize the Centers of Excellence Service Offerings

    Spread Best Practices With an Agile Center of Excellence

    The ACE needs to ensure consistency in service delivery

    Now that you have aligned the CoE to the business and functional expectations, you need to ensure its service offerings are consistently accessible. To effectively ensure accessibility and delegation of shared services in an efficient way, the CoE needs to have a consistent framework to deliver its services.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Standardize the CoEs Service Offerings

    Proposed Time to Completion (in weeks): 2

    Step 2.1: Define an adoption plan for your Agile teams

    Start with an analyst kick off call:

    • Dissect the key attributes of Agile adoption.

    Then complete these activities…

    2.1.1 Further categorize your use cases within the Agile adoption model.

    Step 2.2: Create an ACE engagement plan

    Start with an analyst kick off call:

    • Form engagement plans for your Agile teams.

    Then complete these activities…

    2.2.1 Create an engagement plan for each level of adoption.

    Step 2.3: Define metrics to measure success

    Finalize phase deliverable:

    • Discuss effective ACE metrics.

    Then complete these activities…

    2.3.1 Collect existing team-level metrics.

    2.3.2 Define metrics that align with your Agile business objectives.

    2.3.3 Define target ACE performance metrics.

    2.3.4 Define Agile adoption metrics.

    2.3.5 Consolidate metrics for stakeholder impact.

    2.3.6 Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value.

    Phase 2 Results & Insights:

    • Standardizing your service offerings allows you to have direct influence on the dissemination of best practices.

    Phase 2, Step 1: Define an adoption plan for your Agile teams

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.1.1 Further categorize your use cases within the Agile adoption model.

    Outcomes:

    • Refine your previously determined use cases within the Agile adoption model to ensure that teams can be assisted at any level of Agile adoption.
    • Understand the key attributes of Agile adoption and how they impact success.

    Understand the implementation challenges that the ACE may face

    Culture clash between ACE and larger organization

    It is important to carefully consider the compatibility between the current organizational culture and Agile moving forward. Agile compels empowered teams, meritocracy, and broad collaboration for success; while typical organizational structures are siloed and hierarchical and decisions are delegated from the top down.

    This is not to say that the culture of the ACE has to match the larger organizational culture; part of the overarching aim of the ACE is to evolve the current organizational culture for the better. The point is to ensure you enable a smooth transition with sufficient management support and a team of Agile champions.

    The changing role of middle management

    Very similar to the culture clash challenge, cultural rigidity in how middle managers operate (performance review, human resource management, etc.) can cause cultural rejection. They need to become enablers for high performance and give their teams the sufficient tools, skills, and opportunities to succeed and excel.

    What impedes Agile adoption?

    Based on a global survey of Agile practitioners (N=1,319)*:

    52% Organizational culture at odds with agile values

    44% Inadequate management support and sponsorship

    48% General organization resistance to change

    *Respondents were able to make multiple selections

    (13th Annual State of Agile Report, VersionOne, 2019)

    Build competency and trust through a structured Agile adoption plan

    The reality of cultural incompatibility between Agile and traditional organization structures necessitates a structured adoption plan. Systematically build competency so teams can consistently achieve project success and solidify trust in your teams’ ability to meet business needs with Agile.

    By incrementally gaining the trust of management as you build up your Agile capabilities, you enable a smooth cultural transition to an environment where teams are empowered, adapt quickly to changing needs, and are trusted to innovate and make successes out of their failures.

    Optimized value delivery occurs when there is a direct relationship between competency and trust. There will be unrealized value when competency or trust outweigh the other. That value loss increases as either dimension of adoption continues to grow faster than the other.

    The image shows a graph with Competency on the x-axis and Trust on the y-axis. There are 3 sections: Level 1, Level 2, and Level 3, in subsequently larger arches in the background of the graph. The graph shows two diagonal arrows, the bottom one labelled Current Value Delivery and the top one labelled Optimized Value Delivery. The space between the two arrows is labelled Value Loss.

    Use Info-Tech’s Practice Adoption Optimization Model to systematically increase your teams’ ability to deliver

    Using Info-Tech’s Practice adoption optimization model will ensure you incrementally build competency and trust to optimize your value delivery.

    Agile adoption at its core, is about building social capital. Your level of trust with key influencers increases as you continuously enhance your capabilities, enabling the necessary cultural changes away from traditional organizational structures.

    Trust & Competency ↓

    DEFINE

    Begin to document your development workflow or value chain, implement a tracking system for KPIs, and start gathering metrics and reporting them transparently to the appropriate stakeholders.

    ITERATE

    Use collected metrics and retrospectives to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.

    COLLABORATE

    Use information to support changes and adopt appropriate practices to make incremental improvements to the existing environment.

    EMPOWER

    Drive behavioral and cultural changes that will empower teams to be accountable for their own success and learning.

    INNOVATE

    Use your built-up trust and support practice innovation, driving the definition and adoption of new practices.

    Review these key attributes of Agile adoption

    Agile adoption is unique to every organization. Consider these key attributes within your own organizational context when thinking about levels of Agile adoption.

    Adoption Attributes

    Team Organization

    Considers the degree to which teams are able to self-organize based on internal organizational structures (hierarchy vs. meritocracy) and inter-team capabilities.

    Team Coordination

    Considers the degree to which teams can coordinate, both within and across functions.

    Business Alignment

    Considers the degree to which teams can understand and/or map to business objectives.

    Coaching

    Considers what kind of coaching/training is offered and how accessible the training is.

    Empowerment

    Considers the degree to which teams are able and capable to address project, process, and technical challenges without significant burden from process controls and bureaucracy.

    Failure Tolerance

    Considers the degree to which stakeholders are risk tolerant and if teams are capable of turning failures into learning outcomes.

    Why are these important?

    These key attributes function as qualities or characteristics that, when improved, will successively increase the degree to which the business trusts your Agile teams’ ability to meet their objectives.

    Systematically improving these attributes as you graduate levels of the adoption model allows the business to acclimatize to the increased capability the Agile team is offering, and the risk of culture clash with the larger organization decreases.

    Start to consider at what level of adoption each of your service offerings become useful. This will allow you to standardize the way your Agile teams interact with the CoE.

    Activity: Further categorize your use cases within the Agile adoption model

    2.1.1 1.5 Hours

    Input

    • List of service offerings

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. Gather the list of your categorized use cases.
    2. Based on Info-Tech’s Agile adoption model, categorize which use cases would be useful to help the Agile team graduate to the next level of adoption.
      • Conceptualize: Begin to document your workflow or value chain, implement a tracking system for KPIs, and gather metrics and report them transparently to the appropriate stakeholders.
      • Iterate: Use collected metrics to stabilize team performance by reducing areas of variability in your workflow and increasing the consistency at which targets are met.
      • Collaborate: Use information to drive changes and adopt appropriate Agile practices to make incremental improvements to the existing environment.
      • Empower: Drive behavioral and cultural changes that will empower teams to be accountable for their own successes given the appropriate resources.
      • Innovate: Use your built-up trust to begin to make calculated risks and innovate more, driving new best practices into the CoE.

    The same service offering could be offered at different levels of adoption. In these cases, you will need to re-visit the use case and differentiate how the service (if at all) will be delivered at different levels of adoption.

    1. Use this opportunity to brainstorm alternative or new use cases for any gaps identified. It is the CoEs goal to assist teams at every level of adoption to meet their business objectives. Use a different colored sticky note for these so you can re-visit and map out their inputs, outputs, metrics, etc.

    Activity: Further categorize your use cases within the Agile adoption model (continued)

    2.1.1 1.5 Hours

    Input

    • List of service offerings

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team

    Example:

    Service Offerings
    Level 5: Innovate
    Level 4: Empower
    Level 3: Collaborate Coaching -- Communications Training
    Level 2: Iterate Tooling Standards
    Level 1: Conceptualize

    Learning Facilitation

    Draw on the service offerings identified in activity 1.2.4

    Phase 2, Step 2: Create an ACE engagement plan

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.2.1 Create an engagement plan for each level of adoption.

    Outcomes:

    • Understand the importance of aligning with the functional expectations of your ACE customers.
    • Understand the relationship between engagement and continuous improvement.
    • Create an engagement plan for each level of adoption to standardize the way customers interact with the ACE.

    Enable Agile teams to interface with ACE service offerings to meet their business objectives

    A Center of Excellence aligned with your service offerings is only valuable if your CoEs customers can effectively access those services. At this stage, you have invested in ensuring that your CoE aligns to your business objectives and that your service offerings align to its customers. Now you need to ensure that these services are accessible in the day-to-day operation of your Agile teams.

    Engagement Process → Service Offering

    Use backwards induction from your delivery method to the service offering. This is an effective method to determine the optimal engagement action for the CoE, as it considers the end customer as the driver for best action for every possible situation.

    Info-Tech Insight

    Your engagement process should be largely informed by your ACE users. Teams have constraints as well as in-the-trenches concerns and issues. If your service offerings don’t account for these, it can lead to rejection of the culture you are trying to inspire.

    Show the way, do not dictate

    Do not fix problems for your Agile teams, give them the tools and knowledge to fix the problems themselves.

    Facilitate learning to drive success

    A primary function of your ACE is to transfer knowledge to Agile teams to increase their capability to achieve desired outcomes.

    While this can take the form of coaching, training sessions, libraries, and wikis, a critical component of ACE is creating interactions where individuals from Agile teams can come together and share their knowledge.

    Ideas come from different experiences. By creating communities of practice (CoP) around topics that the ACE is tasked with supporting (e.g. Agile business analysts), you foster social learning and decrease the likelihood that change will result in some sort of cultural rejection.

    Consider whether creating CoPs would be beneficial in your organization’s context.

    "Communities of practice are a practical way to frame the task of managing knowledge. They provide a concrete organizational infrastructure for realizing the dream of a learning organization." – Etienne Wenger, Digital Habitats: Stewarding technology for communities

    A lack of top-down support will result in your ACE being underutilized

    Top-down support is critical to validate the CoE to its customers and ensure they feel compelled to engage with its services. Relevancy is a real concern for the long-term viability of a CoE and championing its use from a position of authority will legitimize its function and deter its fading from relevancy of day-to-day use for Agile teams.

    Although you are aligning your engagement processes to the customers of your Agile Center of Excellence, you still need your key influencers to champion its lasting organizational relevancy. Don’t let your employees think the ACE is just a coordinating body or a committee that is convenient but non-essential – make sure they know that it drives their own personal growth and makes everyone better as a collective.

    "Even if a CoE is positioned to meet a real organizational need, without some measure of top-down support, it faces an uphill battle to remain relevant and avoid becoming simply one more committee in the eyes of the wider organization. Support from the highest levels of the organization help fight the tendency of the larger organization to view the CoE as a committee with no teeth and tip the scales toward relevancy for the CoE." – Joe Shepley, VP and Practice Lead, Doculabs

    Info-Tech Insight

    Stimulate top-down support with internal certifications. This allows your employees to gain accreditation while at the same time encouraging top-down support and creating a compliance check for the continual delivery and acknowledgement of your evolving best practices.

    Ensure that best practices and lessons learned are injected back into the ACE

    For your employees to continuously improve, so must the Center of Excellence. Ensure the ACE has the appropriate mechanisms to absorb and disseminate best practices that emerge from knowledge transfer facilitation events.

    Facilitated Learning Session →Was the localized adaption well received by others in similar roles? →Document Localized Adaptation →Is there broad applicability and benefit to the proposed innovation? →CoE Absorbs as Best Practice

    Continuous improvement starts with the CoE

    While facilitating knowledge transfer is key, it is even more important that the Center of Excellence can take localized adaptations from Agile teams and standardize them as best practices when well received. If an individual were to leave without sharing their knowledge, the CoE and the larger organization will lose that knowledge and potential innovation opportunities.

    Experience matters

    To organically grow your ACE and be cost effective, you want your teams to continuously improve and to share that knowledge. As individual team members develop and climb the adoption model, they should participate as coaches and champions for less experienced groups so that their knowledge is reaching the widest audience possible.

    Case study: Agile learning at Spotify

    CASE STUDY

    Industry Digital Media

    Source Henrik Kniberg & Anders Ivarsson, 2012

    Methods of Agile learning at Spotify

    Spotify has continuously introduced innovative techniques to facilitate learning and ensure that that knowledge gets injected back into the organization. Some examples are the following:

    • Hack days: Self-organizing teams, referred to as squads, come together, try new ideas, and share them with their co-workers. This facilitates a way to stay up to date with new tools and techniques and land new product innovations.
    • Coaching: Every squad has access to an Agile coach to help inject best practices into their workflow – coaches run retrospectives, sprint planning meetings, facilitate one-on-one coaching, etc.
    • Tribes: Collections of squads that hold regular gatherings to show the rest of the tribe what they’ve been working on so others can learn from what they are doing.
    • Chapters: People with similar skills within a tribe come together to discuss their area of expertise and their specific challenges.
    • Guilds: A wide-reaching community of interest where members from different tribes can come together to share knowledge, tools, and codes, and practice (e.g. a tester guild, an Agile coaching guild).

    The image shows the Spotify model, with two sections, each labelled Tribe, and members from within each Tribe gathered together in a section labelled Guild.

    "As an example of guild work, we recently had a ‘Web Guild Unconference,’ an open space event where all web developers at Spotify gathered up in Stockholm to discuss challenges and solutions within their field."

    Activity: Create an engagement plan for each level of adoption

    2.2.1 30 Minutes per role

    Input

    • Categorized use cases

    Output

    • Role-based engagement plans

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. On the top bar, define the role you are developing the engagement plan for. This will give you the ability to standardize service delivery across all individuals in similar roles.
    2. Import your categorized service offerings for each level of adoption that you think are applicable to the given role.
    3. Using backwards induction, determine the engagement processes that will ensure that those service offerings are accessible and fit the day-to-day operations of the role.
    4. Fill in the template available on the next slide with each role’s engagement plan.

    Document results in the ACE Communications Deck.

    Example engagement plan: Developer

    2.2.1 30 Minutes per role

    Role: Developer
    Level 1 Level 2 Level 3 Level 4 Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    3. Learning Facilitation
    1. Tooling Standards
    2. Learning Facilitation
    1. Communications Training
    2. Learning Facilitation
    1. Subject-Matter Expertise
    2. Coaching
    1. Knowledge Management
    Engagement Process
    1. Based on service request or need identified by dev. manager.
    2. Based on service request or need identified by dev. manager.
    3. Weekly mandatory community of practice meetings.
    1. When determined to have graduated to level 2, receive standard Agile tooling standards training.
    2. Weekly mandatory community of practice meetings.
    1. When determined to have graduated to level 3, receive standard Agile communications training.
    2. Weekly mandatory community of practice meetings
    1. Peer-based training on how to effectively self-organize.
    2. Based on service request or need identified by dev. manager.
    1. Review captured key learnings from last and have CoE review KPIs related to any area changed.

    Example engagement plan: Tester

    2.2.1 30 Minutes per role

    Role: Tester
    Level 1Level 2Level 3Level 4Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    1. Product Training
    2. Communications Training
    1. Communications Training
    2. Learning Facilitation
    1. Subject-Matter Expertise
    2. Coaching
    1. Tooling Standards
    2. Training
    3. Coaching
    Engagement Process
    1. Based on service request or need identified by dev. manager.
    1. Weekly mandatory community of practice meetings.
    2. Provide training on effective methods for communicating with development teams based on organizational best practices.
    1. When determined to have graduated to level 3, receive standard training based on organizational testing best practices. Weekly mandatory community of practice meetings.
    1. Peer-to-peer training with level 5 certified coach.
    2. Based on service request or need identified by dev. manager. .
    1. Periodic updates of organizational tooling standards based on community of practice results.
    2. Automation training.
    3. Provide coaching to level 1 developers on a rotating basis to develop facilitation skills.

    Example engagement plan: Product Owner

    2.2.1 30 Minutes per role

    Role: Product Owner
    Level 1 Level 2 Level 3 Level 4 Level 5
    Service Offering
    1. Onboarding
    2. Coaching
    1. Coaching
    2. Learning Facilitation
    1. Coaching
    2. Communications Training
    3. Learning Facilitation
    1. Coaching
    2. Learning Facilitation
    1. Coaching
    2. Learning Facilitation
    Engagement Process
    1. Provide onboarding materials for Agile product owners.
    2. Provide bi-weekly reviews and subsequent guidance at the end of retrospective processes.
    1. Provide monthly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings
    1. When determined to have graduated to level 3, receive standard training based on organizational testing best practices.
    2. Bi-weekly mandatory community of practice meetings.
    1. Provide monthly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings
    1. Provide quarterly reviews and subsequent guidance based on retrospective results.
    2. Bi-weekly mandatory community of practice meetings

    Phase 2, Step 3: Define metrics to measure success

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    2.3.1 Define existing team-level metrics.

    2.3.2 Define metrics that align with your Agile business objectives.

    2.3.3 Define target ACE performance metrics.

    2.3.4 Define Agile adoption metrics.

    2.3.5 Consolidate your metrics for stakeholder impact.

    2.3.6 Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value.

    Outcomes:

    • Understand the importance of aligning with the functional expectations of your ACE customers.
    • Understand the relationship between engagement and continuous improvement.
    • Create an engagement plan for each level of adoption to standardize the way customers interact with the ACE.

    Craft metrics that will measure the success of your Agile teams

    Quantify measures that demonstrate the effectiveness of your ACE by establishing distinct metrics for each of your service offerings. This will ensure that you have full transparency over the outputs of your CoE and that your service offerings maintain relevance and are utilized.

    Questions to Ask

    1. What are leading indicators of improvements that directly affect the mandate of the CoE?
    2. How do you measure process efficiency and effectiveness?

    Creating meaningful metrics

    Specific

    Measureable

    Achievable

    Realistic

    Time-bound

    Follow the SMART framework when developing metrics for each service offering.

    Adhering to this methodology is a key component of the lean management methodology. This framework will help you avoid establishing general metrics that aren’t relevant.

    "It’s not about telling people what they are doing wrong. It’s about constantly steering everyone on the team in the direction of success, and never letting any individual compromise the progress of the team toward success." – Mary Poppendieck, qtd. in “Questioning Servant Leadership”

    For important advice on how to avoid the many risks associated with metrics, refer to Info-Tech’s Select and Use SDLC Metrics Effectively.

    Ensure your metrics are addressing criteria from different levels of stakeholders and enterprise context

    There will be a degree of overlap between the metrics from your business objectives, service offerings, and existing Agile teams. This is a positive thing. If a metric can speak to multiple benefits it is that much more powerful in commuting successes to your key stakeholders.

    Existing metrics

    Business objective metrics

    Service offering metrics

    Agile adoption metrics

    Finding points of overlap means that you have multiple stakeholders with a vested interest in the positive trend of a specific metric. These consolidated metrics will be fundamental for your CoE as they will help build consensus through communicating the success of the ACE in a common language for a diverse audience.

    Activity: Define existing team-level metrics

    2.3.1 1 Hour

    Input

    • Current metrics

    Output

    • Service offerings categorized within adoption model

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Team
    1. Gather any metrics related documentation that you collected during your requirements gathering in Phase 1.
    2. Collect team-level metrics for your existing Agile teams:
      • Examine outputs from any feedback mechanisms you have (satisfaction surveys, emails, existing SLAs, burndown charts, resourcing costs, licensing costs per sprint, etc.).
      • Look at historical trends and figures when available. Be careful of frequent anomalies as these may indicate a root cause that needs to be addressed.
      • Explore the definition of specific metrics across different functional teams to ensure consistency of measurement and reporting.
    Team Objective Expected Benefits Metrics
    Improve productivity
    • Improve transparency with business decisions
    • Team burndown and velocity
    • Number of releases per milestone
    Increase team morale and motivation
    • Teams are engaged and motivated to develop new opportunities to deliver more value quicker.
    • Team satisfaction with Agile environment
    • Degree of engagement in ceremonies
    Improve transparency with business decisions
    • Teams are engaged and motivated to develop new opportunities to deliver more value quicker.
    • Stakeholder satisfaction with completed product
    • Number of revisions to products in demonstrations

    Activity: Define metrics that align with your Agile business objectives

    2.3.2 1 Hour

    Input

    • Organizational business objectives from Phase 1

    Output

    • Metrics aligned to organizational business objectives

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. List the business objectives that you determined in 1.1.2.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of completing those business objectives, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your business objectives. While engaging in this process, ensure to document the collection method for each metrics.
    Business Objectives Expected Benefits Metrics
    Decrease time-to-market of product releases
    • Faster feedback from customers.
    • Increased customer satisfaction.
    • Competitive advantage.
    Decrease time-to-market of product releases
    • Alignment to organizational best practices.
    • Improved team productivity.
    • Greater collaboration across functional teams.
    • Policy and practice adherence and acknowledgement
    • Number of requests for ACE services
    • Number of suggestions to improve Agile best practices and ACE operations

    Activity: Define target ACE performance metrics

    2.3.3 1 Hour

    Input

    • Service offerings
    • Satisfaction surveys
    • Usage rates

    Output

    • CoE performance metrics

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. Define metrics to measure the success of each of your service offerings.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of those service offerings, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your service offerings.
    4. Compare these to your team performance metrics.
    Service Offering Expected Benefits Metrics
    Knowledge management
    • Comprehensive knowledgebase that accommodates various company products and office locations.
    • Easily accessible resources.
    • Number of practices extracted from ACE and utilized
    • Frequency of updates to knowledgebase
    Tooling standards
    • Tools adhere to company policies, security guidelines, and regulations.
    • Improved support of tools and technologies.
    • Tools integrate and function well with enterprise systems.
    • Number of teams and functional groups using standardized tools
    • Number of supported standardized tools
    • Number of new tools added to the standards list
    • Number of tools removed from standards list

    Activity: Define Agile adoption metrics

    2.3.4 1 Hour

    Input

    • Agile adoption model

    Output

    • Agile adoption metrics
    1. Define metrics to measure the success of each of your service offerings.
    2. Create a shortlist of expected benefits from those business objectives. These will help to drive metrics that align with the intended purpose of those service offerings, and affirm they are aligned to realizable benefits.
    3. Define metrics that speak to the benefits of your service offerings.
    4. It is possible that you will need to adjust these metrics after baselines are established when you begin to operate the ACE. Keep this in mind moving forward.
    Adoption attributes Expected Benefits Metrics
    Team organization
    • Acquisition of the appropriate roles and skills to successfully deliver products.
    • Degree of flexibility to adjust team compositions on a per project basis
    Team coordination
    • Ability to successfully undertake large and complex projects involving multiple functional groups.
    • Number of ceremonies involving teams across functional groups
    Business alignment
    • Increased delivery of business value from process optimizations.
    • Number of business-objective metrics surpassing targets
    Coaching
    • Teams are regularly trained with new and better best practices.
    • Number of coaching and training requests
    Empowerment
    • Teams can easily and quickly modify processes to improve productivity without following a formal, rigorous process.
    • Number of implemented changes from team retrospectives
    Failure tolerance
    • Stakeholders trust teams will adjust when failures occur during a project.
    • Degree of stakeholder trust to address project issues quickly and effectively

    Activity: Consolidate your metrics for stakeholder impact

    2.3.5 30 Minutes

    Input

    • New and existing Agile metrics

    Output

    • Consolidated Agile metrics

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • ACE
    1. Take all the metrics defined from the previous activities and compare them as a group.
    2. If there are overlapping metrics that are measuring similar outcomes or providing similar benefits, see if there is a way to merge them together so that a single metric can report outcomes to multiple stakeholders. This reduces the amount of resources invested in metrics gathering and helps to show consensus or alignment between multiple stakeholder interests.
    3. Compare these to your existing Agile metrics, and explore ways to consolidate existing metrics that are established with some of your new metrics. Established metrics are trusted and if they can be continued it can be viewed as beneficial from a consensus and consistency perspective to your stakeholders.

    Activity: Use Info-Tech’s ACE Benefits Tracking Tool to monitor, evaluate, refine, and ensure continued business value

    2.3.6 1 Hour

    Purpose

    The CoE governance team can use this tool to take ownership of the project’s benefits, track progress, and act on any necessary changes to address gaps. In the long term, it can be used to identify whether the team is ahead, on track, or lagging in terms of benefits realization.

    Steps

    1. Enter your identified metrics from the following activities into the ACE Benefits Tracking Tool.
    2. Input your baselines from your data collection (Phase 3) and a goal value for each metric.
    3. Document the results at key intervals as defined by the tool.
    4. Use the summary report to identify metrics that are not tracking well for root cause analysis and communicate with key stakeholders the outcomes of your Agile Center of Excellence based on your communication schedule from Phase 3, Step 3.

    INFO-TECH DELIVERABLE

    Download the ACE Benefits Tracking Tool.

    Checkpoint: Are you ready to operate your ACE?

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Self Auditing Guidelines

    • Have you categorized your ACE service offerings within Info-Tech’s Agile adoption model?
    • Have you formalized engagement plans to standardize the access to your service offerings?
    • Do you understand the function of learning events and their criticality to the function of the ACE?
    • Do you understand the key attributes of Agile adoption and how social capital leads to optimized value delivery?
    • Have you defined metrics for different goals (adoption, effective service offerings, business objectives) of the ACE?
    • Do your defined metrics align to the SMART framework?

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.1 Further categorize your use cases within the Agile adoption model

    Our analyst team will help you categorize the Centers of Excellence service offerings within Info-Tech’s Agile adoption model to help standardize the way your organization engages with the Center of Excellence.

    2.2.1 Create an engagement plan for each level of adoption

    Our analyst team will help you structure engagement plans for each role within your Agile environment to provide a standardized pathway to personal development and consistency in practice.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    2.3.2 Define metrics that align with your Agile business objectives

    Our analysts will walk you through defining a set of metrics that align with your Agile business objectives identified in Phase 1 of the blueprint so the CoEs monitoring function can ensure ongoing alignment during operation.

    2.3.3 Define target ACE performance metrics

    Our analysts will walk you through defining a set of metrics that monitors how successful the ACE has been at providing its services so that business and IT stakeholders can ensure the effectiveness of the ACE.

    2.3.4 Define Agile adoption metrics

    Our analyst team will help you through defining a set of metrics that aligns with your organization’s fit of the Agile adoption model in order to provide a mechanism to track the progress of Agile teams maturing in capability and organizational trust.

    Phase 3

    Operationalize Your Agile Center of Excellence

    Spread Best Practices With an Agile Center of Excellence

    Operate your ACE to drive optimized value from your Agile teams

    The final step is to engage in monitoring of your metrics program to identify areas for improvement. Using metrics as a driver for operating your ACE will allow you to identify and effectively manage needed change, as well as provide you with the data necessary to promote outcomes to your stakeholders to ensure the long-term viability of the ACE within your organization.

    Phase 1 - Strategically Align the CoE

    Create strategic alignment between the CoE and the organization’s goals, objectives, and vision. This alignment translates into the CoE mandate intended to enhance the way Agile will enable teams to meet business objectives.

    Phase 2 - Standardize the CoEs Service Offerings

    Build an engagement plan based on a standardized adoption model to ensure your CoE service offerings are accessible and consistent across the organization. Create and consolidate key performance indicators to measure the CoEs utility and whether or not the expected value is being translated to tangible results.

    Phase 3 - Operate the CoE

    Operate the CoE to provide service offerings to Agile teams, identify improvements to optimize the function of your Agile teams, and effectively manage and communicate change so that teams can grow within the Agile adoption model and optimize value delivery both within your Agile environment and across functions.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Operate the CoE

    Proposed Time to Completion (in weeks): Variable depending on communication plan

    Step 3.1: Optimize the success of your ACE

    Start with an analyst kick off call:

    • Conduct a baseline assessment of your Agile environment.

    Then complete these activities…

    3.1.1 Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline.

    3.1.2 Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE.

    3.1.3 Prioritize ACE actions by monitoring your metrics.

    Step 3.2: Plan change to enhance your Agile initiatives

    Start with an analyst kick off call:

    • Interface with the ACE with your change management function.

    Then complete these activities…

    3.2.1 Assess the interaction and communication points of your Agile teams.

    3.2.2 Determine the root cause of each metric falling short of expectations.

    3.2.3 Brainstorm solutions to identified issues.

    3.2.4 Review your metrics program.

    3.2.5 Create a communication plan for change.

    Step 3.3: Conduct ongoing retrospectives of your ACE

    Finalize phase deliverable:

    • Build a communications deck for key stakeholders.

    Then complete these activities…

    3.3.1 Use the outputs from your metrics tracking tool to communicate progress.

    3.3.2 Summarize adjustments in areas where the ACE fell short.

    3.3.3 Review the effectiveness of your service offerings.

    3.3.4 Evaluate your ACE Maturity.

    3.3.5 Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders.

    Phase 3 Results & Insights:

    Inject improvements into your Agile environment with operational excellence. Plan changes and communicate them effectively, monitor outcomes on a regular basis, and keep stakeholders in the loop to ensure that their interests are being looked after to ensure long-term viability of the CoE.

    Phase 3, Step 1: Optimize the success of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Tools:

    3.1.1 Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline.

    3.1.2 Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE.

    3.1.3 Prioritize ACE actions by monitoring your metrics.

    Outcomes:

    • Conduct a baseline assessment of your ACE to measure against using a variety of data sources, including interviews, satisfaction surveys, and historical data.
    • Use the Benefits Tracking Tool to start monitoring the outcomes of the ACE and to keep track of trends.

    Ensure the CoE is able to collect the necessary data to measure success

    Establish your collection process to ensure that the CoE has the necessary resources to collect metrics and monitor progress, that there is alignment on what data sources are to be used when collecting data, and that you know which stakeholder is interested in the outcomes of that metric.

    Responsibility

    • Does the CoE have enough manpower to collect the metrics and monitor them?
    • If automated through technology, is it clear who is responsible for its function?

    Source of metric

    • Is the method of data collection standardized so that multiple people could collect the data in the same way?

    Impacted stakeholder

    • Do you know which stakeholder is interested in this metric?
    • How often should the interested stakeholder be informed of progress?

    Intended function

    • What is the expected benefit of increasing this metric?
    • What does the metric intend to communicate to the stakeholder?

    Conduct a baseline assessment of your ACE to measure success

    Establishing the baseline performance of the ACE allows you to have a reasonable understanding of the impact it is having on meeting business objectives. Use user satisfaction surveys, stakeholder interviews, and any current metrics to establish a concept of how you are performing now. Setting new metrics can be a difficult task so it is important to collect as much current data as possible. After the metrics have been established and monitored for a period of time, you can revisit the targets you have set to ensure they are realistic and usable.

    Without a baseline, you cannot effectively:

    • Establish reasonable target metrics that reflect the performance of your Center of Excellence.
    • Identify, diagnose, and resolve any data that deviates from expected outcomes.
    • Measure ongoing business satisfaction given the level of service.

    Info-Tech Insight

    Invest the needed time to baseline your activities. These data points are critical to diagnose successes and failures of the CoE moving forward, and you will need them to be able to refine your service offerings as business conditions or user expectations change. While it may seem like something you can breeze past, the investment is critical.

    Use a variety of sources to get the best picture of your current state; a combination of methods provides the richest insight

    Interviews

    What to do:

    • Conduct interviews (or focus groups) with key influencers and Agile team members.

    Benefits:

    • Data comes from key business decision makers.
    • Identify what is top of mind for your top-level stakeholders.
    • Ask follow-up questions for detail.

    Challenges:

    • This will only provide a very high-level view.
    • Interviewer biases may skew the results.

    Surveys

    What to do:

    • Distribute an Agile-specific stakeholder satisfaction survey. The survey should be specific to identify factors of your current environment.

    Benefits:

    • Every end user/business stakeholder will be able to provide feedback.
    • The survey will be simple to develop and distribute.

    Challenges:

    • Response rates can be low if stakeholders do not understand the value in their opinions.

    Historical Data

    What to do:

    • Collect and analyze existing Agile data such as past retrospectives, Agile team metrics, etc.

    Benefits:

    • Get a full overview of current service offerings, past issues, and current service delivery.
    • Allows you to get an objective view of what is really going on within your Agile teams.

    Challenges:

    • Requires a significant time investment and analytical skills to analyze the data and generate insights on business satisfaction and needs.

    Use Info-Tech’s ACE Satisfaction Survey to help establish your baseline

    3.1.1 Baseline satisfaction survey

    Purpose

    Conduct a user satisfaction survey prior to setting your baseline for your ACE. This will include high-level questions addressing your overall Agile environment and questions addressing teams’ current satisfaction with their processes and technology.

    Steps

    1. Modify the satisfaction survey template to suit your organization and the service offerings you have defined for the Agile Center of Excellence.
    2. Distribute the satisfaction survey to any users who are expected to interface with the ACE.
    3. Document the results and communicate them with the relevant key stakeholders.
    4. Combine these results with historical data points (if available) and stakeholder interviews to get a holistic picture of your current state.

    INFO-TECH DELIVERABLE

    Download the ACE Satisfaction Survey.

    Use Info-Tech’s CoE Maturity Diagnostic Tool to measure the maturity level of your ACE

    3.1.2 CoE maturity assessment

    Purpose

    Assessing your ACEs maturity lets you know where they currently are and what to track to get them to the next step. This will help ensure your ACE is following good practices and has the appropriate mechanisms in place to serve your stakeholders.

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your maturity score.
    3. Document the results and communicate them with the relevant key stakeholders.
    4. Combine these results with historical data points (if available) and stakeholder interviews to get a holistic picture of your ACE maturity level.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    Download the CoE Maturity Diagnostic Tool.

    Activity: Prioritize ACE actions by monitoring your metrics

    3.1.3 Variable time commitment

    Input

    • Metrics from ACE Benefits Tracking Tool

    Output

    • Prioritized actions for the ACE

    Materials

    • ACE Benefits Tracking Tool

    Participants

    • ACE team
    1. Review your ACE Benefits Tracking Tool periodically (at the end of sprint cycles, quarterly, etc.) and document metrics that are trending or actively falling short of goals or expectations.
    2. Take the documented list and have the ACE staff consider what actions or decisions can be prioritized to help mend the identified gaps. Look for any trends that could potentially speak to a larger problem or a specific aspect of the ACE or the organizational Agile environment that is not functioning as expected.
    3. Take the opportunity to review metrics that are also tracking above expected value to see if there are any lessons learned that can be extended to other ACE service offerings (e.g. effective engagement or communication strategies) so that the organization can start to learn what is effective and what is not based on their internal struggles and challenges. Spreading successes is just as important as identifying challenges in a CoE model.

    Phase 3, Step 2: Plan change to enhance your Agile initiatives

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities:

    3.2.1 Assess the interaction and communication points of your Agile teams.

    3.2.2 Determine the root cause of each metric falling short of expectations.

    3.2.3 Brainstorm solutions to identified issues

    3.2.4 Review your metrics program.

    3.2.5 Create a communication plan for change.

    Outcomes:

    • Understand how your existing change management process interfaces with the Center of Excellence.
    • Identify issues and ideate solutions to metrics falling short of expectations.
    • Create a communication plan to prepare groups for any necessary change.

    Manage the adaptation of teams as they adopt Agile capabilities

    As Agile spreads, be cognizant of your cultural tolerance to change and its ability to deliver on such change. Change will happen more frequently and continuously, and there may be conceptual (change tolerance) or capability (delivery tolerance) roadblocks along the way that will need to be addressed.

    The Agile adoption model will help to graduate both the tolerance to change and tolerance to deliver over time. As your level of competency to deliver change increases, organizational tolerance to change, especially amongst management, will increase as well. Remember that optimized value delivery comes from this careful balance of aptitude and trust.

    Tolerance to change

    Tolerance to change refers to the conceptual capacity of your people to consume and adopt change. Change tolerance may become a barrier to success because teams might be too engrained with current structures and processes and find any changes too disruptive and uncomfortable.

    Tolerance to deliver

    Tolerance to deliver refers to the capability to deliver on expected change. While teams may be tolerant, they may not have the necessary capacity, skills, or resources to deliver the necessary changes successfully. The ACE can help solve this problem with training and coaching, or possibly by obtaining outside help where necessary.

    Understand how the ACE interfaces with your current change management process

    As the ACE absorbs best practices and identifies areas for improvement, a change management process should be established to address the implementation and sustainability of change without introducing significant disruptions and costs.

    To manage a continuously changing environment, your ACE will need to align and coordinate with organizational change management processes. This process should be capable of evaluating and incorporating multiple change initiatives continuously.

    Desired changes will need to be validated, and localized adaptations will need to be disseminated to the larger organization, and current state policy and procedures will need to be amended as the adoption of Agile spreads and capabilities increase.

    The goal here is to have the ACE governance group identify and interface with parties relevant to successfully implementing any specific change.

    INFO-TECH RELATED RESEARCH:

    Strategy and Leadership: Optimize Change Management

    Optimize your stakeholder management process to identify, prioritize, and effectively manage key stakeholders.

    Where should your Agile change requests come from?

    Changes to the services, structure, or engagement model of your ACE can be triggered from various sources in your organization. You will see that proposed changes may be requested with the best intentions; however, the potential impacts they may have to other areas of the organization can be significant. Consult all sources of ACE change requests to obtain a consensus that your change requests will not deteriorate the ACEs performance and use.

    ACE Governance

    • Sources of ACE Change Requests
      • ACE Policies/Stakeholders
        • Triggers for Change:
          • Changes in business and functional group objectives.
          • Dependencies and legacy policies and procedures.
      • ACE Customers
        • Triggers for Change:
          • Retrospectives and post-mortems.
          • Poor fit of best practices to projects.
      • Metrics
        • Triggers for Change:
          • Performance falling short of expectations.
          • Lack of alignment with changing objectives.
      • Tools and Technologies
        • Triggers for Change:
          • New or enhanced tools and technologies.
          • Changes in development and technology standards.

    Note: Each source of ACE change requests may require a different change management process to evaluate and implement the change.

    Activity: Assess the interaction and communication points of your Agile teams

    3.2.1 1.5 Hours

    Input

    • Understanding of team and organization structure

    Output

    • Current assessment of organizational design

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Development team
    1. Identify everyone who is directly or indirectly involved in projects completed by Agile teams. This can include those that are:
    • Informed of a project’s progress.
    • Expected to interface with the Agile team for solution delivery (e.g. DevOps).
    • Impacted by the success of the delivered solutions.
    • Responsible for the removal of impediments faced by the Agile team.
  • Indicate how each role interacts with the others and how frequently these interactions occur for a typical project. Do this by drawing a diagram on a whiteboard using labelled arrows to indicate types and frequency of interactions.
  • Identify the possible communication, collaboration, and alignment challenges the team will face when working with other groups.
  • Agile Team n
    Group Type of Interaction Potential challenges
    Operations
    • Release management
    • Past challenges transitioning to DevOps.
    • Communication barrier as an impediment.
    PMO
    • Planning
    • Product owner not located with team in organization.
    • PMO still primarily waterfall; need Agile training/coaching

    Activity: Determine the root cause of each metric falling short of expectations

    3.2.2 30 Minutes per metric

    Input

    • Metrics from Benefits Tracking Tool

    Output

    • Root causes to issues

    Materials

    • Whiteboard
    • Markers

    Participants

    • ACE team
    1. Take each metric from the ACE Benefits Tracking Tool that is lagging behind or has missed expectations and conduct an analysis of why it is performing that way.
    2. Conduct individual webbing sessions to clarify the issues. The goal is to drive out the reasons why these issues are present or why scaling Agile may introduce additional challenges.
    3. Share and discuss these findings with the entire team.

    Example:

    • Lack of best-practice documentation
      • Why?
        • Knowledge siloed within teams
        • No centralized repository for best practices
          • Why?
            • No mechanisms to share between teams
              • Why? Root causes
                • Teams are not sharing localized adaptations
                • CoE is not effectively monitoring team communications
            • Access issues at team level to wiki
              • Why? Root causes
                • Administration issues with best-practice wiki
                • Lack of ACE visibility into wiki access

    Activity: Brainstorm solutions to identified issues

    3.2.3 30 Minutes per metric

    Input

    • Root causes of issues

    Output

    • Fixes and solutions to scaling Agile issues

    Materials

    • Whiteboard
    • Markers
    • Sticky notes

    Participants

    • Development team
    1. Using the results from your root-cause analysis, brainstorm potential solutions to the identified problems. Frame your brainstorming within the following perspectives: people, process, and technology. Map these solutions using the matrix below.
    2. Synthesize your ideas to create a consolidated list of initiatives.
      1. Highlight the solutions that can address multiple issues.
      2. Collaborate on how solutions can be consolidated into a single initiative.
    3. Write your synthesized solutions on sticky notes.
    SOLUTION CATEGORY
    People Process Technology
    ISSUES Poor face-to-face communication
    Lack of best-practice documentation

    Engage those teams affected by change early to ensure they are prepared

    Strategically managing change is an essential component to ensure that the ACE achieves its desired function. If the change that comes with adopting Agile best practices is going to impact other functions and change their expected workflows, ensure they are well prepared and the benefits for said changes are clearly communicated to them.

    Necessary change may be identified proactively (dependency assessments, system integrity, SME indicates need, etc.) or reactively (through retrospectives, discussions, completing root-cause analyses, etc.), but both types need to be handled the same way – through proper planning and communication with the affected parties.

    Plan any necessary change

    Understand the points where other groups will be affected by the adoption of Agile practices and recognize the potential challenges they may face. Plan changes to accommodate interactions between these groups without roadblocks or impediments.

    Communicate the change

    Structure a communication plan based on your identified challenges and proposed changes so that groups are well prepared to make the necessary adjustments to accommodate Agile workflows.

    Review and modify your metrics and baselines to ensure they are achievable in changing environments

    Consider the possible limitations that will exist from environmental complexities when measuring your Agile teams. Dependencies and legacy policies and procedures that pose a bottleneck to desired outcomes will need to be changed before teams can be measured justifiably. Take the time to ensure the metrics you crafted earlier are plausible in your current environment and there is not a need for transitional metrics.

    Are your metrics achievable?

    Specific

    Measureable

    Achievable

    • Adopting Agile is a journey, not just a destination. Ensure that the metrics a team is measured against reflect expectations for the team’s current level of Agile adoption and consider external dependencies that may limit their ability to achieve intended results.

    Realistic

    Time-bound

    Info-Tech Insight

    Use metrics as diagnostics, not as motivation. Teams will find ways to meet metrics they are measured by making sacrifices and taking unneeded risk to do so. To avoid dysfunction in your monitoring, use metrics as analytical tools to inform decision making, not as a yardstick for judgement.

    Activity: Review your metrics program

    3.2.4 Variable time commitment

    Input

    • Identified gaps
    • Agile team interaction points

    Output

    • ACE baselines
    • Past measurements

    Materials

    • ACE Benefits Tracking Tool

    Participants

    • ACE
    1. Now that you have identified gaps in your current state, see if those will have any impact on the achievability of your current metrics program.
    2. Review your root-cause analyses and brainstormed solutions, and hypothesize whether or not they will have any downstream impact to goal attainment. It is possible that there is no impact, but as cross-functional collaboration increases, the likelihood that groups will act as bottlenecks or impediments to expected performance will increase.
    3. Consider how any changes will impact the interaction points between teams based on the results from activity 3.2.1: Assess the interaction and communication points of your Agile teams. If there are too many negative impacts it may be a sign to re-consider the hypothesized solution to the problem and consider alternatives.
    4. In any cases where a metric has been altered, adjust its goal measurement to reflect its changes in the ACE Benefits Tracking Tool.

    Case study: Agile change at the GSA

    CASE STUDY

    Industry Government

    Source Navin Vembar, Agile Government Leadership

    Challenge

    The GSA is tasked with completed management of the Integrated Award Environment (IAE).

    • The IAE manages ten federal information technology systems that enable registering, searching, and applying for federal awards, as well as tracking them.
    • The IAE also manages the Federal Service Desk.

    The IAE staff had to find a way to break down the problem of modernization into manageable chunks that would demonstrate progress, but also had to be sure to capture a wide variety of user needs with the ability to respond to those needs throughout development.

    Had to work out the logistics of executing Agile change within the GSA, an agency that relies heavily on telework. In the case of modernization, they had a product owner in Florida while the development team was spread across the metro Washington, DC area.

    Solution

    Agile provided the ability to build incremental successes that allowed teams successful releases and built enthusiasm around the potential of adopting Agile practices offered.

    • GSA put in place an organization framework that allowed for planning of change at the portfolio level to enable the change necessary to allow for teams to execute tasks at the project level.
    • A four-year plan with incremental integration points allowed for larger changes on a quarterly basis while maintaining a bi-weekly sprint cycle.
    • They adopted IBM’s RTC tool for a Scrum board and on Adobe Connect for daily Scrum sessions to ensure transparency and effectiveness of outcomes across their collocated teams.

    Create a clear, concise communication plan

    Communication is key to avoid surprises and lost productivity created by the implementation of changes.

    User groups and the business need to be given sufficient notice of an impending change. Be concise, be comprehensive, and ensure that the message is reaching the right audience so that no one is blindsided and unable to deliver what is needed. This will allow them to make appropriate plans to accept the change, minimizing the impact of the change on productivity.

    Key Aspects of a Communication Plan

    • The method of communication (email, meetings, workshops, etc.).
    • The delivery strategy (who will deliver the message?).
    • The communication responsibility structure.
    • The communication frequency.
    • A feedback mechanism that allows you to review the effectiveness of your plan.
    • The message that you need to present.

    Communicating change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • What are we trying to achieve?
    • How often will we be updated?

    (Cornelius & Associates, The Qualities of Leadership: Leading Change)

    Apply the following principles to enhance the clarity of your message

    1. Be Consistent
    • "This is important because..."
      • The core message must be consistent regardless of audience, channel, or medium.
      • Test your communication and obtain feedback before delivering your message.
      • A lack of consistency can be perceived as deception.
  • Be Clear
    • "This means..."
      • Say what you mean and mean what you say.
      • Choice of language is important.
      • Don’t use jargon.
  • Be Relevant
    • "This affects you because..."
      • Talk about what matters to the audience.
      • Talk about what matters to the change initiative.
      • Tailor the details of the message to each audience’s specific concerns.
      • Communicate truthfully; do not make false promises or hide bad news.
  • Be Concise
    • "In summary..."
      • Keep communication short and to the point so key messages are not lost in the noise.
  • Activity: Create a communication plan for change

    3.2.5 1.5 Hours

    Input

    • Desired messages
    • Stakeholder list

    Output

    • Communication plan

    Materials

    • Whiteboard
    • Markers

    Participants

    • CoE
    1. Define the audience(s) for your communications. Consider who needs to be the audience of your different communication events and how it will impact them.
    2. Identify who the messenger will be to deliver the message.
    3. Identify your communication methods. Decide on the methods you will use to deliver each communication event. Your delivery method may vary depending on the audience it is targeting.
    4. Establish a timeline for communication releases. Set dates for your communication events. This can be recurring (weekly, monthly, etc.) or one-time events.
    5. Determine what the content of the message must include. Use the guidelines on the following slide to ensure the message is concise and impactful.

    Note: It is important to establish a feedback mechanism to ensure that the communication has been effective in communicating the change to the intended audiences. This can be incorporated into your ACE satisfaction surveys.

    Audience Messenger Format Timing Message
    Operations Development team Email
    • Monthly (major release)
    • Ad hoc (minor release and fixes)
    Build ready for release
    Key stakeholders CIO Meeting
    • Monthly unless dictated otherwise
    Updates on outcomes from past two sprint cycles

    Phase 3, Step 3: Conduct ongoing retrospectives of your ACE

    Phase 1

    1.1 Determine the vision of your ACE

    1.2 Define the service offerings of your ACE

    Phase 2

    2.1 Define an adoption plan for your Agile teams

    2.2 Create an ACE engagement plan

    2.3 Define metrics to measure success

    Phase 3

    3.1 Optimize the success of your ACE

    3.2 Plan change to enhance your Agile initiatives

    3.3 Conduct ongoing retrospectives of your ACE

    Activities/Tools:

    3.3.1 Use the outputs from your metrics tracking tool to communicate progress.

    3.3.2 Summarize adjustments in areas where the ACE fell short.

    3.3.3 Re-conduct satisfaction surveys and compare against your baseline.

    3.3.4 Use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    3.3.5 Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders.

    Outcomes:

    • Conduct a retrospective of your ACE to enable the continuous improvement of your Agile program.
    • Structure a communications deck to communicate with stakeholders the outcomes from introducing the ACE to the organization.

    Reflect on your ACEs performance to lead the way to enterprise agility

    After functioning for a period of time, it is imperative to review the function of your ACE to ensure its continual alignment and see in what ways it can improve.

    At the end of the year, take the time to deliberately review and discuss:

    1. The effectiveness and use of your ACEs service offerings.
    2. What went well or wrong during the ACEs operation.
    3. What can be done differently to improve reach, usability, and effectiveness.
    4. Bring together Agile teams and discuss the processes they follow and inquire about suggestions for improvement.

    What is involved?

    • Use your metrics program to diagnose areas of issue and success. The diagnostic value of your metrics can help lead conversations with your Agile teams when attempting to inquire about suggestions for improvement.
    • Leverage your satisfaction surveys from the creation of your ACE and compare them against satisfaction surveys run after a year of operation. What are the lessons learned between then and now?
    • While it is primarily conducted by the ACE team, keep in mind it is a collaborative function and should involve all members, including Agile teams, product owners, Scrum masters, etc.

    Communicating with your key influencers is vital to ensure long-term operation of the ACE

    To ensure the long-term viability of your ACE and that your key influencers will continue funding, you need to demonstrate the ROI the Center of Excellence has provided.

    The overlying purpose of your ACE is to effectively align your Agile teams with corporate objectives. This means that there have to be communicable benefits that point to the effort and resources invested being valuable to the organization. Re-visit your prioritized stakeholder list and get ready to show them the impact the ACE has had on business outcomes.

    Communication with stakeholders is the primary method of building and developing a lasting relationship. Correct messaging can build bridges and tear down barriers, as well as soften opposition and bolster support.

    This section will help you to prepare an effective communication piece that summarizes the metrics stakeholders are interested in, as well as some success stories or benefits that are not communicable through metrics to provide extra context to ongoing successes of the ACE.

    INFO-TECH RELATED RESEARCH:

    Strategy and Leadership: Manage Stakeholder Relations

    Optimize your stakeholder management process to identify, prioritize, and effectively manage key stakeholders.

    Involve key stakeholders in your retrospectives to justify the funding for your ACE

    Those who fund the ACE have a large influence on the long-term success of your ACE. If you have not yet involved your stakeholders, you need to re-visit your organizational funding model for the ACE and ensure that your key stakeholders include the key decision makers for your funding. While they may have varying levels of interest and desires for granularity of data reporting, they need to at least be informed on a high level and kept as champions of the ACE so that there are no roadblocks to the long-term viability of this program.

    Keep this in mind as the ACE begins to demonstrate success, as it is not uncommon to have additional members added to your funding model as your service scales, especially in the chargeback models.

    As new key influencers are included, the ACEs governing group must ensure that collective interests may align and that more priorities don’t lead to derailment.

    The image shows a matrix. The matrix is labelled with Involvement at the bottom, and Power on the left side, and has the upper left quadrant labelled Keep Satisfied, the upper right quadrant labelled Key players, the lower right quadrant labelled Keep informed, and the lower left quadrant labelled Minimal effort. In the matric, there are several roles shown, with roles such as CFO, Apps Director, Funding Group, and CIO highlighted in the Key players section.

    Use the outputs from your metrics tracking tool to communicate progress

    3.3.1 1 Hour

    Use the ACE Benefits Tracking Tool to track the progress of your Agile environment to monitor whether or not the ACE is having a positive impact on the business’ ability to meet its objectives. The outputs will allow you to communicate incremental benefits that have been realized and point towards positive trends that will ensure the long-term buy-in of your key influencers.

    For communication purposes, use this tool to:

    • Re-visit who the impacted or interested stakeholders are so you can tailor your communications to be as impactful as possible for each key influencer of the ACE.

    The image shows a screen capture of the Agile CoE Metrics Tracking sheet.

    • Collate the benefits of the current projects undertaken by the Center of Excellence to give an overall recap of the ACEs impact.

    The image is a screen capture of the Summary Report sheet.

    Communicate where the ACE fell short

    Part of communicating the effectiveness of your ACE is to demonstrate that it is able to remedy projects and processes when they fall short of expectations and brainstorm solutions that effectively address these challenges. Take the opportunity to summarize where results were not as expected, and the ways in which the ACE used its influence or services to drive a positive outcome from a problem diagnosis. Stakeholders do not want a sugar-coated story – they want to see tangible results based on real scenarios.

    Summarizing failures will demonstrate to key influencers that:

    • You are not cherry-picking positive metrics to report and that the ACE faced challenges that it was able to overcome to drive positive business outcomes.
    • You are being transparent with the successes and challenges faced by the ACE, fostering increased trust within your stakeholders regarding the capabilities of Agile.
    • Resolution mechanisms are working as intended, successfully building failure tolerance and trust in change management policies and procedures.

    Activity: Summarize adjustments in areas where the ACE fell short

    3.3.2 15 Minutes per metric

    Input

    • Diagnosed problems from tracking tool
    • Root-cause analyses

    Output

    • Summary of change management successes

    Materials

    • Whiteboard
    • Markers

    Participants

    • ACE
    1. Create a list of items from the ACE Benefits Tracking Tool that fell short of expectations or set goals.
    2. For each point, create a brief synopsis of the root-cause analysis completed and summarize the brainstormed solution and its success in remedying the issue. If this process is not complete, create a to-date summary of any progress.
    3. Choose two to three pointed success stories from this list that will communicate broad success to your set of stakeholders.
    Name of metric that fell short
    Baseline measurement 65% of users satisfied with ACE services.
    Goal measurement 80% of users satisfied with ACE services.
    Actual measurement 70% of users satisfied with ACE services.
    Results of root-cause analysis Onboarding was not extensive enough; teams were unaware of some of the services offered, rendering them unsatisfied.
    Proposed solution Revamp onboarding process to include capability map of service offered.
    Summary of success TBD

    Re-conduct surveys with the ACE Satisfaction Survey to review the effectiveness of your service offerings

    3.3.3 Re-conduct satisfaction surveys and compare against your baseline

    Purpose

    This satisfaction survey will give you a template to follow to monitor the effectiveness of your ACEs defined service offerings. The goal is to understand what worked, and what did not, so you can add, retract, or modify service offerings where necessary.

    Steps

    1. Re-use the satisfaction survey to measure the effectiveness of the service offerings. Add questions regarding specific service offerings where necessary.
    2. Cross-analyze your satisfaction survey with metrics tied to your service offerings to help understand the root cause of the issues.
    3. Use the root-cause analysis exercises from step 3.2 to find the root causes of issues.
    4. Create a set of recommendations to add, amend, or improve any existing service offerings.

    INFO-TECH DELIVERABLE

    Download the ACE Satisfaction Survey.

    Use Info-Tech’s CoE Maturity Diagnostic Tool to baseline current practices

    3.3.4 ACE Maturity Assessment

    Purpose

    Assess your ACEs maturity by using Info-Tech’s CoE Maturity Diagnostic Tool. Assessing your ACEs maturity lets you know where you currently are, and where to look for improvements. Note that your optimal Maturity Level will depend on organizational specifics (e.g. a small organization with a handful of Agile Teams can be less mature than a large organization with hundreds of Agile Teams).

    Steps

    1. Download the CoE Maturity Diagnostic Tool to assess the maturity of your ACE.
    2. Complete the assessment tool with all members of your ACE team to determine your current Maturity score.
    3. Document the results in the ACE Communications Deck.

    Document results in the ACE Communications Deck.

    INFO-TECH DELIVERABLE

    Download the CoE Maturity Diagnostic Tool.

    Use Info-Tech’s ACE Communications Deck to deliver your outcomes to the key stakeholders

    3.3.5 Structure communications to each of your key stakeholders

    Purpose

    The ACE Communications Deck will give you a template to follow to effectively communicate with your stakeholders and ensure the long-term viability of your Agile Center of Excellence. Fill in the slides as instructed and provide each stakeholder with a targeted view of the successes of the ACE.

    Steps

    1. Determine who your target audience is for the Communications Deck – you may desire to create one for each of your key stakeholders as they may have different sets of interests.
    2. Fill out the ACE Communications Deck with the suggested inputs from the exercises you have completed during this research set.
    3. Review communications with members of the ACE to ensure that there are no communicable benefits that have been missed or omitted in the deck.

    INFO-TECH DELIVERABLE

    Download the ACE Communications Deck.

    Summary of accomplishment

    Knowledge Gained

    • An understanding of social capital as the key driver for organizational Agile success, and how it optimizes the value delivery of your Agile teams.
    • Importance of flexible governance to balance the benefits of localized adaptation and centralized control.
    • Alignment of service offerings with both business objectives and functional expectations as critical to ensuring long-term engagement with service offerings.

    Processes Optimized

    • Knowledge management and transfer of Agile best practices to new or existing Agile teams.
    • Optimization of service offerings for Agile teams based on organizational culture and objectives.
    • Change request optimization via interfacing ACE functions with existing change management processes.
    • Communication planning to ensure transparency during cross-functional collaboration.

    Deliverables Completed

    • A set of service offerings offered by the Center of Excellence that are aligned with the business, Agile teams, and related stakeholders.
    • Engagement plans for Agile team members based on a standardized adoption model to access the ACEs service offerings.
    • A suite of Agile metrics to measure effectiveness of Agile teams, the ACE itself, and its ability to deliver positive outcomes.
    • A communications plan to help create cross-functional transparency over pending changes as Agile spreads.
    • A communications deck to communicate Agile goals, actions, and outcomes to key stakeholders to ensure long-term viability of the CoE.

    Research contributors and experts

    Paul Blaney, Technology Delivery Executive, Thought Leader and passionate Agile Advocate

    Paul has been an Agile practitioner since the manifesto emerged some 20 years ago, applying and refining his views through real life experience at several organizations from startups to large enterprises. He has recently completed the successful build out of the inaugural Agile Delivery Centre of Excellence at TD bank in Toronto.

    John Munro, President Scrum Masters Inc.

    John Munro is the President of Scrum Masters Inc., a software optimization professional services firm using Agile, Scrum, and Lean to help North American firms “up skill” their software delivery people and processes. Scrum Masters’ unique, highly collaborative “Master Mind” consulting model leverages Agile/Lean experts on a biweekly basis to solve clients’ technical and process challenges.

    Doug Birgfeld, Senior Partner Agile Wave

    Doug has been a leader in building great teams, Agile project management, and business process innovation for over 20 years. As Senior Partner and Chief Evangelist at Agile Wave, his mission is to educate and to learn from all those who care about effective government delivery, nationally.

    Related Info-Tech research

    Implement Agile Practices That Work

    Agile is a cultural shift. Don't just do Agile, be Agile.

    Enable Organization-Wide Collaboration by Scaling Agile

    Execute a disciplined approach to rolling out Agile methods in the organization.

    Improve Application Development Throughput

    Drive down your delivery time by eliminating development inefficiencies and bottlenecks while maintaining high quality.

    Implement DevOps Practices That Work

    Accelerate software deployment through Dev and Ops collaboration.

    Related Info-Tech research (continued)

    Maximize the Benefits from Enterprise Applications with a Center of Excellence

    Optimize your organization’s enterprise application capabilities with a refined and scalable methodology.

    Drive Efficiency and Agility with a Fit-for-Purpose Quality Management Program

    Be proactive; it costs exponentially more to fix a problem the longer it goes unnoticed.

    Optimize the Change Management Process

    Right-size your change management process.

    Improve Requirements Gathering

    Back to basics: great products are built on great requirements.

    Bibliography

    Ambler, Scott. “Agile Requirements Change Management.” Agile Modeling. Scott Amber + Associates, 2014. Web. 12 Apr. 2016.

    Ambler, Scott. “Center of Excellence (CoEs).” Disciplined Agile 2.0: A Process Decision Framework for Enterprise I.T. Scott Amber + Associates. Web. 01 Apr. 2016.

    Ambler, Scott. “Transforming From Traditional to Disciplined Agile Delivery.” Case Study: Disciplined Agile Delivery Adoption. Scott Amber + Associates, 2013. Web.

    Beers, Rick. “IT – Business Alignment Why We Stumble and the Path Forward.” Oracle Corporation, July 2013. Web.

    Cornelius & Associates. “The Qualities of Leadership: Leading Change.” Cornelius & Associates, n.d. Web.

    Craig, William et al. “Generalized Criteria and Evaluation Method for Center of Excellence: A Preliminary Report.” Carnegie Mellon University Research Showcase @ CMU – Software Engineering Institute. Dec. 2009. Web. 20 Apr. 2016.

    Forsgren, Dr. Nicole et al (2019), Accelerate: State of DevOps 2019, Google, https://services.google.com/fh/files/misc/state-of-devops-2019.pdf

    Gerardi, Bart (2017), Agile Centers of Excellence, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/405819/Agile-Centers-of-Excellence

    Gerardi, Bart (2017), Champions of Agile Adoption, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/418151/Champions-of-Agile-Adoption

    Gerardi, Bart (2017), The Roles of an Agile COE, PMI Projectmanagement.com, https://www.projectmanagement.com/articles/413346/The-Roles-of-an-Agile-COE

    Hohl, P. et al. “Back to the future: origins and directions of the ‘Agile Manifesto’ – views of the originators.” Journal of Software Engineering Research and Development, vol. 6, no. 15, 2018. https://link.springer.com/article/10.1186/s40411-0...

    Kaltenecker, Sigi and Hundermark, Peter. “What Are Self-Organising Teams?” InfoQ. 18 July 2014. Web. 14 Apr. 2016.

    Kniberg, Henrik and Anderson Ivarsson. “Scaling Agile @ Spotify with Tribes, Squads, Chapters & Guilds.” Oct. 2012. Web. 30 Apr. 2016.

    Kumar, Alok et al. “Enterprise Agile Adoption: Challenges and Considerations.” Scrum Alliance. 30 Oct. 2014. Web. 30 May 2016.

    Levison, Mark. “Questioning Servant Leadership.” InfoQ, 4 Sept. 2008. Web. https://www.infoq.com/news/2008/09/servant_leadership/

    Linders, Ben. “Don't Copy the Spotify Model.” InfoQ.com. 6 Oct. 2016.

    Loxton, Matthew (June 1, 2011), CoP vs CoE – What’s the difference, and Why Should You Care?, Wordpress.com

    McDowell, Robert, and Bill Simon. In Search of Business Value: Ensuring a Return on Your Technology Investment. SelectBooks, 2010

    Novak, Cathy. “Case Study: Agile Government and the State of Maine.” Agile Government Leadership, n.d. Web.

    Pal, Nirmal and Daniel Pantaleo. “Services are the Language and Building Blocks of an Agile Enterprise.” The Agile Enterprise: Reinventing your Organization for Success in an On-Demand World. 6 Dec. 2015. Springer Science & Business Media.

    Rigby, Darrell K. et al (2018), Agile at Scale, Harvard Business Review, https://hbr.org/2018/05/agile-at-scale

    Scaledagileframework.com, Create a Lean-Agile Center of Excellence, Scaled Agile, Inc, https://www.scaledagileframework.com/lace/

    Shepley, Joe. “8 reasons COEs fail (Part 2).” Agile Ramblings, 22 Feb. 2010. https://joeshepley.com/2010/02/22/8-reasons-coes-fail-part-2/

    Stafford, Jan. “How upper management misconceptions foster Agile failures.” TechTarget. Web. 07 Mar. 2016.

    Taulli, Tom (2020), RPA Center Of Excellence (CoE): What You Need To Know For Success, Forbes.com, https://www.forbes.com/sites/tomtaulli/2020/01/25/rpa-center-of-excellence-coe-what-you-need-to-know-for-success/#24364620287a

    Telang, Mukta. “The CMMI Agile Adoption Model.” ScrumAlliance. 29 May 2015. Web. 15 Apr. 2016.

    VersionOne. “13th Annual State of Agile Report.” VersionOne. 2019. Web.

    Vembar, Navin. “Case Study: Agile Government and the General Services Administration (Integrated Award Environment).” Agile Government Leadership, n.d. Web.

    Wenger, E., R. A. McDermott, et al. (2002), Cultivating communities of practice: A guide to managing knowledge, Harvard Business Press.

    Wenger, E., White, N., Smith, J.D. Digital Habitats; Stewarding Technology for Communities. Cpsquare (2009).

    Train Managers to Strengthen Employee Relationships to Improve Engagement

    • Buy Link or Shortcode: {j2store}545|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Engage
    • Parent Category Link: /engage
    • The responsibility of employee engagement has been on the shoulders of HR and the executive team for years, but managers, not HR or executives, should be primarily responsible for employee engagement.
    • Managers often fail to take steps to improve due to the following reasons:
      • They don’t understand the impact they can have on engagement.
      • They don’t understand the value of an engaged workforce.
      • They don’t feel that they are responsible for engagement.
      • They don’t know what steps they can personally take to improve engagement levels.

    Our Advice

    Critical Insight

    • Managers have a large impact on employee engagement and retention. According to McLean & Company’s engagement data, every 10% increase in the category “my manager inspires me to improve” resulted in a 3.6% increase in an employee’s intent to stay.
    • To improve the manager relationship driver, managers cannot abdicate the responsibility of strengthening relationships with employees to HR – they must take the ownership role.

    Impact and Result

    • When an organization focuses on strengthening manager relationships with employees, managers should be the owner and IT leadership should be the facilitator.
    • Info-Tech recommends starting with the three most important actions to improve employee trust and therefore engagement: inform employees of the why behind decisions, interact with them on a personal level, and involve them in decisions that affect them (also known as the “3 I’s”).
    • Use this blueprint to prepare to train managers on how to apply the 3 I principles and improve the score on this engagement driver.

    Train Managers to Strengthen Employee Relationships to Improve Engagement Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Make the case

    Educate managers on the impact they have on engagement.

    • Train Managers to Strengthen Employee Relationships to Improve Engagement Storyboard

    2. Prepare for the training session by understanding key concepts

    Learn the 3 I’s of engagement and understand IT leaders as role models for engagement.

    • Training Deck: Train Managers to Build Trusting Relationships to Improve Engagement

    3. Plan the training session and customize the materials

    Determine the logistics of the training session: the who, what, and where.

    • Participant Notebook: Take Ownership of Manager Relationships

    4. Track training success metrics and follow up

    Determine ways to track the impact the training has on employee engagement.

    • Training Evaluation: Manager Relationships
    [infographic]

    Workshop: Train Managers to Strengthen Employee Relationships to Improve Engagement

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Make the Case for Strengthening Manager Relationships

    The Purpose

    Educate managers on the impact they have on engagement and the relationship between employee trust and engagement.

    Identify reasons why managers fail to positively impact employee engagement.

    Inform managers of their responsibility for employee engagement.

    Key Benefits Achieved

    Increased awareness of managers regarding their impact on employee engagement.

    Improved understanding of manager role.

    Creation of plan to increase employee trust and engagement.

    Activities

    1.1 Describe relationship between trust and engagement.

    1.2 Review data on manager’s impact on engagement.

    Outputs

    Gain an understanding of the 3 I’s of building trust.

    Address key objections managers might have.

    2 Prepare for the Training Session by Understanding Key Concepts and Your Role as HR

    The Purpose

    Understand key concepts for engagement, such as inform, interact, and involve.

    Use McLean & Company’s advice to get past pain points with managers.

    Key Benefits Achieved

    Understand the key principles and activities in the manager training deck.

    Gain advice for dealing with pushback from managers.

    Learn about actions that you can take to adopt the 3 I’s principle and act as a role model.

    Activities

    2.1 Practice manager training exercises on informing, interacting with, and involving employees.

    Outputs

    Become familiar with and prepared to take managers through key training exercises.

    3 Plan the Training Session and Customize the Materials

    The Purpose

    Determine who will participate in the manager training session.

    Become familiar with the content in the training deck and ensure the provided examples are appropriate.

    Key Benefits Achieved

    Logistics planned for your own training session.

    Your own case made more powerful by adding your engagement data to the training deck slides.

    Improved delivery of training, making it more effective and engaging for participants.

    Activities

    3.1 Consider your audience for delivering the training.

    3.2 Plan out logistics for the training session—the who, where, and when.

    Outputs

    Ensure that your training sessions include the appropriate participants.

    Deliver a smooth and successful training session.

    4 Track Training Success Metrics and Follow Up

    The Purpose

    Determine ways to track the impact the training has on employee engagement.

    Understand how to apply the 3 I’s principle across HR functions. 

    Key Benefits Achieved

    Measure the value of engagement training.

    Gain immediate feedback on employee engagement with the McLean Leadership Index.

    Determine how HR can support managers in building stronger relationships with employees.

    Activities

    4.1 Determine how HR can support management in strengthening employee relationships.

    Outputs

    Create a culture of trust throughout the organization.

    Reinforce End-User Security Awareness During Your COVID-19 Response

    • Buy Link or Shortcode: {j2store}311|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Endpoint Security
    • Parent Category Link: /endpoint-security

    Without the control over the areas in which employees are working, businesses are opening themselves up to a greater degree of risk during the pandemic. How does a business raise awareness for employees who are going to be working remotely?

    Our Advice

    Critical Insight

    • An expanding remote workforce requires training efforts to evolve to include the unique security threats that face remote end users.
    • By presenting security as a personal and individualized issue, you can make this new personal focus a driver for your organizational security awareness and training program.

    Impact and Result

    • Teach remote end users how to recognize current cyberattacks before they fall victim and turn them into active barriers against cyberattacks.
    • Use Info-Tech’s blueprint and materials to build a customized training program that uses best practices.

    Reinforce End-User Security Awareness During Your COVID-19 Response Research & Tools

    Start here

    COVID-19 is forcing many businesses to expand their remote working capabilities further than before. Using this blueprint, see how to augment your existing training or start from scratch during a remote work situation.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Reinforce End-User Security Awareness During Your COVID-19 Response Storyboard
    • Security Awareness and Training Program Development Tool
    • Security Awareness and Training Metrics Tool
    • End-User Security Knowledge Test Template

    1. Training Materials

    Use Info-Tech’s training materials to get you started on remote training and awareness.

    • Training Materials – Phishing
    • Training Materials – Incident Response
    • Training Materials – Cyber Attacks
    • Training Materials – Web Usage
    • Training Materials – Physical Computer Security
    • Training Materials – Mobile Security
    • Training Materials – Passwords
    • Training Materials – Social Engineering
    • Security Training Email Templates
    [infographic]

    Bring Visibility to Your Day-to-Day Projects

    • Buy Link or Shortcode: {j2store}444|cart{/j2store}
    • member rating overall impact (scale of 10): 9.8/10 Overall Impact
    • member rating average dollars saved: $9,649 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • As an IT leader, you are responsible for getting new things done while keeping the old things running. These “new things” can come in many forms, e.g. service requests, incidents, and officially sanctioned PMO projects, as well as a category of “unofficial” projects that have been initiated through other channels.
    • These unofficial projects get called many things by different organizations (e.g. level 0 projects,BAU projects, non-PMO projects, day-to-day projects), but they all have the similar characteristics: they are smaller and less complex than larger projects or officially sanctioned projects; they are larger and more risky than operational tasks or incidents; and they are focused on the needs of a specific functional unit and tend to stay within those units to get done.
    • Because these day-to-day projects are small, emergent, team-specific, operationally vital, yet generally perceived as being strategically unimportant, top-level leadership has a limited understanding of them when they are approving and prioritizing major projects. As a result, they approve projects with no insight into how your team’s capacity is already stretched thin by existing demands.

    Our Advice

    Critical Insight

    • Senior leadership cannot contrast the priority of things that are undocumented. As an IT leader, you need to ensure day-to-day projects receive the appropriate amount of documentation without drowning your team in a process that the types of project don’t warrant.
    • Don’t bleed your project capacity dry by leaving the back door open. When executive oversight took over the strategic portfolio, we assumed they’d resource those projects as a priority. Instead, they focused on “alignment,” “strategic vision,” and “go to market” while failing to secure and defend the resource capacity needed. To focus on the big stuff, you need to sweat the small stuff.

    Impact and Result

    • Develop a method to consistently identify and triage day-to-day projects across functional teams in a standard and repeatable way.
    • Establish a way to balance and prioritize the operational necessity of day-to-day projects against the strategic value of major projects.
    • Build a repeatable process to document and report where the time goes across all given pockets of demand your team faces.

    Bring Visibility to Your Day-to-Day Projects Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should put more portfolio management structure around your day-to-day projects, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Uncover your organization’s hidden pockets of day-to-day projects

    Define an organizational standard for identifying day-to-day projects and triaging them in relation to other categories of projects.

    • Bring Visibility to Your Day-to-Day Projects – Phase 1: Uncover Your Organization’s Hidden Pockets of Day-to-Day Projects
    • Day-to-Day Project Definition Tool
    • Day-to-Day Project Supply/Demand Calculator

    2. Establish ongoing day-to-day project visibility

    Build a process for maintaining reliable day-to-day project supply and demand data.

    • Bring Visibility to Your Day-to-Day Projects – Phase 2: Establish Ongoing Day-to-Day Project Visibility
    • Day-to-Day Project Process Document
    • Day-to-Day Project Intake and Prioritization Tool
    [infographic]

    Workshop: Bring Visibility to Your Day-to-Day Projects

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Analyze the Current State of Day-to-Day Projects

    The Purpose

    Assess the current state of project portfolio management and establish a realistic target state for the management of day-to-day projects.

    Key Benefits Achieved

    Realistic and well-informed workshop goals.

    Activities

    1.1 Begin with introductions and workshop expectations activity.

    1.2 Perform PPM SWOT analysis.

    1.3 Assess pain points and analyze root causes.

    Outputs

    Realistic workshop goals and expectations

    PPM SWOT analysis

    Root cause analysis

    2 Establish Portfolio Baselines for Day-to-Day Projects

    The Purpose

    Establish a standard set of baselines for day-to-day projects that will help them to be identified and managed in the same way across different functional teams.

    Key Benefits Achieved

    Standardization of project definitions and project value assessments across different functional teams.

    Activities

    2.1 Formalize the definition of a day-to-day project and establish project levels.

    2.2 Develop a project value scorecard for day-to-day projects.

    2.3 Analyze the capacity footprint of day-to-day projects.

    Outputs

    Project identification matrix

    Project value scorecard

    A capacity overview to inform baselines

    3 Build a Target State Process for Day-to-Day Projects

    The Purpose

    Establish a target state process for tracking and monitoring day-to-day projects at the portfolio level.

    Key Benefits Achieved

    Standardization of how day-to-day projects are managed and reported on across different functional teams.

    Activities

    3.1 Map current state workflows for the intake and resource management practices (small and large projects).

    3.2 Perform a right-wrong-missing-confusing analysis.

    3.3 Draft a target state process for the initiation of day-to-day projects and for capacity planning.

    Outputs

    Current state workflows

    Right-wrong-missing-confusing analysis

    Target state workflows

    4 Prepare to Implement Your New Processes

    The Purpose

    Start to plan the implementation of your new processes for the portfolio management of day-to-day projects.

    Key Benefits Achieved

    An implementation plan, complete with communication plans, timelines, and goals.

    Activities

    4.1 Perform a change impact and stakeholder management analysis.

    4.2 Perform a start-stop-continue activity.

    4.3 Define an implementation roadmap.

    Outputs

    Change impact and stakeholder analyses

    Start-stop-continue retrospective

    Implementation roadmap

    Build a Continual Improvement Program

    • Buy Link or Shortcode: {j2store}463|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • IT managers must work hard to maintain and improve service quality or risk performance deterioration over time.
    • Leadership may feel lost about what to do next and which initiatives have higher priority for improvement.
    • The backlog of improvement initiatives makes the work even harder. Managers should involve the right people in the process and build a team that is responsible to monitor, measure, prioritize, implement, and test improvements.

    Our Advice

    Critical Insight

    • Without continual improvement, sustained service quality will be temporary. Organizations need to put in place an ongoing process to detect potential services, enhance their procedures, and sustain their performance, whatever the process maturity is.

    Impact and Result

    • Set strategic vision for the continual improvement program.
    • Build a team to set regulations, processes, and audits for the program.
    • Set measurable targets for the program.
    • Identify and prioritize improvement initiatives.
    • Measure and monitor progress to ensure initiatives achieve the desired outcome.
    • Apply lessons learned to the next initiatives.

    Build a Continual Improvement Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Build a Continual Improvement Program – A step-by-step document to walk you through building a plan for efficient IT continual improvement.

    This storyboard will help you craft a continual improvement register and a workflow to ensure sustained service improvements that fulfill ongoing increases in stakeholder expectations.

    • Build a Continual Improvement Program Storyboard

    2. Continual Improvement Register and Workflow – Structured documents to help you outline improvement initiatives, prioritize them, and build a dashboard to streamline tracking.

    Use the Continual Improvement Register and Continual Improvement Workflow to help you brainstorm improvement items, get a better visibility into the items, and plan to execute improvements.

    • Continual Improvement Register
    • Continual Improvement Workflow (Visio)
    • Continual Improvement Workflow (PDF)
    [infographic]

    Further reading

    Build a Continual Improvement Program

    Don’t stop with process standardization; plan to continually improve and help those improvements stick.

    Analyst Perspective

    Go beyond standardizing basics

    IT managers often learn how to standardize IT services. Where they usually fail is in keeping these improvements sustainable. It’s one thing to build a quality process, but it’s another challenge entirely to keep momentum and know what to do next.

    To fill the gap, build a continual improvement plan to continuously increase value for stakeholders. This plan will help connect services, products, and practices with changing business needs.

    Without a continual improvement plan, managers may find themselves lost and wonder what’s next. This will lead to misalignment between ongoing and increasingly high stakeholder expectations and your ability to fulfill these requirements.

    Build a continual improvement program to engage executives, leaders, and subject matter experts (SMEs) to go beyond break fixes, enable proactive enhancements, and sustain process changes.

    Photo of Mahmoud Ramin, Ph.D., Senior Research Analyst, Infrastructure and Operations, Info-Tech Research Group. Mahmoud Ramin, Ph.D.
    Senior Research Analyst
    Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Even high-quality services and products need to be aligned with rising stakeholder expectations to sustain operational excellence.
    • Without the right leadership, commitment, and processes, improvements in service quality can be difficult to sustain.
    • Continual improvement is not only a development plan but also an organizational culture shift, which makes stakeholder buy-in even challenging.

    Common Obstacles

    • IT managers must work hard to maintain and improve service quality or risk performance deterioration over time.
    • Leadership feels lost about what to do next and which initiatives have higher priority for improvement.
    • A backlog of improvement initiatives makes the work even harder. Managers should involve the right people in the process and build a team that is responsible for monitoring, measuring, prioritizing, implementing, and testing improvements.

    Info-Tech’s Approach

    • Set a strategic vision for the continual improvement program.
    • Build a team to set regulations, processes, and audits for the program.
    • Set measurable targets for the program.
    • Identify and prioritize improvement initiatives.
    • Measure and monitor progress to ensure initiatives achieve the desired outcome.
    • Apply lessons learned to the next initiatives.

    Info-Tech Insight

    Without continual improvement, any process maturity achieved around service quality will not be sustained. Organizations need to put in place an ongoing program to maintain their current maturity and continue to grow and improve by identifying new services and enhancing existing processes.

    Purpose of continual improvement

    There should be alignment between ongoing improvements of business products and services and management of these products and services. Continual improvement helps service providers adapt to changing environments. No matter how critical the service is to the business, failure to continually improve reduces the service value.

    Image of a notebook with an illustration titled 'Continuous Improvement'.

    Continual improvement is one of the five elements of ITIL’s Service Value System (SVS).

    Continual improvement should be documented in an improvement register to record and manage improvement initiatives.

    Continual improvement is a proactive approach to service management. It involves measuring the effectiveness and efficiency of people, processes, and technology to:

    • Identify areas for improvement.
    • Adapt to changes in the business environment.
    • Align the IT strategy to organizational goals.

    A continual improvement process helps service management move away from a reactive approach that focuses only on fixing problems as they occur.

    Info-Tech Insight

    Make sure the basics are in place before you embark on a continual improvement initiative.

    Benefits of embedding a cross-organizational continual improvement approach

    Icon of a computer screen. Encourage end users to provide feedback on service quality. Icon of a crossed pencil and wrench.

    Provide an opportunity to stakeholders to define requirements and raise their concerns.

    Icon of a storefront.

    Embed continual improvement in all service delivery procedures.

    Icon of chevrons moving backward.

    Turn failures into improvement opportunities rather than contributing to a blame culture.

    Icon of a telescope.

    Improve practice effectiveness that enhances IT efficiency.

    Icon of a thumbs up in a speech bubble.

    Improve end-user satisfaction that positively impacts brand reputation.

    Icon of shopping bags.

    Improve operational costs while maintaining a high level of satisfaction.

    Icon of a magnifying glass over a map marker.

    Help the business become more proactive by identifying and improving services.

    Info-Tech Insight

    It’s the responsibility of the organization’s leaders to develop and promote a continual improvement culture. Work with the business unit leads and communicate the benefits of continual improvement to get their buy-in for the practice and achieve the long-term impact.

    Build a feedback program to get input into where improvement initiatives are needed

    A well-maintained continual improvement process creates a proper feedback mechanism for the following stakeholder groups:
    • Users
    • Suppliers
    • Service delivery team members
    • Service owners
    • Sponsors
    An efficient feedback mechanism should be constructed around the following initiatives:
    Target with an arrow in the bullseye. The arrow has four flags: 'Perceived value by users', 'Service effectiveness', 'Service governance', and 'Service demand'.
    Stakeholders who participate in feedback activities should feel comfortable providing suggestions for improvement.

    Work closely with the service desk team to build communication channels to conduct surveys. Avoid formal bureaucratic communications and enforce openness in communicating the value of feedback the stakeholders can provide.

    Info-Tech Insight

    When conducting feedback activities with users, keep surveys anonymous and ensure users’ information is kept confidential. Make sure everyone else is comfortable providing feedback in a constructive way so that you can seek clarification and create a feedback loop.

    Implement an iterative continual improvement model and ensure that your services align with your organizational vision

    Build a six-step process for your continual improvement plan. Make it a loop, in which each step becomes an input for the next step. A cycle around a dartboard with numbered steps: '01 Determine your goals', '02 Define the process team', '03 Determine initiatives', '04 Prioritize initiatives', '05 Execute improvement', '06 Establish a learning culture'.

    1. Determine your goals

    A vision statement communicates your desired future state of the IT organization.

    Your IT goals should always support your organizational goals. IT goals are high-level objectives that the IT organization needs to achieve to reach a target state.
    A cycle of the bolded statements on the right surrounding a dartboard with two bullseyes.

    Understand the high-level business objectives to set the vision for continual improvement in a way that will align IT strategies with business strategies.

    Obtaining a clear picture of your organization’s goals and overall corporate strategy is one of the crucial first steps to continual improvement and will set the stage for the metrics you select. Document your continual improvement program goals and objectives.

    Knowing what your business is doing and understanding the impact of IT on the business will help you ensure that any metrics you collect will be business focused.

    Understanding the long-term vision of the business and its appetite for commitment and sponsorship will also inform your IT strategy and continual improvement goals.

    Assess the future state

    At this stage, you need to visualize improvement, considering your critical success factors.

    Critical success factors (CSFs) are higher-level goals or requirements for success, such as improving end-user satisfaction. They’re factors that must be met in order to reach your IT and business strategic vision.

    Select key performance indicators (KPIs) that will identify useful information for the initiative: Define KPIs for each CSF. These will usually involve a trend, as an increase or decrease in something. If KPIs already exist for your IT processes, re-evaluate them to assess their relevance to current strategy and redefine if necessary. Selected KPIs should provide a full picture of the health of targeted practice.

    KPIs should cover these four vectors of practice performance:

    1. Quantity
      How many continual improvement initiatives are in progress
    2. Quality
      How well you implemented improvements
    3. Timeliness
      How long it took to get continual improvement initiatives done
    4. Compliance
      How well processes and controls are being executed, such as system availability
    Cross-section of a head split into sections with icons in the middle sections.

    Examples of key CSFs and KPIs for continual improvement

    CSF

    KPI

    Adopt and maintain an effective approach for continual improvement Improve stakeholder satisfaction due to implementation of improvement initiatives.
    Enhance stakeholder awareness about continual improvement plan and initiatives.
    Increase continual improvement adoption across the organization.
    Commit to effective continual improvement across the business Improve the return on investment.
    Increase the impact of the improvement initiatives on process maturity.
    Increase the rate of successful improvement initiatives.

    Prepare a vision statement to communicate the improvement strategy

    IT Implications + Business Context –› IT Goals
    • IT implications are derived from the business context and inform goals by aligning the IT goals with the business context.
    • Business context encompasses an understanding of the factors impacting the business from various perspectives, how the business makes decisions, and what it is trying to achieve.
    • IT goals are high-level, specific objectives that the IT organization needs to achieve to reach the target state. IT goals begin a process of framing what IT as an organization needs to be able to do in the target state.

    IT goals will help identify the target state, IT capabilities, and the initiatives that will need to be implemented to enable those capabilities.

    The vision statement is expressed in the present tense. It seeks to articulate the desired role of IT and how IT will be perceived.

    Strong IT vision statements have the following characteristics:
    Arrow pointing right. Describe a desired future
    Arrow pointing right. Focus on ends, not means
    Arrow pointing right. Communicate promise
    Arrow pointing right. Work as an elevator pitch:
    • Concise; no unnecessary words
    • Compelling
    • Achievable
    • Inspirational
    • Memorable

    2. Define the process team

    The structure of each continual improvement team depends on resource availability and competency levels.

    Make sure to allocate continual improvement activities to the available resources and assess the requirement to bring in others to fulfill all tasks.

    Brainstorm what steps should be included in a continual improvement program:

    • Who is responsible for identifying, logging, and prioritizing improvement opportunities?
    • Who makes the business case for improvement initiatives?
    • Who is the owner of the register, responsible for documenting initiatives and updating their status?
    • Who executes implementation?
    • Who evaluates implementation success?
    Match stakeholder skill sets with available resources to ensure continual improvement processes are handled properly. Brainstorm skills specific to the program:
    • Knowledge of provided products and services.
    • Good understanding of organization’s goals and objectives.
    • Efficiency in collecting and measuring metrics, understanding company standards and policies, and presenting them to impacted stakeholders.
    • Competency in strategic thinking and aligning the organization’s goals with improvement initiatives.

    Enable the continual improvement program by clarifying responsibilities

    Determine roles and responsibilities to ensure accountability

    The continual improvement activities will only be successful if specific roles and responsibilities are clearly identified.

    Depending on available staff and resources, you may be able to have full-time continual improvement roles, or you may include continual improvement activities in individuals’ job descriptions.

    Each improvement action that you identify should have clear ownership and accountability to ensure that it is completed within the specified timeframe.

    Roles and responsibilities can be reassigned throughout the continual improvement process.

    Info-Tech Insight

    Create cross-functional teams to improve perspective and not focus on only one small group when trying to problem solve. Having other teams hear and reframe the issue or talk about how they can help to solve issues as a team can create bigger solutions that will help the entire IT team, not just one group.

    Consider assigning dedicated continual improvement roles

    Silhouette of a business person.
    CI Coordinator

    Continual improvement coordinators are responsible for moving projects to the implementation phase and monitoring all continual improvement roles.

    Silhouette of a business person.
    Business Owner

    Business owners are accountable for business governance, compliance, and ROI analysis. They are responsible for operational and monetary aspects of the business.

    Silhouette of a business person.
    IT Owner

    IT owners are responsible for developing the action plan and ensuring success of the initiatives. They are usually the subject matter experts, focusing on technical aspects.

    3. Determine improvement initiatives

    Businesses usually make the mistake of focusing too much on making existing processes better while missing gaps in their practices.

    Gather stakeholder feedback to help you evaluate the maturity levels of IT practices Sample of the End User Satisfaction Survey.

    You need to understand the current state of service operations to understand how you can provide value through continual improvement. Give everyone an opportunity to provide feedback on IT services.

    Use Info-Tech’s End User Satisfaction Survey to define the state of your core IT services.

    Info-Tech Insight

    Become proactive to improve satisfaction. Continual improvement is not only about identifying pain points and improving them. It enables you to proactively identify initiatives for further service improvement using both practice functionality and technology enablement.

    Understand the current state of your IT practices

    Determine the maturity level of your IT areas to help you understand which processes need improvement. Involve the practice team in maturity assessment activities to get ideas and input from them. This will also help you get their buy-in and engagement for improvement.

    Leverage performance metrics to analyze performance level. Metrics play a key role in understanding what needs improvement. After you implement metrics, have an impact report regularly generated to monitor them.

    Use problem management to identify root causes for the identified gaps. Potential sources of problems can be:

    • Recurring issues that may be an indicator of an underlying problem.
    • Business processes or service issues that are not IT related, such as inefficient business process or service design issues.

    Establish an improvement roadmap and execute initiatives

    Build a continual improvement register (CIR) for your target initiatives

    A CIR is a document used for recording your action plan from the beginning to the end of the improvement project.

    If you just sit and plan for improvements without acting on them, nothing will improve. CIR helps you create an action plan and allows you to manage, track, and prioritize improvement suggestions.

    Consider tracking the following information in your CIR, adjusted to meet the needs of your organization:

    Information

    Description

    Business value impact Identify approved themes or goals that each initiative should apply to. These can and should change over time based on changing business needs.
    Effort/cost Identify the expected effort or cost the improvement initiative will require.
    Priority How urgent is the improvement? Categorize based on effort, cost, and risk levels.
    Status Ensure each initiative has a status assigned that reflects its current state.
    Timeline List the timeframe to start the improvement initiative based on the priority level.
    CI functional groups Customize the functional groups in your CI program

    Populate your register with ideas that come from your first round of assessments and use this document to continually add and track new ideas as they emerge.

    You can also consider using the register to track the outcomes and benefits of improvement initiatives after they have been completed.

    Activity: Use the Continual Improvement Register template to brainstorm responsibilities, generate improvement initiatives, and action plan

    1-3 hours
    1. Open the Continual Improvement Register template and navigate to tab 2, Setup.
    2. Brainstorm your definitions for the following items to get a clear understanding of these items when completing the CIR. The more quantification you apply to the criteria, the more tangible evaluation you will do:
      • Business value impact categories
      • Effort/cost
      • Priority
      • Status
      • Timeline
    3. Discuss the teams that the upcoming initiatives will belong to and update them under CI Functional Groups.
    1. Analyze the assessment data collected throughout stakeholder feedback and your current-state evaluation.
    2. Use this data to generate a list of initiatives that should be undertaken to improve the performance of the targeted processes.
    3. Use sticky notes to record identified CI initiatives.
    4. Record each initiative in tab 3, CI Register, along with associated information:
      • A unique ID number for the initiative
      • The individual who submitted the idea
      • The team the initiative belongs to
      • A description of the initiative

    Download the Continual Improvement Register template

    Activity: Use the Continual Improvement Register template to brainstorm responsibilities, generate improvement initiatives, and action plan

    Input

    • List of key stakeholders for continual improvement
    • Current state of services and processes

    Output

    • Continual improvement register setup
    • List of initiatives for continual improvement

    Materials

    • Continual improvement register
    • Whiteboard/flip charts
    • Markers
    • Laptops

    Participant

    • CIO
    • IT managers
    • Project managers
    • Continual improvement manager/coordinator

    4. Prioritize initiatives

    Prioritization should be transparent and available to stakeholders.

    Some initiatives are more critical than others to achieve and should be prioritized accordingly. Some improvements require large investments and need an equally large effort, while some are relatively low-cost, low-effort improvements. Focus on low-hanging fruit and prioritize low-cost, low-effort improvements to help the organization with rapid growth. This will also help you get stakeholder buy-in for the rest of your continual improvement program.

    Prioritize improvement initiatives in your CIR to increase visibility and ensure larger improvement initiatives are done the next cycle. As one improvement cycle ends, the next cycle begins, which allows the continual improvement team to keep pace with changing business requirements.

    Stock image of a person on a ladder leaning against a bookshelf.

    Identify “quick wins” that can provide immediate improvement

    Prioritize these quick wins to immediately demonstrate the success of the continual service improvement effort to the business.

    01

    Keep the scope of the continual improvement process manageable at the beginning by focusing on a few key areas that you want to improve.
    • If you have identified pain points, addressing these will demonstrate the value of the project to the business to gain their support.
    • Choose the services or processes that continue to disrupt or threaten service – focus on where pain points are evident and where there is a need for improvement.
    • Critical services to improve should emerge from the current-state assessments.

    02

    From your list of proposed improvements, focus on a few of the top pain points and plan to address those.

    03

    Choose the right services to improve at the first stage of continual improvement to ensure that the continual improvement process delivers value to the business.

    Activity: Prioritize improvement initiatives

    2-3 hours

    Input: List of initiatives for continual improvement

    Output: Prioritized list of initiatives

    Materials: Continual improvement register, Whiteboard/flip charts, Markers, Laptops

    Participants: CIO, IT managers, Project managers, Continual improvement manager

    1. In the CI Register tab of the Continual Improvement Register template, define the status, priority, effort/cost, and timeline according to the definition of each in the data entry tab.
    2. Review improvement initiatives from the previous activity.
    3. Record the CI coordinator, business owner, and IT owner for each initiative.
    4. Fill out submission date to track when the initiative was added to the register.
    5. According to the updated items, you will get a dashboard of items based on their categories, effort, priority, status, and timeline. You will also get a visibility into the total number of improvement initiatives.
    6. Focus on the short-term initiatives that are higher priority and require less effort.
    7. Refer to the Continual Improvement Workflow template and update the steps.

    Download the Continual Improvement Register template

    Download the Continual Improvement Workflow template

    5. Execute improvement

    Develop a plan for improvement

    Determine how you want to reach your improvement objectives. Define how to make processes work better.
    Icons representing steps. Descriptions below.
    Make a business case for your action plan Determine budget for implementing the improvement and move to execution. Find out how long it takes to build the improvement in the practice. Confirm the resources and skill sets you require for the improvement. Communicate the improvement plan across the business for better visibility and for seamless organizational change management, if needed. Lean into incremental improvements to ensure practice quality is sustained, not temporary. Put in place an ongoing process to audit, enhance, and sustain the performance of the target practice.

    Create a specific action plan to guide your improvement activities

    As part of the continual improvement plan, identify specific actions to be completed, along with ownership for each action.

    The continual improvement process must:

    • Define activities to be completed.
    • Create roles and assign ownership to complete activities.
    • Provide training and awareness about the initiative.
    • Define inputs and outputs.
    • Include reporting.

    For each action, identify:

    • The problem.
    • Who will be responsible and accountable.
    • Metric(s) for assessment.
    • Baseline and target metrics.
    • Action to be taken to achieve improvement (training, new templates, etc.).

    Choose timelines:

    • Firm timelines are important to keep the project on track.
    • One to two months for an initiative is an ideal length of time to maintain interest and enthusiasm for the specific project and achieve a result.

    Info-Tech Insight

    Every organization is unique in terms of its services, processes, strengths, weaknesses, and needs, as well as the expectations of its end users. There is no single action plan that will work for everyone. The improvement plan will vary from organization to organization, but the key elements of the plan (i.e. specific priorities, timelines, targets, and responsibilities) should always be in place.

    Build a communication plan to ensure the implementation of continual improvement stakeholder buy-in

    1. Throughout the improvement process, share information about both the status of the project and the impact of the improvement initiatives.
    Icon of a group of people. Encourage a collaborative environment across all members of the practice team.
    Icon of an ascending graph. Motivate every individual to continue moving upward and taking ownership over their roles.
    Icon of overlapping speech bubbles. Communication among team members ensures that everyone is on the same page working together toward a common goal.
    Icon of a handshake. The most important thing is to get the support of your team. Unless you have their support, you won’t be able to deliver any of the solutions you draw up.
    2. The end users should be kept in the loop so they can feel that their contribution is valued.
    Icon of an arrow pointing right. When improvements happen and only a small group of people are involved in the results and action plan, misconceptions will arise.
    Icon of a thumbs up in a speech bubble. If communication is lacking, end users will provide less feedback on the practice improvements.
    Icon of a cone made of stacked layers. For end users to feel their concerns are being considered, you must communicate the findings in a way that conveys the impact of their contribution.

    Info-Tech Insight

    To be effective, continual improvement requires open and honest feedback from IT staff. Debriefings work well for capturing information about lessons learned. Break down the debriefings into smaller, individual activities completed within each phase of the project to better capture the large amount of data and lessons learned within that phase.

    Measure the success of your improvement program

    Continual improvement is everybody’s job within the organization.

    Determine how improvements impacted stakeholders. Build a relationship pyramid to analyze how improvements impacted external users and narrow down to the internal users, implementing team, and leaders.
    1. How did we make improvements with our partners and suppliers? –› Look into your contracts and measure the SLAs and commitments.
    2. How could improvement initiatives impact the organization? –› Involve everybody to provide feedback. Rerun the end-user satisfaction survey and compare with the baseline that you obtained before improvement implementation.
    3. How does the improvement team feel about the whole process? –› What were the lessons learned, and can the team apply the lessons in the next improvement initiatives?
    4. How did the leaders manage and lead improvements? –› Were they able to provide proper vision to guide the improvement team through the process?
    A relationship pyramid with the initial questions on the left starting from '1' at the bottom to '4' at the 2nd highest level.

    Measure changes in selected metrics to evaluate success

    Measuring and reporting are key components in the improvement process.

    Adjust improvement priority based on updated objectives. Justify the reason. Refer to your CIR to document it.

    Did you get there?

    Part of the measurement should include a review of CSFs and KPIs determined in step 1 (assess the future state). Some may need to be replaced.

    • After an improvement has been implemented, it is important to regularly monitor and evaluate the CSFs and KPIs you chose and run reports to evaluate whether the implemented improvement has actually resolved the service/process issues or helped you achieve your objectives.
    • Establish a schedule for regularly reviewing key metrics that were identified in Step 1 and assessing change in those metrics and progress toward reaching objectives.
    • In addition to reviewing CSFs, KPIs, and metrics, check in with the IT organization and end users to measure their perceptions of the change once an appropriate amount of time has passed.
    • Ensure that metrics are telling the whole story and that reporting is honest in order to be informative.
    Outcomes of the continual improvement process should include:
    • Improved efficiency, effectiveness, and quality of processes and services.
    • Processes and services more aligned with the business needs and strategy.
    • Maturity of processes and services.

    For a guideline to determine a list of metrics, refer to Info-Tech’s blueprints:

    Info-Tech Insight

    Make sure you’re measuring the right things and considering all sources of information. Don’t rely on a single or very few metrics. Instead, consider a group of metrics to help you get a better holistic view of improvement initiatives and their impact on IT operations.

    6. Establish a learning culture and apply it to other practices

    Reflect on lessons learned to drive change forward

    What did you learn?
    Icon of a checklist and pencil. Ultimately, continual improvement is an ongoing educational program.
    Icon of a brain with a lighting bolt.
    Icon of a wrench in a speech bubble. By teaching your team how to learn better and identify sources of new knowledge that can be applied going forward, you maximize the efficacy of your team and improvement plan effort.
    What obstacles prevented you from reaching your target condition?
    Icon of a map marker. If you did not reach your target goals, reflect as a team on what obstacles prevented you from reaching that target.
    Icon of a wrench in a gear. Focus on the obstacles that are preventing your team from reaching the target state.
    Icon of a sun behind clouds. As obstacles are removed, new ones will appear, and old ones will disappear.

    Compare expectations versus reality

    Compare the EC (expected change) to the AC (actual change)
    Arrow pointing down.
    Arrow pointing left and down labelled 'Small'. Evaluate the differences: how large is the difference from what you expected? Arrow pointing right and down labelled 'Large'.
    Things are on track and the issue could have simply been an issue with timing of the improvement. More reflection is needed. Perhaps it is a gap in understanding the goal or a poor execution of the action plan.

    Info-Tech Insight

    Regardless of the cause, large differences between the EC and the AC provide great learning opportunities about how to approach change in the future.

    A cycle around a dartboard with numbered steps: '01 Determine your goals', '02 Define the process team', '03 Determine initiatives', '04 Prioritize initiatives', '05 Execute improvement', '06 Establish a learning culture'.

    Think long-term to sustain changes

    The continual improvement process is ongoing. When one improvement cycle ends, the next should begin in order to continually measure and evaluate processes.

    The goal of any framework is steady and continual improvement over time that resets the baseline to the current (and hopefully improved) level at the end of each cycle.

    Have processes in place to ensure that the improvements made will remain in place after the change is implemented. Each completed cycle is just another step toward your target state.
    Icon of a group of people. Ensure that there is a continual commitment from management.
    Icon of a bar chart. Regularly monitor metrics as well as stakeholder feedback after the initial improvement period has ended. Use this information to plan the next improvement.
    Icon of gears. Continual improvement is a combination of attitudes, behavior, and culture.

    Related Info-Tech Research

    Sample of 'Build a Business-Aligned IT Strategy'. Build a Business-Aligned IT Strategy

    Success depends on IT initiatives clearly aligned to business goals, IT excellence, and driving technology innovation.

    Sample of 'Develop Meaningful Service Metrics'. Develop Meaningful Service Metrics

    Reinforce service orientation in your IT organization by ensuring your IT metrics generate value-driven resource behavior.

    Sample of 'Common Challenges to incident management success'. Improve Incident and Problem Management

    Rise above firefighter mode with structured incident management to enable effective problem management.

    Works Cited

    “Continual Improvement ITIL4 Practice Guide.” AXELOS, 2020. Accessed August 2022.

    “5 Tips for Adopting ITIL 4’s Continual Improvement Management Practice.” SysAid, 2021. Accessed August 2022.

    Jacob Gillingham. “ITIL Continual Service Improvement And 7-Step Improvement Process” Invensis Global Learning Services, 2022. Accessed August 2022.

    Enterprise Network Design Considerations

    • Buy Link or Shortcode: {j2store}502|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Network Management
    • Parent Category Link: /network-management

    Security, risk, and trust models play into how networks are designed and deployed. If these models are not considered during network design, band-aids and workarounds will be deployed to achieve the needed goals, potentially bypassing network controls.

    Our Advice

    Critical Insight

    The cloud “gold rush” has made it attractive for many enterprises to migrate services off the traditional network and into the cloud. These services are now outside of the traditional network and associated controls. This shifts the split of east-west vs. north-south traffic patterns, as well as extending the network to encompass services outside of enterprise IT’s locus of control.

    Impact and Result

    Where users access enterprise data or services and from which devices dictate the connectivity needed. With the increasing shift of work that the business is completing remotely, not all devices and data paths will be under the control of IT. This shift does not allow IT to abdicate from the responsibility to provide a secure network.

    Enterprise Network Design Considerations Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Enterprise Network Design Considerations Deck – A brief deck that outlines key trusts and archetypes when considering enterprise network designs.

    This blueprint will help you:

    • Enterprise Network Design Considerations Storyboard

    2. Enterprise Network Roadmap Technology Assessment Tool – Build an infrastructure assessment in an hour.

    Dispense with detailed analysis and customizations to present a quick snapshot of the road ahead.

    • Enterprise Network Roadmap Technology Assessment Tool
    [infographic]

    Further reading

    Enterprise Network Design Considerations

    It is not just about connectivity.

    Executive Summary

    Info-Tech Insight

    Connectivity and security are tightly coupled

    Security, risk, and trust models play into how networks are designed and deployed. If these models are not considered during network design, band-aids and workarounds will be deployed to achieve the needed goals, potentially bypassing network controls.

    Many services are no longer within the network

    The cloud “gold rush” has made it attractive for many enterprises to migrate services off the traditional network and into the cloud. These services are now outside of the traditional network and associated controls. This shifts the split of east-west vs. north-south traffic patterns, as well as extending the network to encompass services outside of enterprise IT’s locus of control.

    Users are demanding an anywhere, any device access model

    Where users access enterprise data or services and from which devices dictate the connectivity needed. With the increasing shift of work that the business is completing remotely, not all devices and data paths will be under the control of IT. This shift does not allow IT to abdicate from the responsibility to provide a secure network.

    Enterprise networks are changing

    The new network reality

    The enterprise network of 2020 and beyond is changing:

    • Services are becoming more distributed.
    • The number of services provided “off network” is growing.
    • Users are more often remote.
    • Security threats are rapidly escalating.

    The above statements are all accurate for enterprise networks, though each potentially to differing levels depending on the business being supported by the network. Depending on how affected the network in question currently is and will be in the near future, there are different common network archetypes that are best able to address these concerns while delivering business value at an appropriate price point.

    High-Level Design Considerations

    1. Understand Business Needs
    2. Understand what the business needs are and where users and resources are located.

    3. Define Your Trust Model
    4. Trust is a spectrum and tied tightly to security.

    5. Align With an Archetype
    6. How will the network be deployed?

    7. Understand Available Tooling
    8. What tools are in the market to help achieve design principles?

    Understand business needs

    Mission

    Never ignore the basics. Start with revisiting the mission and vision of the business to address relevant needs.

    Users

    Identify where users will be accessing services from. Remote vs. “on net” is a design consideration now more than ever.

    Resources

    Identify required resources and their locations, on net vs. cloud.

    Controls

    Identify required controls in order to define control points and solutions.

    Define a trust model

    Trust is a spectrum

    • There is a spectrum of trust, from fully trusted to not trusted at all. Each organization must decide for their network (or each area thereof) the appropriate level of trust to assign.
    • The ease of network design and deployment is directly proportional to the trust spectrum.
    • When resources and users are outside of direct IT control, the level of appropriate trust should be examined closely.

    Implicit

    Trust everything within the network. Security is perimeter based and designed to stop external actors from entering the large trusted zone.

    Controlled

    Multiple zones of trust within the network. Segmentation is a standard practice to separate areas of higher and lower trust.

    Zero

    Verify trust. The network is set up to recognize and support the principle of least privilege where only required access is supported.

    Align with an archetype

    Archetypes are a good guide

    • Using a defined archetype as a guiding principle in network design can help clarify appropriate tools or network structures.
    • Different aspects of a network can have different archetypes where appropriate (e.g. IT vs. OT [operational technology] networks).

    Traditional

    Services are provided from within the traditional network boundaries and security is provided at the network edge.

    Hybrid

    Services are provided both externally and from within the traditional network boundaries, and security is primarily at the network edge.

    Inverted

    Services are provided primarily externally, and security is cloud centric.

    Traditional networks

    Resources within network boundaries

    Moat and castle security perimeter

    Abstract

    A traditional network is one in which there are clear boundaries defined by a security perimeter. Trust can be applied within the network boundaries as appropriate, and traffic is generally routed through internally deployed control points that may be centralized. Traditional networks commonly include large firewalls and other “big iron” security and control devices.

    Network Design Tenets

    • The full network path from resource to user is designed, deployed, and controlled by IT.
    • Users external to the network must first connect to the network to gain access to resources.
    • Security, risk, and trust controls will be implemented by internal enterprise hardware/software devices.

    Control

    In the traditional network, it is assumed that all required control points can be adequately deployed across hardware/software that is “on prem” and under the control of central IT.

    Info-Tech Insight

    With increased cloud services provided to end users, this network is now more commonly used in data centers or OT networks.

    Traditional networks

    The image contains an example of what traditional networks look like, as described in the text below.

    Defining Characteristics

    • Traffic flows in a defined path under the control of IT to and from central IT resources.
    • Due to visibility into, and the control of, the traffic between the end user and resources, IT can relatively simply implement the required security controls on owned hardware.

    Common Components

    • Traditional offices
    • Remote users/road warriors
    • Private data center/colocation space

    Hybrid networks

    Resources internal and external to network

    Network security perimeter combined with cloud protection

    Abstract

    A hybrid network is one that combines elements of a traditional network with cloud resources. As some of these resources are not fully under the control of IT and may be completely “offnet” or loosely coupled to the on-premises network, the security boundaries and control points are less likely to be centralized. Hybrid networks allow the flexibility and speed of cloud deployment without leaving behind traditional network constructs. This generally makes them expensive to secure and maintain.

    Network Design Tenets

    • The network path from resource to user may not be in IT’s locus of control.
    • Users external to the network must first connect to the network to gain access to internal resources but may directly access publicly hosted ones.
    • Security, risk, and trust controls may potentially be implemented by a mixture of internal enterprise hardware/software devices and external control points.

    Control

    The hallmark of a hybrid network is the blending of public and private resources. This blending tends to necessitate both public and private points of control that may not be homogenous.

    Info-Tech Insight

    With multiple control points to address, take care in simplifying designs while addressing all concerns to ease operational load.

    Hybrid networks

    The image contains an example of what hybrid networks look like, as described in the text below.

    Defining Characteristics

    • Traffic flows to central resources across a defined path under the control of IT.
    • Traffic to cloud assets may be partially under the control of IT.
    • For central resources, the traffic to and from the end user can have the required security controls relatively simply implemented on owned hardware.
    • For public cloud assets, IT may or may not have some control over part of the path.

    Common Components

    • Traditional offices
    • Remote users/road warriors
    • Private data center/colocation space
    • Public cloud assets (IaaS/PaaS/SaaS)

    Inverted perimeter

    Resources primarily external to the network

    Security control points are cloud centric

    Abstract

    An inverted perimeter network is one in which security and control points cover the entire workflow, on or off net, from the consumer of services through to the services themselves with zero trust. Since the control plane is designed to encompass the workflow in a secure manner, much of the underlying connectivity can be abstracted. In an extreme version of this deployment, IT would abstract end-user access, and any cloud-based or on-premises resources would be securely published through the control plane with context-aware precision access.

    Network Design Tenets

    • The network path from resource to user is abstracted and controlled by IT through services like secure access service edge (SASE).
    • Users only need internet access and appropriate credentials to gain access to resources.
    • Security, risk, and trust controls will be implemented through external cloud based services.

    Control

    An inverted network abstracts the lower-layer connectivity away and focuses on implementing a cloud-based zero trust control plane.

    Info-Tech Insight

    This model is extremely attractive for organizations that consume primarily cloud services and have a large remote work force.

    Inverted networks

    The image contains an example of what inverted networks look like, as described in the text below.

    Defining Characteristics

    • The end user does not have to be in a defined location.
    • All central resources that are to be accessed are hosted on cloud resources.
    • IT has little to no control of the path between the end user and central resources.

    Common Components

    • Traditional offices
    • Regent offices/shared workspaces
    • Remote users/road warriors
    • Public cloud assets (IaaS/PaaS/SaaS)

    Understand available tooling

    Don’t buy a hammer and go looking for nails

    • A network archetype must be defined in order to understand what tools (hardware or software) are appropriate for consideration in a network build or refresh.
    • Tools are purpose built and generally designed to solve specific problems if implemented and operated correctly. Choose the tools to align with the challenges that you are solving as opposed to choosing tools and then trying to use those purchases to overcome challenges.
    • The purchase of a tool does not allow for abdication of proper design. Tools must be chosen appropriately and integrated properly to orchestrate the best solutions. Purchasing a tool and expecting the tool to solve all your issues rarely succeeds.

    “It is essential to have good tools, but it is also essential that the tools should be used in the right way.” — Wallace D. Wattles

    Software-defined WAN (SD-WAN)

    Simplified branch office connectivity

    Archetype Value: Traditional Networks

    What It Is Not

    SD-WAN is generally not a way to slash spending by lowering WAN circuit costs. Though it is traditionally deployed across lower cost access, to minimize risk and realize the most benefits from the platform many organizations install multiple circuits with greater bandwidths at each endpoint when replacing the more costly traditional circuits. Though this maximizes the value of the technology investment, it will result in the end cost being similar to the traditional cost plus or minus a small percentage.

    What It Is

    SD-WAN is a subset of software-defined networking (SDN) designed specifically to deploy a secure, centrally managed, connectivity agnostic, overlay network connecting multiple office locations. This technology can be used to replace, work in concert with, or augment more traditional costly connectivity such as MPLS or private point to point (PtP) circuits. In addition to the secure overlay, SD-WAN usually also enables policy-based, intelligent controls, based on traffic and circuit intelligence.

    Why Use It

    You have multiple endpoint locations connected by expensive lower bandwidth traditional circuits. Your target is to increase visibility and control while controlling costs if and where possible. Ease of centralized management and the ability to more rapidly turn up new locations are attractive.

    Cloud access security broker (CASB)

    Inline policy enforcement placed between users and cloud services

    Archetype Value: Hybrid Networks

    What It Is Not

    CASBs do not provide network protection; they are designed to provide compliance and enforcement of rules. Though CASBs are designed to give visibility and control into cloud traffic, they have limits to the data that they generally ingest and utilize. A CASB does not gather or report on cloud usage details, licencing information, financial costing, or whether the cloud resource usage is aligned with the deployment purpose.

    What It Is

    A CASB is designed to establish security controls beyond a company’s environment. It is commonly deployed to augment traditional solutions to extend visibility and control into the cloud. To protect assets in the cloud, CASBs are designed to provide central policy control and apply services primarily in the areas of visibility, data security, threat protection, and compliance.

    Why Use It

    You a mixture of on-premises and cloud assets. In moving assets out to the cloud, you have lost the traditional controls that were implemented in the data center. You now need to have visibility and apply controls to the usage of these cloud assets.

    Secure access service edge (SASE)

    Convergence of security and service access in the cloud

    Archetype Value: Inverted Networks

    What It Is Not

    Though the service will consist of many service offerings, SASE is not multiple services strung together. To present the value proposed by this platform, all functionality proposed must be provided by a single platform under a “single pane of glass.” SASE is not a mature and well-established service. The market is still solidifying, and the full-service definition remains somewhat fluid.

    What It Is

    SASE exists at the intersection of network-as-a-service and network-security-as-a-service. It is a superset of many network and security cloud offerings such as CASB, secure web gateway, SD-WAN, and WAN optimization. Any services offered by a SASE provider will be cloud hosted, presented in a single stack, and controlled through a single pane of glass.

    Why Use It

    Your network is inverting, and services are provided primarily as cloud assets. In a full realization of this deployment’s value, you would abstract how and where users gain initial network access yet remain in control of the communications and data flow.

    Activity

    Understand your enterprise network options

    Activity: Network assessment in an hour

    • Learn about the Enterprise Network Roadmap Technology Assessment Tool
    • Complete the Enterprise Network Roadmap Technology Assessment Tool

    This activity involves the following participants:

    • IT strategic direction decision makers.
    • IT managers responsible for network.
    • Organizations evaluating platforms for mission critical applications.

    Outcomes of this step:

    • Completed Enterprise Network Roadmap Technology Assessment Tool

    Info-Tech Insight

    Review your design options with security and compliance in mind. Infrastructure is no longer a standalone entity and now tightly integrates with software-defined networks and security solutions.

    Build an assessment in an hour

    Learn about the Enterprise Network Roadmap Technology Assessment Tool.

    This workbook provides a high-level analysis of a technology’s readiness for adoption based on your organization’s needs.

    • The workbook then places the technology on a graph that measures both the readiness and fit for your organization. In addition, it provides warnings for specific issues and lets you know if you have considerable uncertainty in your answers.
    • At a glance you can now communicate what you are doing to help the company:
      • Grow
      • Save money
      • Reduce risk
    • Regardless of your specific audience, these are important stories to be able to tell.
    The image contains three screenshots from the Enterprise Network Roadmap Technology Assessment Tool.

    Build an assessment in an hour

    Complete the Enterprise Network Roadmap Technology Assessment Tool.

    Dispense with detailed analysis and customizations to present a quick snapshot of the road ahead.

    1. Weightings: Adjust the Weighting tab to meet organizational needs. The provided weightings for the overall solution areas are based on a generic firm; individual firms will have different needs.
    2. Data Entry: For each category, answer the questions for the technology you are considering. When you have completed the questionnaire, go to the next tab for the results.
    3. Results: The Enterprise Network Roadmap Technology Assessment Tool provides a value versus readiness assessment of your chosen technology customized to your organization.

    The image contains three screenshots from the Enterprise Network Roadmap Technology Assessment Tool. It has a screenshot for each step as described in the text above.

    Related Info-Tech Research

    Effectively Acquire Infrastructure Services

    Acquiring a service is like buying an experience. Don’t confuse the simplicity of buying hardware with buying an experience.

    Outsource IT Infrastructure to Improve System Availability, Reliability, and Recovery

    There are very few IT infrastructure components you should be housing internally – outsource everything else.

    Build Your Infrastructure Roadmap

    Move beyond alignment: Put yourself in the driver’s seat for true business value.

    Drive Successful Sourcing Outcomes With a Robust RFP Process

    Leverage your vendor sourcing process to get better results.

    Research Authors

    The image contains a photo of Scott Young.

    Scott Young, Principal Research Advisor, Info-Tech Research Group

    Scott Young is a Director of Infrastructure Research at Info-Tech Research Group. Scott has worked in the technology field for over 17 years, with a strong focus on telecommunications and enterprise infrastructure architecture. He brings extensive practical experience in these areas of specialization, including IP networks, server hardware and OS, storage, and virtualization.

    The image contains a photo of Troy Cheeseman.

    Troy Cheeseman, Practice Lead, Info-Tech Research Group

    Troy has over 24 years of experience and has championed large enterprise-wide technology transformation programs, remote/home office collaboration and remote work strategies, BCP, IT DRP, IT operations and expense management programs, international right placement initiatives, and large technology transformation initiatives (M&A). Additionally, he has deep experience working with IT solution providers and technology (cloud) startups.

    Bibliography

    Ahlgren, Bengt. “Design considerations for a network of information.” ACM Digital Library, 21 Dec. 2008.

    Cox Business. “Digital transformation is here. Is your business ready to upgrade your mobile work equation?” BizJournals, 1 April 2022. Accessed April 2022.

    Elmore, Ed. “Benefits of integrating security and networking with SASE.” Tech Radar, 1 April 2022. Web.

    Greenfield, Dave. “From SD-WAN to SASE: How the WAN Evolution is Progressing.” Cato Networks, 19 May 2020. Web

    Korolov, Maria. “What is SASE? A cloud service that marries SD-WAN with security.” Network World, 7 Sept. 2020. Web.

    Korzeniowski, Paul, “CASB tools evolve to meet broader set of cloud security needs.” TechTarget, 26 July 2019. Accessed March 2022.

    Prevent Data Loss Across Cloud and Hybrid Environments

    • Buy Link or Shortcode: {j2store}377|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Organizations are often beholden to compliance obligations that require protection of sensitive data.
    • All stages of the data lifecycle exist in the cloud and all stages provide opportunity for data loss.
    • Organizations must find ways to mitigate insider threats without impacting legitimate business access.

    Our Advice

    Critical Insight

    • Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate, tools within your existing security program.
    • The journey to data loss prevention is complex and should be taken in small and manageable steps.

    Impact and Result

    • Organizations will achieve data comprehension.
    • Organizations will align DLP with their current security program and architecture.
    • A DLP strategy will be implemented with a distinct goal in mind.

    Prevent Data Loss Across Cloud and Hybrid Environments Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Prevent Data Loss Across Cloud and Hybrid Environments Storyboard – A guide to handling data loss prevention in cloud services.

    This research describes an approach to strategize and implement DLP solutions for cloud services.

    • Prevent Data Loss Across Cloud and Hybrid Environments Storyboard

    2. Data Loss Prevention Strategy Planner – A workbook designed to guide you through identifying and prioritizing your data and planning what DLP actions should be applied to protect that data.

    Use this tool to identify and prioritize your data, then use that information to make decisions on DLP strategies based on classification and data environment.

    • Data Loss Prevention Strategy Planner
    [infographic]

    Further reading

    Prevent Data Loss Across Cloud and Hybrid Environments

    Leverage existing tools and focus on the data that matters most to your organization.

    Analyst Perspective

    Data loss prevention is an additional layer of protection

    Driven by reduced operational costs and improved agility, the migration to cloud services continues to grow at a steady rate. A recent report by Palo Alto Networks indicates workload in the cloud increased by 13% last year, and companies are expecting to move an additional 11% of their workload to the cloud in the next 24 months1.

    However, moving to the cloud poses unique challenges for cyber security practitioners. Cloud services do not offer the same level of management and control over resources as traditional IT approaches. The result can be reduced visibility of data in cloud services and reduced ability to apply controls to that data, particularly data loss prevention (DLP) controls.

    It’s not unusual for organizations to approach DLP as a point solution. Many DLP solutions are marketed as such. The truth is, DLP is a complex program that uses many different parts of an organization’s security program and architecture. To successfully implement DLP for data in the cloud, an organization should leverage existing security controls and integrate DLP tools, whether newly acquired or available in cloud services, with its existing security program.

    Photo of Bob Wilson
    Bob Wilson
    CISSP
    Research Director, Security and Privacy
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Organizations must prevent the misuse and leakage of data, especially sensitive data, regardless of where it’s stored.

    Organizations often have compliance obligations requiring protection of sensitive data.

    All stages of the data lifecycle exist in the cloud and all stages provide opportunity for data loss.

    Organizations must find ways to mitigate insider threats without impacting legitimate business access.

    Common Obstacles

    Many organizations must handle a plethora of data in multiple varied environments.

    Organizations don’t know enough about the data they use or where it is located.

    Different systems offer differing visibility.

    Necessary privileges and access can be abused.

    Info-Tech’s Approach

    The path to data loss prevention is complex and should be taken in small and manageable steps.

    First, organizations must achieve data comprehension.

    Organizations must align DLP with their current security program and architecture.

    Organizations need to implement DLP with a distinct goal in mind.

    Once the components are in place it’s important to measure and improve.

    Info-Tech Insight

    Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate, tools within your existing security program.

    Your challenge

    Protecting data is a critical responsibility for organizations, no matter where it is located.

    45% of breaches occurred in the cloud (“Cost of a Data Breach 2022,” IBM Security, 2022).

    A diagram that shows the mean time to detect and contain.

    It can take upwards of 12 weeks to identify and contain a breach (“Cost of a Data Breach 2022,” IBM Security, 2022).

    • Compliance obligations will require organizations to protect certain data.
    • All data states can exist in the cloud, and each state provides a unique opportunity for data loss.
    • Insider threats, whether intentional or not, are especially challenging for organizations. It’s necessary to prevent illicit data use while still allowing work to happen.

    Info-Tech Insight

    Data loss prevention doesn’t depend on a single tool. Many of the leading cloud service providers offer DLP controls with their services and these controls should be considered.

    Common obstacles

    As organizations increasingly move data into the cloud, their environments become more complex and vulnerable to insider threats

    • It’s not uncommon for an organization not to know what data they use, where that data exists, or how they are supposed to protect it.
    • Cloud systems, especially software as a service (SaaS) applications, may not provide much visibility into how that data is stored or protected.
    • Insider threats are a primary concern, but employees must be able to access data to perform their duties. It isn’t always easy to strike a balance between adequate access and being too restrictive with controls.

    Insider threats are a significant concern

    53%

    53% of a study’s respondents think it is more difficult to detect insider threats in the cloud.

    Source: "2023 Insider Threat Report," Cybersecurity Insiders, 2023

    45%

    Only about 45% of organizations think native cloud app functionality is useful in detecting insider threats.

    Source: "2023 Insider Threat Report," Cybersecurity Insiders, 2023

    Info-Tech Insight

    An insider threat management (ITM) program focuses on the user. DLP programs focus on the data.

    Insight summary

    DLP is not just a single tool. It’s an additional layer of security that depends on different components of your security program, and it requires time and effort to mature.

    Organizations should leverage existing security architecture with the DLP controls available in the cloud services they use.

    Data loss prevention is not a point solution

    Data loss prevention is the outcome of a well-designed strategy that incorporates multiple, sometimes disparate tools within your existing security program.

    Prioritize data

    Start with the data that matters most to your organization.

    Define an objective

    Having a clearly defined objective will make implementing a DLP program much easier.

    DLP is a layer

    Data loss prevention is not foundational, and it depends on many other parts of a mature information security program.

    The low hanging fruit is sweet

    Start your DLP implementation with a quick win in mind and build on small successes.

    DLP is a work multiplier

    Your organization must be prepared to investigate alerts and respond to incidents.

    Prevent data loss across cloud or hybrid environments

    A diagram that shows preventing data loss across cloud or hybrid environments

    Data loss prevention is not a point solution.
    It’s the outcome of a well-designed strategy that incorporates multiple, sometimes disparate tools within your existing security program.

    Info-Tech Insight

    Leverage existing security tools where possible.

    Data loss prevention (DLP) overview

    DLP is an additional layer of security.

    DLP is a set of technologies and processes that provides additional data protection by identifying, monitoring, and preventing data from being illicitly used or transmitted.

    DLP depends on many components of a mature security program, including but not limited to:

    • Acceptable use policy
    • Data classification policy and data handling guidelines
    • Identity and access management

    DLP is achieved through some or all of the following tactics:

    • Identify: Data is detected using policies, rules, and patterns.
    • Monitor: Data is flagged and data activity is logged.
    • Prevent: Action is taken on data once it has been detected.

    Info-Tech Insight

    DLP is not foundational. Your information security program needs to be moderately mature to support a DLP strategy.

    DLP approaches and methods

    DLP uses a handful of techniques to achieve its tactics:

    • Policy and access rights: Limits access to data based on user permissions or other contextual attributes.
    • Isolation or virtualization: Data is isolated in an environment with channels for data leakage made unavailable.
    • Cryptographic approach: Data is encrypted.
    • Quantifying and limiting: Use or transfer of data is restricted by quantity.
    • Social and behavioral analysis: The DLP system detects anomalous activity, such as users accessing data outside of business hours.
    • Pattern matching: Data content is analyzed for specific patterns.
    • Data mining and text clustering: Large sets are analyzed, typically with machine learning (ML), to identify patterns.
    • Data fingerprinting: Data files are matched against a pre-calculated hash or based on file contents.
    • Statistical Analysis: Data content is analyzed for sensitive data. Usually involves machine learning.


    DLP has two primary approaches for applying techniques:

    • Content-based: Data is identified through inspecting its content. Fingerprinting and pattern matching are examples of content-based methods.
    • Context-based: Data is identified based on its situational or contextual attributes. Some factors that may be used are source, destination, and format.

    Some DLP tools use both approaches.

    Info-Tech Insight

    Different DLP products will support different methods. It is important to keep these in mind when choosing a DLP solution.

    Start by defining your data

    Define data by answering the 5 “W”s

    Who? Who owns the data? Who needs access? Who would be impacted if it was lost?
    What? What data do you have? What type of data is it? In what format does it exist?
    When? When is the data generated? When is it used? When is it destroyed?
    Where? Where is the data stored? Where is it generated? Where is it used?
    Why? Why is the data needed?

    Use what you discover about your data to create a data inventory!

    Compliance requirements

    Compliance requirements often dictate what must be done to manage and protect data and vary from industry to industry.

    Some examples of compliance requirements to consider:

    • Healthcare - Health Insurance Portability and Accountability Act (HIPAA)
    • Financial Services - Gramm-Leach-Bliley Act (GLBA)
    • Payment Card Industry Data Security Standards (PCI DSS)

    Info-Tech Insight

    Why is especially important. If you don’t need a specific piece of data, dispose of it to reduce risk and administrative overhead related to maintaining or protecting data.

    Classify your data

    Data classification facilitates making decisions about how data is treated.

    Data classification is a process by which data is categorized.

    • The classifications are often based on the sensitivity of the data or the impact a loss or breach of that data would have on the organization.
    • Data classification facilitates decisions about data handling and how information security controls are implemented. Instead of considering many different types of data individually, decisions are based on a handful of classification levels.
    • A mature data classification should include a formalized policy, handling standards, and a steering committee.

    Refer to our Discover and Classify Your Data blueprint for guidance on data classification.

    Sample data classification schema

    Label

    Category

    Top Secret Data that is mission critical and highly likely to negatively impact the organization if breached. The “crown jewels.”
    Examples: Trade secrets, military secrets
    Confidential Data that must not be disclosed, either because of a contractual or regulatory requirement or because of its value to the organization.
    Examples: Payment card data, private health information, personally identifiable information, passwords
    Internal Data that is intended for organizational use, which should be kept private.
    Examples: Internal memos, sales reports
    Limited Data that isn’t generally intended for public consumption but may be made public.
    Examples: Employee handbooks, internal policies
    Public Data that is meant for public consumption and anonymous access.
    Examples: Press releases, job listings, marketing material

    Info-Tech Insight

    Data classification should be implemented as a continuous program, not a one-time project.

    Understand data risk

    Knowing where and how your data is at risk will inform your DLP strategy.

    Data exists in three states, and each state presents different opportunities for risk. Different DLP methodologies will be appropriate for different states.

    Data states

    In use

    • End-user devices
    • Mobile devices
    • Servers

    In motion

    • Cloud services
    • Email
    • Web/web apps
    • Instant messaging
    • File transfers

    At rest

    • Cloud services
    • Databases
    • End-user devices
    • Email archives
    • Backups
    • Servers
    • Physical storage devices

    Causes of Risk

    The most common causes of data loss can be categorized by people, processes, and technology.

    A diagram that shows the categorization of causes of risk.

    Check out our Combine Security Risk Management Components Into One Program blueprint for guidance on risk management, including how to do a full risk assessment.

    Prioritize your data

    Know what data matters most to your organization.

    Prioritizing the data that most needs protection will help define your DLP goals.

    The prioritization of your data should be a business decision based on your comprehension of the data. Drivers for prioritizing data can include:

    • Compliance-driven: Noncompliance is a risk in itself and your organization may choose to prioritize data based on meeting compliance requirements.
    • Audit-driven: Data can be prioritized to prepare for a specific audit objective or in response to an audit finding.
    • Business-driven: Data could be prioritized based on how important it is to the organization’s business processes.

    Info-Tech Insight

    It’s not feasible for most organizations to apply DLP to all their data. Start with the most important data.

    Activity: Prioritize your data

    Input: Lists of data, data types, and data environments
    Output: A list of data types with an estimated priority
    Materials: Data Loss Prevention Strategy Planner worksheet
    Participants: Security leader, Data owners

    1-2 hours

    For this activity, you will use the Data Loss Prevention Strategy Planner workbook to prioritize your data.

    1. Start with tab “2. Setup” and fill in the columns. Each column features a short explanation of itself, and the following slides will provide more detail about the columns.
    2. On tab “3. Data Prioritization,” work through the rows by selecting a data type and moving left to right. This sheet features a set of instructions at the top explaining each column, and the following slides also provide some guidance. On this tab, you may use data types and data environments multiple times.

    Click to download the Data Loss Prevention Strategy Planner

    Activity: Prioritize your data

    In the Data Loss Prevention Strategy Planner tool, start with tab “2. Setup.”

    A diagram that shows tab 2 setup

    Next, move to tab “3. Data Prioritization.”

    A diagram that shows tab 3 Data Prioritization.

    Click to download the Data Loss Prevention Strategy Planner

    Determine DLP objectives

    Your DLP strategy should be able to function as a business case.

    DLP objectives should achieve one or more of the following:

    • Prevent disclosure or unauthorized use of data, regardless of its state.
    • Preserve usability while providing adequate security.
    • Improve security, privacy, and compliance capabilities.
    • Reduce overall risk for the enterprise.

    Example objectives:

    • Prevent users from emailing ePHI to addresses outside of the organization.
    • Detect when a user is uploading an unusually large amount of data to a cloud drive.

    Most common DLP use cases:

    • Protection of data, primarily from internal threats.
    • Meet compliance requirements to protect data.
    • Automate the discovery and classification of data.
    • Provide better data management and visibility across the enterprise.
    • Manage and protect data on mobile devices.

    Info-Tech Insight

    Having a clear idea of your objectives will make implementing a DLP program easier.

    Align DLP with your existing security program/architecture

    DLP depends on many different aspects of your security program.
    To the right are some components of your existing security program that will support DLP.


    1. Data handling standards or guidelines: These specify how your organization will handle data, usually based on its classification. Your data handling standards will inform the development of DLP rules, and your employees will have a clear idea of data handling expectations.

    2. Identity and access management (IAM): IAM will control the access users have to various resources and data and is integral to DLP processes.

    3. Incident response policy or plan: Be sure to consider your existing incident handling processes when implementing DLP. Modifying your incident response processes to accommodate alerts from DLP tools will help you efficiently process and respond to incidents.

    4. Existing security tools: Firewalls, email gateways, security information and event management (SIEM), and other controls should be considered or leveraged when implementing a DLP solution.

    5. Acceptable use policy: An organization must set expectations for acceptable/unacceptable use of data and IT resources.

    6. User education and awareness: Aside from baseline security awareness training, organizations should educate users about policies and communicate the risks of data leakage to reduce risk caused by user error.

    Info-Tech Insight

    Consider DLP as a secondary layer of protection; a safety net. Your existing security program should do most of the work to prevent data misuse.

    Cloud service models

    A fundamental challenge with implementing DLP with cloud services is the reduced flexibility that comes with managing less of the technology stack. Each cloud model offers varying levels of abstraction and control to the user.

    Infrastructure as a service (IaaS): This service model provides customers with virtualized technology resources, such as servers and networking infrastructure. IaaS allows users to have complete control over their virtualized infrastructure without needing to purchase and maintain hardware resources or server space. Popular examples include Amazon Web Servers, Google Cloud Engine, and Microsoft Azure.

    Platform as a service (PaaS): This service model provides users with an environment to develop and manage their own applications without needing to manage an underlying infrastructure. Popular examples include Google Cloud Engine, OpenShift, and SAP Cloud.

    Software as a service (SaaS): This service model provides customers with access to software that is hosted and maintained by the cloud provider. SaaS offers the least flexibility and control over the environment. Popular examples include Salesforce, Microsoft Office, and Google Workspace.

    A diagram that shows cloud models, including IaaS, PaaS, and SaaS.

    Info-Tech Insight

    Cloud service providers may include DLP controls and functionality for their environments with the subscription. These tools are usually well suited for DLP functions on that platform.

    Different DLP tools

    DLP products often fall into general categories defined by where those tools provide protection. Some tools fit into more than one category.

    Cloud DLP refers to DLP products that are designed to protect data in cloud environments.

    • Cloud access security broker (CASB): This system, either in-cloud or on-premises, sits between cloud service users and cloud service providers and acts as a point of control to enforce policies on cloud-based resources. CASBs act on data in motion, for the most part, but can detect and act on data at rest through APIs.
    • Existing tools integrated within a service: Many cloud services provide DLP tools to manage data loss in their service.

    Endpoint DLP: This DLP solution runs on an endpoint computing device and is suited to detecting and controlling data at rest on a computer as well as data being uploaded or downloaded. Endpoint DLP would be feasible for IaaS.

    Network DLP: Network DLP, deployed on-premises or as a cloud service, enforces policies on network flows between local infrastructure and the internet.

    • “Email DLP”: Detects and enforces security policies specifically on data in motion as emails.

    A diagram of CASB

    Choosing a DLP solution

    You will also find that some DLP solutions are better suited for some cloud service models than others.


    DLP solution types that are better suited for SaaS: CASB and Integrated Tools

    DLP solution types that are better suited for PaaS: CASB, Integrated Tools, Network DLP

    DLP solution types that are better suited for IaaS: CASB, Integrated Tools, Network DLP, and Endpoint DLP

    Your approach for DLP will vary depending on the data state you’ll be acting on and whether you are trying to detect or prevent.

    A diagram that shows DLP tactics by approach and data state

    Click to download the Data Loss Prevention Strategy Planner
    Check the tab labeled “6. DLP Features Reference” for a list of common DLP features.

    Activity: Plan DLP methods

    Input: Knowledge of data states for data types
    Output: A set of technical DLP policy rules for each data type by environment
    Materials: The same Data Loss Prevention Strategy Planner worksheet from the earlier activity
    Participants: Security leader, Data owners

    1-2 hours

    Continue with the same workbook used in the previous activity.

    1. On tab “4. DLP Methods,” indicate the expected data state the DLP control will act on. Then, select the type of DLP control your organization intends to use for that data type in that data environment.
    2. DLP actions are suggested based on the classification of the data type, but these may be overridden by manually selecting your preferred action.
    3. You will find more detail on this activity on the following slide, and you will find some additional guidance in the instructional text at the top of the worksheet.
    4. Once you have populated the columns on this worksheet, a summary of suggested DLP rules can be found on tab “5. Results.”

    Click to download the Data Loss Prevention Strategy Planner

    Activity: Plan DLP methods

    Use tab “4. DLP Methods” to plan DLP rules and technical policies.

    A diagram that shows tab 4 DLP Methods

    See tab “5. Results” for a summary of your DLP policies.

    A diagram that shows tab 5 Results.

    Click to download the Data Loss Prevention Strategy Planner

    Implement your DLP program

    Take the steps to properly implement your DLP program

    1. It’s important to shift the culture. You will need leadership’s support to implement controls and you’ll need stakeholders’ participation to ensure DLP controls don’t negatively affect business processes.
    2. Integrate DLP tools with your security program. Most cloud service providers, like Amazon, Microsoft, and Google provide DLP controls in their native environment. Many of your other security controls, such as firewalls and mail gateways, can be used to achieve DLP objectives.
    3. DLP is best implemented with a crawl, walk, then run approach. Following change management processes can reduce friction.
    4. Communicating controls to users will also reduce friction.

    A diagram of implementing DLP program

    Info-Tech Insight

    After a DLP program is implemented, alerts will need to be investigated and incidents will need a response. Be prepared for DLP to be a work multiplier!

    Measure and improve

    Metrics of effectiveness

    DLP attempts to tackle the challenge of promptly detecting and responding to an incident.
    To measure the effectiveness of your DLP program, compare the number of events, number of incidents, and mean time to respond to incidents from before and after DLP implementation.

    Metrics that indicate friction

    A high number of false positives and rule exceptions may indicate that the rules are not working well and may be interfering with legitimate use.
    It’s important to address these issues as the frustration felt by employees can undermine the DLP program.

    Tune DLP rules

    Establish a process for routinely using metrics to tune rules.
    This will improve performance and reduce friction.

    Info-Tech Insight

    Aside from performance-based tuning, it’s important to evaluate your DLP program periodically and after major system or business changes to maintain an awareness of your data environment.

    Related Info-Tech Research

    Photo of Discover and Classify Your Data

    Discover and Classify Your Data

    Understand where your data lives and who has access to it. This blueprint will help you develop an appropriate data classification system by conducting interviews with data owners and by incorporating vendor solutions to make the process more manageable and end-user friendly.

    Photo of Identify the Components of Your Cloud Security Architecture

    Identify the Components of Your Cloud Security Architecture

    This blueprint and associated tools are scalable for all types of organizations within various industry sectors. It allows them to know what types of risk they are facing and what security services are strongly recommended to mitigate those risks.

    Photo of Data Loss Prevention on SoftwareReviews

    Data Loss Prevention on SoftwareReviews

    Quickly evaluate top vendors in the category using our comprehensive market report. Compare product features, vendor strengths, user-satisfaction, and more.

    Don’t settle for just any vendor – find the one you can trust. Use the Emotional Footprint report to see which vendors treat their customers right.

    Research Contributors

    Andrew Amaro
    CSO and Founder
    Klavan Physical and Cyber Security Services

    Arshad Momin
    Cyber Security Architect
    Unicom Engineering, Inc.

    James Bishop
    Information Security Officer
    StructureFlow

    Michael Mitchell
    Information Security and Privacy Compliance Manager
    Unicom Engineering, Inc.

    One Anonymous Contributor

    Bibliography

    Alhindi, Hanan, Issa Traore, and Isaac Woungang. "Preventing Data Loss by Harnessing Semantic Similarity and Relevance." jisis.org Journal of Internet Services and Information Security, 31 May 2021. Accessed 2 March 2023. https://jisis.org/wp-content/uploads/2022/11/jisis-2021-vol11-no2-05.pdf

    Cash, Lauryn. "Why Modern DLP is More Important Than Ever." Armorblox, 10 June 2022. Accessed 10 February 2023. https://www.armorblox.com/blog/modern-dlp-use-cases/

    Chavali, Sai. "The Top 4 Use Cases for a Modern Approach to DLP." Proofpoint, 17 June 2021. Accessed 7 February 2023. https://www.proofpoint.com/us/blog/information-protection/top-4-use-cases-modern-approach-dlp

    Crowdstrike. "What is Data Loss Prevention?" Crowdstrike, 27 Sept. 2022. Accessed 6 Feb. 2023. https://www.crowdstrike.com/cybersecurity-101/data-loss-prevention-dlp/

    De Groot, Juliana. "What is Data Loss Prevention (DLP)? Definition, Types, and Tips." Digital Guardian, 8 February 2023. Accessed 9 Feb. 2023. https://digitalguardian.com/blog/what-data-loss-prevention-dlp-definition-data-loss-prevention

    Denise. "Learn More About DLP Key Use Cases." CISO Platform, 28 Nov. 2019. Accessed 10 February 2023. https://www.cisoplatform.com/profiles/blogs/learn-more-about-dlp-key-use-cases

    Google. "Cloud Data Loss Prevention." Google Cloud Google, n.d. Accessed 7 Feb. 2023. https://cloud.google.com/dlp#section-6

    Gurucul. "2023 Insider Threat Report." Cybersecurity Insiders, 13 Jan. 2023. Accessed 23 Feb. 2023. https://gurucul.com/2023-insider-threat-report

    IBM Security. "Cost of a Data Breach 2022." IBM Security, 1 Aug. 2022. Accessed 13 Feb. 2023. https://www.ibm.com/downloads/cas/3R8N1DZJ

    Mell, Peter & Grance, Tim. "The NIST Definition of Cloud Computing." NIST CSRC NIST, Sept. 2011. Accessed 7 Feb. 2023. https://csrc.nist.gov/publications/detail/sp/800-145/final

    Microsoft. "Plan for Data Loss Prevention (DLP)." Microsoft 365 Solutions and Architecture Microsoft, 6 Feb. 2023. Accessed 14 Feb. 2023. https://learn.microsoft.com/en-us/microsoft-365/compliance/dlp-overview-plan-for-dlp

    Nanchengwa, Christopher. "The Four Questions for Successful DLP Implementation." ISACA Journal ISACA, 1 Jan. 2019. Accessed 6 Feb. 2023. https://www.isaca.org/resources/isaca-journal/issues/2019/volume-1/the-four-questions-for-successful-dlp-implementation

    Palo Alto Networks. "The State of Cloud Native Security 2023." Palo Alto Networks, 2 March 2023. Accessed 23 March 2023. https://www.paloaltonetworks.com/content/dam/pan/en_US/assets/pdf/reports/state-of-cloud-native-security-2023.pdf

    Pritha. "Top Six Metrics for your Data Loss Prevention Program." CISO Platform, 27 Nov. 2019. Accessed 10 Feb. 2023. https://www.cisoplatform.com/profiles/blogs/top-6-metrics-for-your-data-loss-prevention-program

    Raghavarapu, Mounika. "Understand DLP Key Use Cases." Cymune, 12 June 2021. Accessed 7 Feb. 2023. https://www.cymune.com/blog-details/DLP-key-use-cases

    Sheela, G. P., & Kumar, N. "Data Leakage Prevention System: A Systematic Report." International Journal of Recent Technology and Engineering BEIESP, 30 Nov. 2019. Accessed 2 March 2023. https://www.ijrte.org/wp-content/uploads/papers/v8i4/D6904118419.pdf

    Sujir, Shiv. "What is Data Loss Prevention? Complete Guide [2022]." Pathlock, 15 Sep. 2022. Accessed 7 February 2023. https://pathlock.com/learn/what-is-data-loss-prevention-complete-guide-2022/

    Wlosinski, Larry G. "Data Loss Prevention - Next Steps." ISACA Journal, 16 Feb. 2018. Accessed 21 Feb. 2023. https://www.isaca.org/resources/isaca-journal/issues/2018/volume-1/data-loss-preventionnext-steps

    Combine Security Risk Management Components Into One Program

    • Buy Link or Shortcode: {j2store}376|cart{/j2store}
    • member rating overall impact (scale of 10): 9.1/10 Overall Impact
    • member rating average dollars saved: $37,798 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: Governance, Risk & Compliance
    • Parent Category Link: /governance-risk-compliance
    • Companies are aware of the need to discuss and assess risk, but many struggle to do so in a systematic and repeatable way.
    • Rarely are security risks analyzed in a consistent manner, let alone in a systematic and repeatable method to determine project risk as well as overall organizational risk exposure.

    Our Advice

    Critical Insight

    • The best security programs are built upon defensible risk management. With an appropriate risk management program in place, you can ensure that security decisions are made strategically instead of based on frameworks and gut feelings. This will optimize any security planning and budgeting.
    • All risks can be quantified. Security, compliance, legal, or other risks can be quantified using our methodology.

    Impact and Result

    • Develop a security risk management program to create a standardized methodology for assessing and managing the risk that information systems face.
    • Build a risk governance structure that makes it clear how security risks can be escalated within the organization and who makes the final decision on certain risks.
    • Use Info-Tech’s risk assessment methodology to quantifiably evaluate the threat severity for any new or existing project or initiative.
    • Tie together all aspects of your risk management program, including your information security risk tolerance level, threat and risk assessments, and mitigation effectiveness models.

    Combine Security Risk Management Components Into One Program Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop and implement a security risk management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish the risk environment

    Lay down the foundations for security risk management, including roles and responsibilities and a defined risk tolerance level.

    • Combine Security Risk Management Components Into One Program – Phase 1: Establish the Risk Environment
    • Security Risk Governance Responsibilities and RACI Template
    • Risk Tolerance Determination Tool
    • Risk Weighting Determination Tool

    2. Conduct threat and risk assessments

    Define frequency and impact rankings then assess the risk of your project.

    • Combine Security Risk Management Components Into One Program – Phase 2: Conduct Threat and Risk Assessments
    • Threat and Risk Assessment Process Template
    • Threat and Risk Assessment Tool

    3. Build the security risk register

    Catalog an inventory of individual risks to create an overall risk profile.

    • Combine Security Risk Management Components Into One Program – Phase 3: Build the Security Risk Register
    • Security Risk Register Tool

    4. Communicate the risk management program

    Communicate the risk-based conclusions and leverage these in security decision making.

    • Combine Security Risk Management Components Into One Program – Phase 4: Communicate the Risk Management Program
    • Security Risk Management Presentation Template
    • Security Risk Management Summary Template
    [infographic]

    Workshop: Combine Security Risk Management Components Into One Program

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Risk Environment

    The Purpose

    Build the foundation needed for a security risk management program.

    Define roles and responsibilities of the risk executive.

    Define an information security risk tolerance level.

    Key Benefits Achieved

    Clearly defined roles and responsibilities.

    Defined risk tolerance level.

    Activities

    1.1 Define the security executive function RACI chart.

    1.2 Assess business context for security risk management.

    1.3 Standardize risk terminology assumptions.

    1.4 Conduct preliminary evaluation of risk scenarios to determine your risk tolerance level.

    1.5 Decide on a custom risk factor weighting.

    1.6 Finalize the risk tolerance level.

    1.7 Begin threat and risk assessment.

    Outputs

    Defined risk executive functions

    Risk governance RACI chart

    Defined quantified risk tolerance and risk factor weightings

    2 Conduct Threat and Risk Assessments

    The Purpose

    Determine when and how to conduct threat and risk assessments (TRAs).

    Complete one or two TRAs, as time permits during the workshop.

    Key Benefits Achieved

    Developed process for how to conduct threat and risk assessments.

    Deep risk analysis for one or two IT projects/initiatives.

    Activities

    2.1 Determine when to initiate a risk assessment.

    2.2 Review appropriate data classification scheme.

    2.3 Identify system elements and perform data discovery.

    2.4 Map data types to the elements.

    2.5 Identify STRIDE threats and assess risk factors.

    2.6 Determine risk actions taking place and assign countermeasures.

    2.7 Calculate mitigated risk severity based on actions.

    2.8 If necessary, revisit risk tolerance.

    2.9 Document threat and risk assessment methodology.

    Outputs

    Define scope of system elements and data within assessment

    Mapping of data to different system elements

    Threat identification and associated risk severity

    Defined risk actions to take place in threat and risk assessment process

    3 Continue to Conduct Threat and Risk Assessments

    The Purpose

    Complete one or two TRAs, as time permits during the workshop.

    Key Benefits Achieved

    Deep risk analysis for one or two IT projects/initiatives, as time permits.

    Activities

    3.1 Continue threat and risk assessment activities.

    3.2 As time permits, one to two threat and risk assessment activities will be performed as part of the workshop.

    3.3 Review risk assessment results and compare to risk tolerance level.

    Outputs

    One to two threat and risk assessment activities performed

    Validation of the risk tolerance level

    4 Establish a Risk Register and Communicate Risk

    The Purpose

    Collect, analyze, and aggregate all individual risks into the security risk register.

    Plan for the future of risk management.

    Key Benefits Achieved

    Established risk register to provide overview of the organizational aggregate risk profile.

    Ability to communicate risk to other stakeholders as needed.

    Activities

    4.1 Begin building a risk register.

    4.2 Identify individual risks and threats that exist in the organization.

    4.3 Decide risk responses, depending on the risk level as it relates to the risk tolerance.

    4.4 If necessary, revisit risk tolerance.

    4.5 Identify which stakeholders sign off on each risk.

    4.6 Plan for the future of risk management.

    4.7 Determine how to present risk to senior management.

    Outputs

    Risk register, with an inventory of risks and a macro view of the organization’s risk

    Defined risk-based initiatives to complete

    Plan for securing and managing the risk register

    Deliver on Your Digital Product Vision

    • Buy Link or Shortcode: {j2store}351|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $133,318 Average $ Saved
    • member rating average days saved: 30 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Product organizations are under pressure to align the value they provide to the organization’s goals and overall company vision.
    • You need to clearly convey your direction, strategy, and tactics to gain alignment, support, and funding from your organization.
    • Products require continuous additions and enhancements to sustain their value. This requires detailed, yet simple communication to a variety of stakeholders.

    Our Advice

    Critical Insight

    • A vision without tactics is an unsubstantiated dream, while tactics without a vision is working without a purpose. You need to have a handle on both to achieve outcomes that are aligned with the needs of your organization.

    Impact and Result

    • Recognize that a vision is only as good as the data that backs it up – lay out a comprehensive backlog with quality built-in that can be effectively communicated and understood through roadmaps.
    • Your intent is only a dream if it cannot be implemented – define what goes into a release plan via the release canvas.
    • Define a communication approach that lets everyone know where you are heading.

    Deliver on Your Digital Product Vision Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should build a digital product vision that you can stand behind. Review Info-Tech’s methodology and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Define a digital product vision

    Define a digital product vision that takes into account your objectives, business value, stakeholders, customers, and metrics.

    • Deliver on Your Digital Product Vision – Phase 1: Define a Digital Product Vision
    • Digital Product Strategy Template
    • Digital Product Strategy Supporting Workbook

    2. Build a better backlog

    Build a structure for your backlog that supports your product vision.

    • Deliver on Your Digital Product Vision – Phase 2: Build a Better Backlog
    • Product Backlog Item Prioritization Tool

    3. Build a product roadmap

    Define standards, ownership for your backlog to effectively communicate your strategy in support of your digital product vision.

    • Deliver on Your Digital Product Vision – Phase 3: Build a Product Roadmap
    • Product Roadmap Tool

    4. Release and deliver value

    Understand what to consider when planning your next release.

    • Deliver on Your Digital Product Vision – Phase 4: Release and Deliver Value

    5. Communicate the strategy – make it happen

    Build a plan for communicating and updating your strategy and where to go next.

    • Deliver on Your Digital Product Vision – Phase 5: Communicate the Strategy – Make It Happen!

    Infographic

    Workshop: Deliver on Your Digital Product Vision

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Define a Digital Product Vision

    The Purpose

    Understand the elements of a good product vision and the pieces that back it up.

    Key Benefits Achieved

    Provide a great foundation for an actionable vision and goals people can align to.

    Activities

    1.1 Build out the elements of an effective digital product vision

    Outputs

    Completed product vision definition for a familiar product via the product canvas

    2 Build a Better Backlog

    The Purpose

    Define the standards and approaches to populate your product backlog that support your vision and overall strategy.

    Key Benefits Achieved

    A prioritized backlog with quality throughout that enables alignment and the operationalization of the overall strategy.

    Activities

    2.1 Introduction to key activities required to support your digital product vision

    2.2 What do we mean by a quality backlog?

    2.3 Explore backlog structure and standards

    2.4 Define backlog data, content, and quality filters

    Outputs

    Articulate the activities required to support the population and validation of your backlog

    An understanding of what it means to create a quality backlog (quality filters)

    Defining the structural elements of your backlog that need to be considered

    Defining the content of your backlog and quality standards

    3 Build a Product Roadmap

    The Purpose

    Define standards and procedures for creating and updating your roadmap.

    Key Benefits Achieved

    Enable your team to create a product roadmap to communicate your product strategy in support of your digital product vision.

    Activities

    3.1 Disambiguating backlogs vs. roadmaps

    3.2 Defining audiences, accountability, and roadmap communications

    3.3 Exploring roadmap visualizations

    Outputs

    Understand the difference between a roadmap and a backlog

    Roadmap standards and agreed-to accountability for roadmaps

    Understand the different ways to visualize your roadmap and select what is relevant to your context

    4 Define Your Release, Communication, and Next Steps

    The Purpose

    Build a release plan aligned to your roadmap.

    Key Benefits Achieved

    Understand what goes into defining a release via the release canvas.

    Considerations in communication of your strategy.

    Understand how to frame your vision to enable the communication of your strategy (via an executive summary).

    Activities

    4.1 Lay out your release plan

    4.2 How to introduce your product vision

    4.3 Communicate changes to your strategy

    4.4 Where do we get started?

    Outputs

    Release canvas

    An executive summary used to introduce other parties to your product vision

    Specifics on communication of the changes to your roadmap

    Your first step to getting started

    Master the Public Cloud IaaS Acquisition Models

    • Buy Link or Shortcode: {j2store}228|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $3,820 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Understanding the differences in IaaS platform agreements, purchasing options, associated value, and risks. What are your options for:

    • Upfront or monthly payments
    • Commitment discounts
    • Support options
    • Migration planning and support

    Our Advice

    Critical Insight

    IaaS platforms offer similar technical features, but they vary widely on their procurement model. By fully understanding the procurement differences and options, you will be able to purchase wisely, save money both long and short term, and mitigate investment risk.

    Most vendors have similar processes and options to buy. Finding a transparent explanation and summary of each platform in a side-by-side review is difficult.

    • Are vendor reps being straight forward?
    • What are the licensing requirements?
    • What discounts or incentives can I negotiate?
    • How much do I have to commit to and for how long?

    Impact and Result

    This project will provide several benefits for both IT and the business. It includes:

    • Best IaaS platform to support current and future procurement requirements.
    • Right-sized cloud commitment tailored to the organization’s budget.
    • Predictable and controllable spend model.
    • Flexible and reliable IT infrastructure that supports the lines of business.
    • Reduced financial and legal risk.

    Master the Public Cloud IaaS Acquisition Models Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to learn how the public cloud IaaS procurement models compare. Review Info-Tech’s methodology and understand the top three platforms, features, and benefits to support and inform the IaaS vendor choice.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Educate

    Learn the IaaS basics, terminologies, purchasing options, licensing requirements, hybrid options, support, and organization requirements through a checklist process.

    • Master the Public Cloud IaaS Acquisition Models – Phase 1: Educate
    • Public Cloud Procurement Checklist
    • Microsoft Public Cloud Licensing Guide

    2. Evaluate

    Review and understand the features, downsides, and differences between the big three players.

    • Master the Public Cloud IaaS Acquisition Models – Phase 2: Evaluate
    • Public Cloud Procurement Comparison Summary

    3. Execute

    Decide on a primary vendor that meets requirements, engage with a reseller, negotiate pricing incentives, migration costs, review, and execute the agreement.

    • Master the Public Cloud IaaS Acquisition Models – Phase 3: Execute
    • Public Cloud Acquisition Executive Summary Template

    Infographic

    Key Metrics for Every CIO

    • Buy Link or Shortcode: {j2store}119|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement
    • As a CIO, you are inundated with data and information about how your IT organization is performing based on the various IT metrics that exist.
    • The information we receive from metrics is often just that – information. Rarely is it used as a tool to drive the organization forward.
    • CIO metrics need to consider the goals of key stakeholders in the organization.

    Our Advice

    Critical Insight

    • The top metrics for CIOs don’t have anything to do with IT.
    • CIOs should measure and monitor metrics that have a direct impact on the business.
    • Be intentional with the metric and number of metrics that you monitor on a regular basis.
    • Be transparent with your stakeholders on what and why you are measuring those specific metrics.

    Impact and Result

    • Measure fewer metrics, but measure those that will have a significant impact on how your deliver value to your organization.
    • Focus on the metrics that you can take action against, rather than simply monitor.
    • Ensure your metrics tie to your top priorities as a CIO.

    Key Metrics for Every CIO Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Key Metrics for Every CIO deck – The top metrics every CIO should measure and act on

    Leverage the top metrics for every CIO to help focus your attention and provide insight into actionable steps.

    • Key Metrics for Every CIO Storyboard
    [infographic]

    Further reading

    Key Metrics for Every CIO

    The top six metrics for CIOs – and they have very little to do with IT

    Analyst Perspective

    Measure with intention

    Be the strategic CIO who monitors the right metrics relevant to their priorities – regardless of industry or organization. When CIOs provide a laundry list of metrics they are consistently measuring and monitoring, it demonstrates a few things.

    First, they are probably measuring more metrics than they truly care about or could action. These “standardized” metrics become something measured out of expectation, not intention; therefore, they lose their meaning and value to you as a CIO. Stop spending time on these metrics you will be unable or unwilling to address.

    Secondly, it indicates a lack of trust in the IT leadership team, who can and should be monitoring these commonplace operational measures. An empowered IT leader will understand the responsibility they have to inform the CIO should a metric be derailing from the desired outcome.

    Photo of Brittany Lutes, Senior Research Analyst, Organizational Transformation Practice, Info-Tech Research Group. Brittany Lutes
    Senior Research Analyst
    Organizational Transformation Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    CIOs need to measure a set of specific metrics that:

    • Will support the organization’s vision, their career, and the IT function all in one.
    • Can be used as a tool to make informed decisions and take appropriate actions that will improve the IT function’s ability to deliver value.
    • Consider the influence of critical stakeholders, especially the end customer.
    • Are easily measured at any point in time.
    Common Obstacles

    CIOs often cannot define these metrics because:

    • We confuse the operational metrics IT leaders need to monitor with strategic metrics CIOs need to monitor.
    • Previously monitored metrics did not deliver value.
    • It is hard to decide on a metric that will prove both insightful and easily measurable.
    • We measure metrics without any method or insight on how to take actionable steps forward.
    Info-Tech’s Approach

    For every CIO, there are six areas that should be a focus, no matter your organization or industry. These six priorities will inform the metrics worth measuring:

    • Risk management
    • Delivering on business objectives
    • Customer satisfaction
    • Employee engagement
    • Business leadership relations
    • Managing to a budget

    Info-Tech Insight

    The top metrics for a CIO to measure and monitor have very little to do with IT and everything to do with ensuring the success of the business.

    Your challenge

    CIOs are not using metrics as a personal tool to advance the organization:
    • Metrics should be used as a tool by the CIO to help inform the future actions that will be taken to reach the organization’s strategic vision.
    • As a CIO, you need to have a defined set of metrics that will support your career, the organization, and the IT function you are accountable for.
    • CIO metrics must consider the most important stakeholders across the entire ecosystem of the organization – especially the end customer.
    • The metrics for a CIO are distinctly different from the metrics you use to measure the operational effectiveness of the different IT functions.
    “CIOs are businesspeople first and technology people second.” (Myles Suer, Source: CIO, 2019.)

    Common obstacles

    These barriers make this challenge difficult to address for many CIOs:
    • CIOs often do not measure metrics because they are not aware of what should or needs to be measured.
    • As a result of not wanting to measure the wrong thing, CIOs can often choose to measure nothing at all.
    • Or they get too focused on the operational metrics of their IT organization, leaving the strategic business metrics forgotten.
    • Moreover, narrowing the number of metrics that are being measured down to an actionable number is very difficult.
    • We rely only on physical data sets to help inform the measurements, not considering the qualitative feedback received.
    CIO priorities are business priorities

    46% of CIOs are transforming operations, focused on customer experiences and employee productivity. (Source: Foundry, 2022.)

    Finances (41.3%) and customers (28.1%) remain the top two focuses for CIOs when measuring IT effectiveness. All other focuses combine for the remaining 30.6%. (Source: Journal of Informational Technology Management, 2018.)

    Info-Tech’s approach

    Organizational goals inform CIO metrics

    Diagram with 'CIO Metrics' at the center surrounded by 'Directive Goals', 'Product/Service Goals', 'IT Goals', and 'Operations Goals', each of which are connected to eachother by 'Customers'.

    The Info-Tech difference:
    1. Every CIO has the same set of priorities regardless of their organization or industry given that these metrics are influenced by similar goals of organizations.
    2. CIO metrics are a tool to help inform the actions that will support each core area in reaching their desired goals.
    3. Be mindful of the goals different business units are using to reach the organization’s strategic vision – this includes your own IT goals.
    4. Directly or indirectly, you will always influence the ability to acquire and retain customers for the organization.

    CIO priorities

    MANAGING TO A BUDGET
    Reducing operational costs and increasing strategic IT spend.
    Table centerpiece for CIO Priorities. DELIVERING ON BUSINESS OBJECTIVES
    Aligning IT initiatives to the vision of the organization.
    CUSTOMER SATISFACTION
    Directly and indirectly impacting customer experience.
    EMPLOYEE ENGAGEMENT
    Creating an IT workforce of engaged and purpose-driven people.
    RISK MANAGEMENT
    Actively knowing and mitigating threats to the organization.
    BUSINESS LEADERSHIP RELATONS
    Establishing a network of influential business leaders.

    High-level process flow

    How do we use the CIO metrics?
    Process flow that starts at 'Consider - Identify and analyze CIO priorities', and is followed by 'Select priorities - Identify the top priorities for CIOs (see previous slide)', 'Create a measure - Determine a measure that aligns to each priority', 'Make changes & improvements - Take action to improve the measure and reach the goal you are trying to achieve', 'Demonstrate progress - Use the metrics to demonstrate progress against priorities'. Using priority-based metrics allows you to make incremental improvements that can be measured and reported on, which makes program maturation a natural process.

    Example CIO dashboard

    Example CIO dashboard.
    * Arrow indicates month-over-month trend

    Harness the value of metric data

    Metrics are rarely used accurately as a tool
    • When you have good metrics, you can:
      • Ensure employees are focused on the priorities of the organization
      • Have insight to make better decisions
      • Communicate with the business using language that resonates with each stakeholder
      • Increase the performance of your IT function
      • Continually adapt to meet changing business demands
    • Metrics are tools that quantifiably indicate whether a goal is on track to being achieved (proactive) or if the goal was successfully achieved (retroactive)
    • This is often reflected through two metric types:
      • Leading Metrics: The metric indicates if there are actions that should be taken in the process of achieving a desired outcome.
      • Lagging Metrics: Based on the desired outcome, the metric can indicate where there were successes or failures that supported or prevented the outcome from being achieved.
    • Use the data from the metrics to inform your actions. Do not collect this data if your intent is simply to know the data point. You must be willing to act.
    "The way to make a metric successful is by understanding why you are measuring it." (Jeff Neyland CIO)

    CIOs measure strategic business metrics

    Keep the IT leadership accountable for operational metrics
    • Leveraging the IT leadership team, empower and hold each leader accountable for the operational metrics specific to their functional area
    • As a CIO, focus on the metrics that are going to impact the business. These are often tied to people or stakeholders:
      • The customers who will purchase the product or service
      • The decision makers who will fund IT initiatives
      • The champions of IT value
      • The IT employees who will be driven to succeed
      • The owner of an IT risk event
    • By focusing on these priority areas, you can regularly monitor aspects that will have major business impacts – and be able to address those impacts.
    As a CIO, avoid spending time on operational metrics such as:
    • Time to deliver
    • Time to resolve
    • Project delivery (scope, time, money)
    • Application usage
    • User experiences
    • SLAs
    • Uptime/downtime
    • Resource costs
    • Ticket resolution
    • Number of phishing attempts
    Info-Tech Insight

    While operational metrics are important to your organization, IT leaders should be empowered and responsible for their management.

    SECTION 1

    Actively Managing IT Risks

    Actively manage IT risks

    The impact of IT risks to your organization cannot be ignored any further
    • Few individuals in an organization understand IT risks and can proactively plan for the prevention of those threats, making the CIO the responsible and accountable individual when it comes to IT risks – especially the components that tie into cybersecurity.
    • When the negative impacts of an IT threat event are translated into terms that can be understood and actioned by all in the organization, it increases the likelihood of receiving the sponsorship and funding support necessary.
    • Moreover, risk management can be used as a tool to drive the organization toward its vision state, enabling informed risk decisions.

    Risk management metric:

    Number of critical IT threats that were detected and prevented before impact to the organization.

    Beyond risk prevention
    Organizations that have a clear risk tolerance can use their risk assessments to better inform their decisions.
    Specifically, taking risks that could lead to a high return on investment or other key organizational drivers.

    Protect the organization from more than just cyber threats

    Other risk-related metrics:
    • Percentage of IT risks integrated into the organization’s risk management approach.
    • Number of risk management incidents that were not identified by your organization (and the potential financial impact of those risks).
    • Business satisfaction with IT actions to reduce impact of negative IT risk events.
    • Number of redundant systems removed from the organizations portfolio.
    Action steps to take:
    • Create a risk-aware culture, not just with IT folks. The entire organization needs to understand how IT risks are preventable.
    • Clearly demonstrate the financial and reputational impact of potential IT risks and ensure that this is communicated with decision-makers in the organization.
    • Have a single source of truth to document possible risk events and report prevention tactics to minimize the impact of risks.
    • Use this information to recommend budget changes and help make risk-informed decisions.

    49%

    Investing in Risk

    Heads of IT “cited increasing cybersecurity protections as the top business initiative driving IT investments this year” (Source: Foundry, 2022.)

    SECTION 2

    Delivering on Business Objectives

    Delivering on business objectives

    Deliver on initiatives that bring value to your organization and stop benchmarking
    • CIOs often want to know how they are performing in comparison to their competitors (aka where do you compare in the benchmarking?)
    • While this is a nice to know, it adds zero value in demonstrating that you understand your business, let alone the goals of your business
    • Every organization will have a different set of goals it is striving toward, despite being in the same industry, sector, or market.
    • Measuring your performance against the objectives of the organization prevents CIOs from being more technical than it would do them good.

    Business Objective Alignment Metric:

    Percentage of IT metrics have a direct line of impact to the business goals

    Stop using benchmarks to validate yourself against other organizations. Benchmarking does not provide:
    • Insight into how well that organization performed against their goals.
    • That other organizations goals are likely very different from your own organization's goals.
    • It often aggregates the scores so much; good and bad performers stop being clearly identified.

    Provide a clear line of sight from IT metrics to business goals

    Other business alignment metrics:
    • Number of IT initiatives that have a significant impact on the success of the organization's goals.
    • Number of IT initiatives that exceed the expected value.
    • Positive impact ($) of IT initiatives on driving business innovation.
    Action steps to take:
    • Establish a library or dashboard of all the metrics you are currently measuring as an IT organization, and align each of them to one or more of the business objectives your organization has.
    • Leverage the members of the organization’s executive team to validate they understand how your metric ties to the business objective.
    • Any metric that does not have a clear line of sight should be reconsidered.
    • IT metrics should continue to speak in business terms, not IT terms.

    50%

    CIOs drive the business

    The percentage of CEOs that recognize the CIO as the main driver of the business strategy in the next 2-3 years. (Source: Deloitte, 2020.)

    SECTION 3

    Impact on Customer Satisfaction

    Influencing end-customer satisfaction

    Directly or indirectly, IT influences how satisfied the customer is with their product or service
    • Now more than ever before, IT can positively influence the end-customer’s satisfaction with the product or service they purchase.
    • From operational redundancies to the customer’s interaction with the organization, IT can and should be positively impacting the customer experience.
    • IT leaders who take an interest in the customer demonstrate that they are business-focused individuals and understand the intention of what the organization is seeking to achieve.
    • With the CIO role becoming a strategic one, understanding why a customer would or would not purchase your organization’s product or service stops being a “nice to have.”

    Customer satisfaction metric:

    What is the positive impact ($ or %) of IT initiatives on customer satisfaction?

    Info-Tech Insight

    Be the one to suggest new IT initiatives that will impact the customer experience – stop waiting for other business leaders to make the recommendation.

    Enhance the end-customer experience with I&T

    Other customer satisfaction metrics:
    • Amount of time CIO spends interacting directly with customers.
    • Customer retention rate.
    • Customer attraction rate.
    Action steps to take:
    • Identify the core IT capabilities that support customer experience. Automation? Mobile application? Personal information secured?
    • Suggest an IT-supported or-led initiative that will enhance the customer experience and meet the business goals. Retention? Acquisition? Growth in spend?
    • This is where operational metrics or dashboards can have a real influence on the customer experience. Be mindful of how IT impacts the customer journey.

    41%

    Direct CX interaction

    In 2022, 41% of IT heads were directly interacting with the end customer. (Source: Foundry, 2022.)

    SECTION 4

    Keeping Employees Engaged

    Keeping employees engaged

    This is about more than just an annual engagement survey
    • As a leader, you should always have a finger on the pulse of how engaged your employees are
    • Employee engagement is high when:
      • Employees have a positive disposition to their place of work
      • Employees are committed and willing to contribute to the organization's success
    • Employee engagement comprises three types of drivers: organizational, job, and retention. As CIO, you have a direct impact on all three drivers.
    • Providing employees with a positive work environment where they are empowered to complete activities in line with their desired skillset and tied to a clear purpose can significantly increase employee engagement.

    Employee engagement metric:

    Number of employees who feel empowered to complete purposeful activities related to their job each day

    Engagement leads to increases in:
    • Innovation
    • Productivity
    • Performance
    • Teamwork
    While reducing costs associated with high turnover.

    Employees daily tasks need to have purpose

    Other employee engagement metrics:
    • Tenure of IT employees at the organization.
    • Number of employees who seek out or use a training budget to enhance their knowledge/skills.
    • Degree of autonomy employees feel they have in their work on a daily basis.
    • Number of collaboration tools provided to enable cross-organizational work.
    Action steps to take:
    • If you are not willing to take actionable steps to address engagement, don’t bother asking employees about it.
    • Identify the blockers to empowerment. Common blockers include insufficient team collaboration, bureaucracy, inflexibility, and feeling unsupported and judged.
    • Ensure there is a consistent understanding of what “purposeful” means. Are you talking about “purposeful” to the organization or the individual?
    • Provide more clarity on what the organization’s purpose is and the vision it is driving toward. Just because you understand does not mean the employees do.

    26%

    Act on engagement

    Only 26% of leaders actually think about and act on engagement every single day. (Source: SHRM, 2022.)

    SECTION 5

    Establishing Trusted Business Relationships

    Establishing trusted business partnerships

    Leverage your relationships with other C-suite executives to demonstrate IT’s value
    • Your relationship with other business peers is critical – and, funny enough, it is impacted by the use of good metrics and data.
    • The performance of your IT team will be recognized by other members of the executive leadership team (ELT) and is a direct reflection of you as a leader.
    • A good relationship with the ELT can alleviate issues if concerns about IT staff surface.
      • Of the 85% of IT leaders working on transformational initiatives, only 30% are trying to cultivate an IT/business partnership (Foundry, 2022).
    • Don’t let other members of the organizations ELT overlook you or the value IT has. Build the key relationships that will drive trust and partnerships.

    Business leadership relationship metric:

    Ability to influence business decisions with trusted partners.

    Some key relationships that are worth forming with other C-suite executives right now include:
    • Chief Sustainability Officer
    • Chief Revenue Officer
    • Chief Marketing Officer
    • Chief Data Officer

    Influence business decisions with trusted partners

    Other business relations metrics:
    • The frequency with which peers on the ELT complain about the IT organization to other ELT peers.
    • Percentage of business leaders who trust IT to make the right choices for their accountable areas.
    • Number of projects that are initiated with a desired solution versus problems with no desired solution.
    Action steps to take:
    • From lunch to the boardroom, it is important you make an effort to cultivate relationships with the other members of the ELT.
    • Identify who the most influential members of the ELT are and what their primary goals or objectives are.
    • Follow through on what you promise you will deliver – if you do not know, do not promise it!
    • What will work for one member of the ELT will not work for another – personalize your approach.

    60%

    Enterprise-wide collaboration

    “By 2023, 60% of CIOs will be primarily measured for their ability to co-create new business models and outcomes through extensive enterprise and ecosystem-wide collaboration.” (Source: IDC, 2021.)

    SECTION 6

    Managing to a Budget

    Managing to a budget

    Every CIO needs to be able to spend within budget while increasing their strategic impact
    • From security, to cloud, to innovating the organization's products and services, IT has a lot of initiatives that demand funds and improve the organization.
    • Continuing to demonstrate good use of the budget and driving value for the organization will ensure ongoing recognition in the form of increased money.
    • 29% of CIOs indicated that controlling costs and expense management was a key duty of a functional CIO (Foundry, 2022).
    • Demonstrating the ability to spend within a defined budget is a key way to ensure the business trusts you.
    • Demonstrating an ability to spend within a defined budget and reducing the cost of operational expenses while increasing spend on strategic initiatives ensures the business sees the value in IT.

    Budget management metric:

    Proportion of IT budget that is strategic versus operational.

    Info-Tech Insight

    CIOs need to see their IT function as its own business – budget and spend like a CEO.

    Demonstrate IT’s ability to spend strategically

    Other budget management metrics:
    • Cost required to lead the organization through a digital transformation.
    • Reduction in operational spend due to retiring legacy solutions.
    • Percentage of budget in the run, grow, and transform categories.
    • Amount of money spent keeping the lights on versus investing in new capabilities.

    Action steps to take:

    • Consider opportunities to automate processes and reduce the time/talent required to spend.
    • Identify opportunities and create the time for resources to modernize or even digitize the organization to enable a better delivery of the products or services to the end customer.
    • Review the previous metrics and tie it back to running the business. If customer satisfaction will increase or risk-related threats decrease through an initiative IT is suggesting, you can make the case for increased strategic spend.

    90%

    Direct CX interaction

    Ninety percent of CIOs expect their budget to increase or remain the same in their next fiscal year. (Source: Foundry, 2022.)

    Research contributors and experts

    Photo of Jeff Neyland. Jeff Neyland
    Chief Information Officer – University of Texas at Arlington
    Photo of Brett Trelfa. Brett Trelfa
    SVP and CIO – Arkansas Blue Cross Blue Shield
    Blank photo template. Lynn Fyhrlund
    Chief Information Officer – Milwaukee County Department of Administrative Services

    Info-Tech Research Group

    Vicki Van Alphen Executive Counselor Ibrahim Abdel-Kader Research Analyst
    Mary Van Leer Executive Counselor Graham Price Executive Counselor
    Jack Hakimian Vice President Research Valence Howden Principal Research Director
    Mike Tweedie CIO Practice Lead Tony Denford Organization Transformation Practice Lead

    Related Info-Tech Research

    Sample of the 'IT Metrics Library'. IT Metrics Library
    • Use this tool to review commonly used KPIs for each practice area
    • Identify KPI owners, data sources, baselines, and targets. It also suggests action and research for low-performing KPIs.
    • Use the "Action Plan" tab to keep track of progress on actions that were identified as part of your KPI review.
    Sample of 'Define Service Desk Metrics That Matter'. Define Service Desk Metrics That Matter
    • Consolidate your metrics and assign context and actions to those currently tracked.
    • Establish tension metrics to see and tell the whole story.
    • Split your metrics for each stakeholder group. Assign proper cadences for measurements as a first step to building an effective dashboard.
    Sample of 'CIO Priorities 2022'. CIO Priorities 2022
    • Understand how to respond to trends affecting your organization.
    • Determine your priorities based on current state and relevant internal factors.
    • Assign the right resources to accomplish your vision.
    • Consider what new challenges outside of your control will demand a response.

    Bibliography

    “Developing and Sustaining Employee Engagement.” SHRM, 2022.

    Dopson, Elise. “KPIs Vs. Metrics: What’s the Difference & How Do You Measure Both?” Databox, 23 Jun. 2021.

    Shirer, Michael, and Sarah Murray. “IDC Unveils Worldwide CIO Agenda 2022 Predictions.” IDC, 27 Oct. 2021.

    Suer, Myles. “The Most Important Metrics to Drive IT as a Business.” CIO, 19 Mar. 2019.

    “The new CIO: Business Savvy.” Deloitte Insights. Deloitte, 2020.

    “2022 State of the CIO: Rebalancing Act: CIO’s Operational Pandemic-Era Innovation.” Foundry, 2022.

    “Why Employee Engagement Matters for Leadership at all Levels.” Walden University, 20 Dec. 2019.

    Zhang, Xihui, et al. “How to Measure IT Effectiveness: The CIO’s Perspective.” Journal of Informational Technology Management, 29(4). 2018.

    Transform Your Field Technical Support Services

    • Buy Link or Shortcode: {j2store}112|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • Redefine the role of deskside or field technicians as demand for service evolves and service teams are restructured.
    • Redefine the role of onsite technicians when the help desk is outsourced.
    • Define requirements when supplementing with outsourced field services teams.
    • Identify barriers to streamlining processes.
    • Look for opportunities to streamline processes and better use technical teams.
    • Communicate and manage change to support roles.

    Our Advice

    Critical Insight

    • Service needs to be defined in a way that considers the organizational need for local, hands-on technicians, the need for customer service, and the need to make the best use of resources that you have.
    • Service level agreements will need to be refined and metrics will need to be analyzed for capacity and skilled planning.
    • Organizational change management will be key to persuade users to engage with the technical team in a way that supports the new structure.

    Impact and Result

    • Many IT teams are struggling to keep up with demand while trying to refocus on customer service. With more remote workers than ever, organizations who have traditionally provided desktop and field services have been revaluating the role of the field service technicians. Add in the price of fuel, and there is even more reason to assess the support model.
    • Often changes to the way IT does support, especially if moving centralized support to an outsourcer, is met with resistance by end users who don’t see the value of phoning someone else when their local technician is still available to problem solve. This speaks to the need to ensure the central group is providing value to end users as well as the technical team.
    • With the challenges of finding the right number of technicians with the right skills, it’s time to rethink remote support and how that can be used to train and upskill the people you have. And it’s time to think about how to use field services tools to make the best use of your technician’s time.

    Transform Your Field Technical Support Services Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Transform Field Services Guide – A brief deck that outlines key migration steps to improve our remote client support services.

    This blueprint will help you:

    • Transform Your Field Technical Services Storyboard

    2. Transform Field Services Template – A template to create a transformation proposal.

    This template will help you to build your proposal to transform your field services.

    • Proposal to Transform Field Technical Services Template
    [infographic]

    Further reading

    Transform Your Field Technical Support Services

    Improve service and reduce costs through digital transformation.

    Analyst Perspective

    Improve staffing challenges through digital transformation.

    Many IT teams are struggling to keep up with demand while trying to refocus on customer service. With more remote workers than ever, organizations who have traditionally provided desktop and field services have been revaluating the role of the field service technicians. Add in the price of fuel, and there is even more reason to assess the support model. Often changes to the way IT does support, especially if moving centralized support to an outsourcer, is met with resistance by end users who don’t see the value of phoning someone else when their local technician is still available to problem solve. This speaks to the need to ensure the central group is providing value to end users as well as the technical team. With the challenges of finding the right number of technicians with the right skills, it’s time to rethink remote support and how that can be used to train and upskill the people you have. And it’s time to think about how to use field services tools to make the best use of your technician’s time.

    The image contains a picture of Sandi Conrad.

    Sandi Conrad

    Principal Research Director

    Infrastructure & Operations Practice

    Info-Tech Research Group

    Executive Summary

    Your Challenge

    With remote work becoming a normal employee offering for many organizations, self-serve/self-solve becoming more prominent, and a common call out to improve customer service, there is a need to re-examine the way many organizations are supplying onsite support. For organizations with a small number of offices, a central desk with remote tools may be enough or can be combined with a concierge service or technical center, but for organizations with multiple offices it becomes difficult to provide a consistent level of service for all customers unless there is a team onsite for each location. This may not be financially possible if there isn’t enough work to keep a technical team busy full-time.

    Common Obstacles

    Where people have a choice between calling a central phone number or talking to the technician down the hall, the in-person experience often wins out. End users may resist changes to in-person support as work is rerouted to a centralized group by choosing to wait for their favorite technician to show up onsite rather than reporting issues centrally. This can make the job of the onsite technician more challenging as they need to schedule time in every visit for unplanned work. And where technicians need to support multiple locations, travel needs to be calculated into lost technician time and costs.

    Info-Tech’s Approach

    • Service needs to be defined in a way that considers the organizational need for local, hands-on technicians, the need for customer service, and the need to make the best use of resources that you have.
    • Service-level agreements will need to be refined and metrics will need to be analyzed for capacity and skilled planning.
    • Organizational change management will be key to persuade users to engage with the technical team in a way that supports the new structure.

    Info-Tech Insight

    Improving process will be helpful for smaller teams, but as teams expand or work gets more complicated, investment in appropriate tools to support field services technicians will enable them to be more efficient, reduce costs, and improve outcomes when visits are warranted.

    Your challenge

    This research is designed to help organizations who are looking to:

    • Redefine the role of deskside or field technicians as demand for service evolves and service teams are restructured.
    • Redefine the role of onsite technicians when the help desk is outsourced.
    • Define requirements when supplementing with outsourced field services teams.
    • Identify barriers to streamlining processes.
    • Look for opportunities to streamline processes and better use technical teams.
    • Communicate and manage change to support roles.

    With many companies having new work arrangements for users, where remote work may be a permanent offering or if your digital transformation is well underway, this provides an opportunity to rethink how field support needs to be done.

    What is field services?

    Field services is in-person support delivered onsite at one or more locations. Management of field service technicians may include queue management, scheduling service and maintenance requests, triaging incidents, dispatching technicians, ordering parts, tracking job status, and billing.

    The image contains a diagram to demonstrate what may be supported by field services and what should be supported by field services.

    What challenges are you trying to solve within your field services offering?

    Focus on the reasons for the change to ensure the outcome can be met. Common goals include improved customer service, better technician utilization, and increased response time and stability.

    • Discuss specific challenges the team feels are contributing to less-than-ideal customer service.
    • Does the team have the skills, knowledge, and tools they need to be successful? Technicians may be solving issues with the customer looking over their shoulder. Having quick access to knowledge articles or to subject matter experts who can provide deeper expertise remotely may be the difference between a single visit to resolve or multiple or extended visits.
    • What percentage of tickets would benefit from triage and troubleshooting done remotely before sending a technician onsite? Where there are a high number of no-fault-found visits, this may be imperative to improving technician availability.
    • Review method for distribution of tickets, including batching criteria and dispatching of technicians. Are tickets being dispatched efficiently? By location and/or priority? Is there an attempt to solve more tickets centrally? Should there be? What SLA adjustment is reasonable for onsite visits?
    • Has the support value been defined?
    The image contains a graph to demonstrate Case Casuals in Field Services, where the highest at 55% is break/fix.

    Field services will see the biggest improvements through technology updates

    Customer Intake

    Provide tools for scheduling technicians, self-serve and self- or assisted-solve through ITSM or CRM-based portal and visual remote tools.

    The image contains a picture to demonstrate the different field services.

    Triage and Troubleshoot

    Upgrade remote tools to visual remote solutions to troubleshoot equipment as well as software. Eliminate no-fault-found visits and improve first-time fix rate by visually inspecting equipment before technician deployments.

    Improve Communications

    FSM GPS and SMS updates can be set to notify customers when a technician is close by and can be used for customer sign-off to immediately update service records and launch survey or customer billing where applicable.

    Schedule Technicians

    Field service management (FSM) ITSM modules will allow skills-based scheduling for remote technicians and determine best route for multi-site visits.

    Enable Work From Anywhere

    FSM mobile applications can provide technicians with daily schedules, turn-by-turn directions, access to inventory, knowledge articles, maintenance, and warranty and asset records. Visual remote captures service records and enables access to SMEs.

    Manage Expectations

    Know where technicians are for routing to emergency calls and managing workload using field service management solutions with GPS.

    Digital transformation can dramatically improve customer and technician experience

    The image contains an arrown that dips and rises dramatically to demonstrate how digital transformation can dramatically increase customer and technician experience.
    Sources: 1 - TechSee, 2019; 2 - Glartek; 3 - Geoforce; 4 - TechSee, 2020

    Improve technician utilization and scheduling with field services management software

    Field services management (FSM) software is designed to improve scheduling of technicians by skills and location while reducing travel time and mileage. When integrated with ITSM software, the service record is transferred to the field technician for continuity and to prepare for the job. FSM mobile apps will enable technicians to receive schedule updates through the day and through GPS update the dispatcher as technicians move from site to site.

    FSM solutions are designed to manage large teams of technicians, providing automated dispatch recommendations based on skills matching and proximity.

    Routes can be mapped to reduce travel time and mileage and adjusted to respond to emergency requests by technician skills or proximity. Automation will provide suggestions for work allocation.

    Spare parts management may be part of a field services solution, enabling technicians to easily identify parts needed and update real-time inventory as parts are deployed.

    Push notifications in real-time streamline communications from the field to the office, and enable technicians to close service records while in the field.

    Dispatchers can easily view availability, assign work orders, attach notes to work orders, and immediately receive updates if technicians acknowledge or reject a job.

    Maintenance work can be built into online checklists and forms to provide a technician with step-by-step instructions and to ensure a complete review.

    Skills and location-based routing allow dispatchers to be able to see closest tech for emergency deployments.

    Improve time to resolve while cutting costs by using visual remote support tools

    Visual remote support tools enable live video sessions to clearly see what the client or field service technician sees, enabling the experts to provide real-time assistance where the experts will provide guidance to the onsite person. Getting a view of the technology will reduce issues with getting the right parts, tools, and technicians onsite and dramatically reduce second visits.

    Visual remote tools can provide secure connections through any smartphone, with no need for the client to install an application.

    The technicians can take control of the camera to zoom in, turn on the flashlight for extra lighting, take photos, and save video directly to the tickets.

    Optical character recognition allows automatic text capture to streamline process to check warranty, recalls, and asset history.

    Visual, interactive workflows enhance break/fix and inspections, providing step-by-step guidance visual evidence and using AI and augmented reality to assess the images, and can provide next steps by connecting to a visual knowledgebase.

    Integration with field service management tools will allow information to easily be captured and uploaded immediately into the service record.

    Self-serve is available through many of these tools, providing step-by-step instructions using visual cues. These solutions are designed to work in low-bandwidth environments, using Wi-Fi or cellular service, and sessions can be started with a simple link sent through SMS.

    Take a Realistic Approach to Disaster Recovery Testing

    • Buy Link or Shortcode: {j2store}414|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity

    You have made significant investments in availability and disaster recovery – but your ability to recover hasn’t been tested in years. Testing will:

    • Improve your DR capabilities.
    • Identify required changes to planning documentation and procedures.
    • Validate DR capabilities for interested customers and auditors.

    Our Advice

    Critical Insight

    • If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience.
    • Focus on identifying gaps and risks, and addressing them, before a real disaster hits.
    • Take a realistic, iterative approach to resilience testing that starts with small, low-risk tests and builds on lessons learned.

    Impact and Result

    • Identify testing scenarios and scope that can deliver value to your organization.
    • Create practical test plans with Info-Tech’s template.
    • Demonstrate value from testing to gain buy-in for additional tests.

    Take a Realistic Approach to Disaster Recovery Testing Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take a Realistic Approach to Disaster Recovery Testing Storyboard – A guide to establishing a right-sized approach to DR testing that delivers durable value to your organization.

    Use this research to understand the different types of tests, prioritize and plan tests for your organization, review the results, and establish a cadence for testing.

    • Take a Realistic Approach to Disaster Recovery Testing Storyboard

    2. Disaster Recovery Test Plan Template – A template to document your organization's DR test plan.

    Use this template to document scope and goals, participants, key pre-test milestones, the test-day schedule, and your findings from the testing exercise.

    • Disaster Recovery Test Plan Template

    3. Disaster Recovery Testing Program Summary – A template to outline your organization's DR testing program.

    Identify the tests you will run over the next year and the expertise, governance, process, and funding required to support testing.

    • Disaster Recovery Testing Program Summary

    [infographic]

     

    Further reading

    Take a Realistic Approach to Disaster Recovery Testing

    Reduce costly downtime with a right-sized testing program that improves IT resilience.

    Analyst Perspective

    Reduce costly downtime with a right-sized testing program that improves IT resilience.

    Andrew Sharp

    Most businesses make significant investments in disaster recovery and technology resilience. Redundant sites and systems, monitoring, intrusion prevention, backups, training, documentation: it all costs time and money.

    But does this investment deliver expected value? Specifically, can you deliver service continuity in a way that meets business requirements?

    You can’t know the answer without regularly testing recovery processes and systems. And more than just validation, testing helps you deliver service continuity by finding and addressing gaps in your plans and training your staff on recovery procedures.

    Use the insights, tools, and templates in this research to create a streamlined and effective resilience testing program that helps validate recovery capabilities and enhance service reliability, availability, and continuity.

    Andrew Sharp

    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    You have made significant investments in availability and disaster recovery (DR) – but your ability to recover hasn’t been tested in years. Testing will:

    • Improve your DR capabilities.
    • Identify required changes to planning documentation and procedures.
    • Validate DR capabilities for interested customers and auditors.

    Common Obstacles

    Despite the value testing can offer, actually executing on DR tests is difficult because:

    • Testing is often an IT-driven initiative, and it can be difficult to secure business buy-in to redirect resources away from other urgent projects or accept risks that come with testing.
    • Previous tests have been overly complex and challenging to coordinate and leave a hangover so bad that no one wants to do them again.

    Info-Tech's Approach

    Take a realistic approach to resilience testing by starting with small, low-risk tests, then iterating with the lessons you’ve learned:

    • Identify testing scenarios and scope that can deliver value to your organization.
    • Create practical test plans with Info-Tech’s template.
    • Get buy-in for regular DR testing from key stakeholders with a testing program summary.

    Info-Tech Insight

    If you treat testing as a pass/fail exercise, you aren’t meeting the end goal of improving organizational resilience. Focus on identifying gaps and risks so you can address them before a real disaster hits.

    Process and Outputs

    This research is accompanied by templates to help you achieve your goals faster.

    1 - Establish the business rationale for DR testing.
    2 - Review a range of options for testing.
    3 - Prioritize tests that are most valuable to your business.
    4 - Create a disaster recovery test plan.
    5 - Establish a Test Program to support a regular testing cycle.

    Outputs:

    DR Test Plan
    DR Testing Program Summary

    Example Orange Activity slide.
    Orange activity slides like the one on the left provide directions to help you make key decisions.

    Key Deliverable:

    Disaster Recovery Test Plan Template

    Build a plan for your first disaster recovery test.

    This document provides a complete example you can use to quickly build your own plan, including goals, milestones, participants, the test-day schedule, and findings from the after-action review.

    Why test?

    Testing helps you avoid costly downtime

    • In a disaster scenario, speed matters. Immediately after an outage, the impact on the organization is small, but impact increases rapidly the longer the outage continues.
    • A quick and reliable response and recovery can protect the organization from significant losses.
    • A DRP testing and maintenance program helps ensure you’re ready to recover when you need to, rather than figuring it out as you go.

    “Routine testing is vital to survive a disaster… that’s when muscle memory sets in. If you don’t test your DR plan it falls [in importance], and you never see how routine changes impact it.”

    – Jennifer Goshorn
    Chief Administrative Officer
    Gunderson Dettmer LLP

    Info-Tech members estimated even one day of system downtime could lead to significant revenue losses. Estimated loss of revenue over 24 hours. Core Infrastructure has the highest potential for lost revenue.

    Average estimated potential loss* in thousands of USD due to a 24-hour outage (N=41)

    *Data aggregated from 41 business impact analyses (BIAs) conducted with Info-Tech advisory assistance. BIAs evaluate potential revenue loss due to a full day of system downtime, at the worst possible time.

    Run tests to enhance disaster recovery plans

    Testing improves organizational resilience

    • Identify and address gaps in your plans before a real disaster strikes.
    • Cross-train staff on systems recovery.
    • Go beyond testing technology to test recovery processes.
    • Establish a culture that centers resilience in everyday decision-making.

    Testing keeps DR documentation ready for action

    • Update documentation ahead of tests to prepare for the testing exercise.
    • Update documentation after testing to incorporate any lessons learned.

    Testing validates that investments in resilience deliver value

    • Confirm your organization can meet defined recovery time objectives (RTOs) and recovery point objectives (RPOs).
    • Provide proof of testing for auditors, prospective customers, and insurance applications

    Overcome testing challenges

    Despite the value of effective recovery testing, most IT organizations struggle to test recovery plans

    Common challenges

    • Key resources don’t have time for testing exercises.
    • You don’t have the technology to support live recovery testing.
    • Tests are done ad hoc and lessons learned are lost.
    • A lack of business support for test exercises as the value isn’t understood.
    • Tests are always artificially simple because RTOs and RPOs must be met to satisfy customer or auditor inquiries

    Overcome challenges with a realistic approach:

    • Start small with tabletop and recovery tests for specific systems.
    • Include recovery tests in operational tasks (e.g. restore systems when you have a maintenance window).
    • Create testing plans for larger testing exercises.
    • Build on successful tests to streamline testing exercises in the future.
    • Don’t make testing a pass-fail exercise. Focus on identifying gaps and risks so you can address them before a real disaster hits.

    Go beyond traditional testing

    Different test techniques help validate recovery against different threats

    • There are many threats to service continuity, including ransomware, severe weather events, geopolitical conflict, legacy systems, staff turnover, and day-to-day outages caused by human error, software updates, hardware failures, or network outages.
    • At its core, disaster recovery planning is about recovery. A plan for service recovery will help you mitigate against many threats at once. The testing approaches on the right will help you validate different aspects of that recovery process.
    • This research will provide an overview of the approaches outlined on the right and help you prioritize tests that are most valuable to your organization.
    Different test techniques for disaster recover training: System Failover tests, tabletop exercises, ransomware recovery tests, etc.

    00 Identify a working group

    30 minutes

    Identify a group of participants who can fill the following roles and inform the discussions around testing in this research. A single person could fill multiple roles and some roles could be filled by multiple people. Many participants will be drawn from the larger DRP team.

    Roles and expectations for Disaster Recovery Planning. DRP sponsor, Testing coordinator, System testers, business liaisons, executive team.

    Input

    • Organizational context

    Output

    • A list of key participants for test planning and execution

    Participants

    • Typically, start by identifying the sponsor and coordinator and have them identify the other members of the working group.

    Start by updating your disaster recovery plan (DRP)

    Use Info-Tech’s Create a Right-Sized Disaster Recovery Plan research to identify recovery objectives based on business impact and outline recovery processes. Both are tremendously valuable inputs to your test plans.

    Overall Business Continuity Plan

    IT Disaster Recovery Plan

    A plan to restore IT services (e.g. applications and infrastructure) following a disruption. A DRP:

    • Identifies critical applications and dependencies.
    • Defines appropriate recovery objectives based on a business impact analysis (BIA).
    • Creates a step-by-step incident response plan.

    BCP for Each Business Unit

    A set of plans to resume business processes for each business unit. A business continuity plan (BCP) is also sometimes called a continuity of operations plan (COOP).

    BCPs are created and owned by each business unit, and creating a BCP requires deep involvement from the leadership of each business unit.

    Info-Tech’s Develop a Business Continuity Plan blueprint provides a methodology for creating business unit BCPs as part of an overall BCP for the organization.

    Crisis Management Plan

    A plan to manage a wide range of crises, from health and safety incidents to business disruptions to reputational damage.

    Info-Tech’s Implement Crisis Management Best Practices blueprint provides a framework for planning a response to any crisis, from health and safety incidents to reputational damage.

    01 Confirm: why test at all?

    15-30 minutes

    Identify the value recovery testing for your organization. Use language appropriate for a nontechnical audience. Start with the list below and add, modify, or delete bullet points to reflect your own organization.

     

    Drivers for testing – Examples:

     

    • Improve service continuity.
    • Identify and address gaps in recovery plans before a real disaster strikes.
    • Cross-train staff on systems recovery to minimize single points of failure.
    • Identify how we coordinate across teams during a major systems outage.
    • Exercise both recovery processes and technology.
    • Support a culture that centers system resilience in everyday decision-making.
    • Keep recovery documentation up-to-date and ready for action.
    • Confirm that our stated recovery objectives can be met.
    • Provide proof of testing for auditors, prospective customers, and insurance applications.
    • We require proof of testing to pass audits and renew cybersecurity insurance.

    Info-Tech Insight

    Time-strapped technical staff will sometimes push back on planning and testing, objecting that the team will “figure it out” in a disaster. But the question isn’t whether recovery is possible – it’s whether the recovery aligns with business needs. If your plan is to “MacGyver” a solution on the fly, you can’t know if it’s the right solution for your organization.

    Input

    • Business drivers and context for testing

    Output

    • Specific goals that are driving testing

    Participants

    • DR sponsor
    • Test coordinator

    Think about what and how you test

    Different layers of the stack to test: Network, Authentication, compute and storage, visualization platforms, database services, middleware, app servers, web servers.

    Find gaps and risks with tabletop testing

    Tabletop planning had the greatest impact on meeting recovery objectives (RTOs/RPOs).

    In a tabletop planning exercise, the team walks through a disaster scenario to outline the recovery workflow, and risks or gaps that could disrupt that workflow.

    Tabletops are particularly effective because:

    • It enables you to play out a wider range of scenarios than technology-based testing (e.g. full-scale, parallel) due to cost and complexity factors.
    • It is non-intrusive, so it can be executed more easily than other testing methodologies.
    • The exercise translates into recovery documentation: you create a workflow as you go.
    • A major site or service recovery scenario will review all aspects of the recovery process and create the backbone of your recovery plan.

    02 Run a tabletop exercise

    2 hours

    Tabletop testing is part of our core DRP methodology, Create a Right-Sized Disaster Recovery Plan. This exercise can be run using cue cards, sticky notes, or on a whiteboard; many of our facilitators find building the workflow directly in flowchart software to be very effective.

    Use our Recovery Workflow Template as a starting point.

    Some tips for running your first tabletop exercise:

    Do

    • Review the complete workflow from notification all the way to user acceptance testing.
    • Keep focused; stay on task and on time.
    • Revisit each step and record gaps and risks (and known solutions, but don’t dwell on this).
    • Revise and improve the plan with task owners.

    Don't

    • Get weighed down by tools.
    • Try to find solutions to every gap/risk as you go. Save in-depth research/discussion for later.
    • Document the details right away – stick to the high-level plan for the first exercise.
    1. Ahead of the exercise, decide on a scenario, identify participants, and book a meeting time.
      • For your first walkthrough of a DR scenario, we often recommend a scenario that considers a site failure requiring failover to a DR site.
      • For the first exercise, focus on technical aspects of recovery before bringing in members of the business. The technical team may need space to discuss the appropriate steps in the recovery process before you bring in business liaisons to discuss user acceptance testing (UAT).
      • A complete failover considers all systems, the viability of your second site, and can help identify parts of the process that require additional exercises.
    2. Review the scenario with participants. Then, discuss and document the recovery process, starting with initial notification of an event.
      • Record steps in the process on white cards or boxes.
      • On yellow and red cards, document gaps and risks in people process and technology requirements.
    3. Once you’ve walked through the process, return to the start.
      • Record the time required to complete each step. Consider identifying who is responsible for key steps. Identify any additional gaps and risks.
    4. Clean up and record the results of the workflow. Save a copy with your DRP documentation.

    Input

    • Expert knowledge on systems recovery

    Output

    • Recovery workflow, including gaps and risks

    Participants

    • Test coordinator
    • Technical SMEs

    Move from tabletop testing to functional exercises

    See how your plans fare in the real world

    In live exercises, some portion of your recovery plans are executed in a way that mimics a real recovery scenario. Some advantages of live testing:

    • See how standby systems behave. A tabletop exercise can miss small issues that can make or break the recovery process. For example, connectivity or integration issues on a new subnet might be difficult to predict prior to actually running services in that environment.
    • Hands-on practice: Familiarize the team with the steps, commands, and interfaces of your recovery toolset.
    • Manage the pressure of the DR scenario: Nothing’s quite like the real thing, but a live exercise may be the closest your team can get to a disaster situation without experiencing it firsthand.

    Examples of live exercises

    Boot and smoke test Turn on a standby system and confirm it boots up correctly.
    Restore and validate data Restore data or servers from backup. Confirm data integrity.
    Parallel testing Send familiar transactions to production and standby systems. Confirm both systems produce the same result.
    Failover systems Shut down the production system and use the standby system in production.

    Run local tests ahead of releases

    Think small

    Most unacceptable downtime is caused by localized issues, such as hardware or software failures, rather than widespread destructive events. Regular local testing can help validate the recovery plan for local issues and improve overall service continuity.

    Make local testing a standard step in maintenance work and new deployments to embed resilience considerations in day-to-day activities. Run the same tests in both your primary and your DR environment.

    Some examples of localized tests:

    • Review backup logs and check for errors.
    • Restore files or whole systems from backup.
    • Run application-based tests as part of release management, including unit, regression, and performance tests.
      • Ensure application tests are run for both the primary and DR environment.
      • For a deep-dive on application testing, see Info-Tech’s research Automate Testing to Get More Done.

    Info-Tech Insight

    Local tests will vary between different services, and local test design is usually best left to the system SMEs. At the same time, centralize reporting to understand where tests are being done.

    Investigate whether your IT Service Management or ticketing system can create recurring tasks or work orders to schedule, document, and track test exercises. Tasks can be pre-populated with checklists and documentation to support the test and provide a record of completed tests to support oversight and reporting.

    Have the business validate recovery

    If your business doesn’t think a system’s recovered, it’s not recovered.

    User acceptance testing (UAT) after system recovery is a key step in the recovery process. Like any step in the process, there’s value in testing it before it actually needs to be done. Assign responsibility for building UATs to the person who will be responsible for executing them.

    An acceptance test script might look something like the checklist below.

    • Does the application open?
    • Does the interface look right?
    • Do you see any unusual notifications or warnings?
    • Can you conduct a key transaction with dummy data?
    • Can you run key reports?

    “I cannot stress how important it is to assign ownership of responsibilities in a test; this is the only way to truly mitigate against issues in a test.”

    – Robert Nardella
    IT Service Management
    Certified z/OS Mainframe Professional

    Info-Tech Insight

    Build test scripts and test transactions ahead of time to minimize the amount of new work required during a recovery scenario.

    Beyond the Basics: Full Failover Testing

    • A failover test – a full failover of your production environment to a secondary environment – is what many IT and businesspeople think about when they think of disaster recovery testing.
    • A full test can validate previous local or tabletop tests, identify additional gaps and risks, and provide hands-on training experience with recovery processes and technologies.
    • Setting a date for failover testing can also inject some urgency into otherwise low-priority (but high importance) disaster recovery planning and documentation exercises, which need to be completed prior to the test.
    • Despite these benefits, full failover tests carry significant risk and require a great deal of effort and cost. Typically, only businesses that already have an active-active environment capable of supporting in-scope production systems are able to run a full environment failover.
    • This is especially true the first time you test. While in theory a DR plan should be ready to go at any time, there will be documents to update, gaps to address, and risks to mitigate before you go ahead with the test.

    Full Failover Testing

    What you get:

    • Provide hands-on experience with recovery processes and technology.
    • Confirm that site failover works in practice as you assumed in tabletop or local testing exercises.
    • Identify critical gaps you might have missed without a full failover test.

    What you need:

    • An active-active secondary site, with sufficient standby equipment, data, and licensed standby software to support production.
    • A completed tabletop exercise and documented recovery workflow.
    • A documented test plan, backout plan, and formal sign-off.
    • An off-hours downtime window.
    • Time from technical SMEs and business resources, both for creating the plan and executing the test.

    Beyond the Basics: Site Reliability Engineering

    • Site reliability engineering (SRE) is an application of skills and approaches from software engineering to improve system resilience.
    • SRE is focused on “availability, latency, performance, efficiency, change management, monitoring, emergency response, and capacity planning” across a set portfolio of services (Sloss, 2017).
    • In many organizations, SRE is implemented as a team that supports separate applications teams.
    • Applications must have defined and granular resilience requirements, translated into service objectives. The SRE team and applications teams will work together to meet these objectives.
    • Site reliability engineers (the folks that do SRE, and often also abbreviated as SREs) are expected to build solutions and processes to ensure services remain stable and performant, not just respond when they fail. For example, Google allows their SREs to spend just half their time on incident response, with the rest of their time focused on development and automation tasks.

    Site Reliability Testing

    What you get:

    • Improved reliability and reduced frequency and impact of downtime.
    • Increased use of automation to address problems before they cause an incident.
    • Granular resilience objectives.

    What you need:

    • Systems running on software-defined infrastructure.
    • Specialized skills in programming, infrastructure-as-code.
    • Business & product owners able to define and fund acceptable and appropriate resilience objectives.
    • Technical experts able to translate product requirements into technical design requirements.

    Beyond the Basics: Chaos Engineering

    • Chaos engineering, a term and approach first popularized by the team at Netflix, aims to improve the resilience of particularly large and distributed systems by simulating system failures and evaluating performance against a baseline.
    • Experiments simulate a variety of real-world events that could cause outages (e.g. network slowdowns or server failures). Experiments run continuously, and the recommendation is to run them in production where feasible while minimizing the impact on customers.
    • Tools to help you run chaos testing exist, including open-source toolkits like Chaos Monkey or Mangle and paid software as a service (SaaS) solutions like Gremlin.
    • Deciding whether the long-term benefits of tests that can degrade production are worth the potential risk of system slowdowns or outages is a business or product decision. Technical considerations aside, if the business owner of a particular system doesn’t see the value of continuous testing outweighing the introduced risk, this approach to testing isn’t going to happen.

    Chaos Engineering

    What you get:

    • Confidence that systems can weather volatile and unpredictable conditions in a production environment.
    • An embedded resilience culture.

    What you need:

    • High-maturity IT incident, monitoring and event practices.
    • Standby/resilient systems to minimize downtime impact.
    • Business buy-in for introducing risk into the production environment.
    • Specialized skills to identify, develop, and run tests that degrade production performance in a controlled way.
    • Budget and time to act on issues identified through testing.

    Beyond the Basics: Security Event Simulations

    • Ransomware is driving demands for proof of recovery testing from customers, executives, auditors, and insurance companies. Systems recovery is part of ransomware recovery, but recovering from a breach includes detection, analysis, containment, and eradication of the attack vector before systems recovery can begin.
    • Beyond technical recovery, internal legal and communications teams will have a role, as will your insurance provider, consultants specialized in ransomware recovery, or professional ransom negotiators.
    • A tabletop exercise focused on ransomware incident response is a key first step. You can find Info-Tech’s methodology for a ransomware tabletop in Phase 3 of Build Resilience Against Ransomware Attacks.
    • Live testing approaches can offer hands-on experience and further insight into how your systems are vulnerable to malware. A variety of open source and proprietary tools can simulate ransomware and help you identify problems, though it’s important to understand the limitations of different simulators (Allon, 2022).
    • A “red team” exercise simulates an adversarial attack against your processes and systems. A specialized penetration tester will often take on the role of the red team and provide a report of identified gaps and risks after the engagement.

    Security Event Simulation

    What you get:

    • Hands-on experience managing and recovering from a ransomware attack in a controlled environment.
    • A better understanding of gaps in your response process.

    What you need:

    • A completed ransomware tabletop exercise and mature security incident response processes.
    • For Ransomware Simulators: An air-gapped sandbox environment hosting a copy of your production systems and security tools, and time from your technical SMEs.
    • For Red Team Exercises: A trusted provider, scope for your testing plans, and time from your security incident response team.

    Prioritize tests by asking these three questions

    1. Will the scope of this test deliver sufficient value?

    • Yes, these are critical systems with low tolerance for downtime or data loss.
    • Yes, major changes or new systems require validation of DR capabilities.
    • Yes, there’s high probability of an outage, or recent experience of an outage.
    • •Yes, we have audit requirements or customer demands for testing.

    2. Are we ready for this test?

    • Yes, recovery plans and recovery objectives are documented.
    • Yes, key technical and business resources have time to commit to testing exercises.
    • Yes, technology is currently able to support proposed tests.

    3. Is it easy to do?

    • Yes, effort required to complete the test is low (i.e. minimal work, few participants).
    • Yes, the risks related to testing are low.
    • Yes, it won’t cost much.

    Info-Tech Insight

    More complex, challenging, risky, or costly tests, such as full failover tests, can deliver value. But do the high-value, low-effort stuff first!

    03 Brainstorm and prioritize test ideas

    30-60 minutes

    Even if you have an idea of what you need to test and how you want to run those tests, this brainstorming exercise can generate useful ideas for testing that might otherwise have been missed.

      1. Review the slides above to develop ideas on how and what you want to test. These slides may be enough to kickstart a brainstorming process. Don’t debate or discount ideas at this point. Write down these ideas in a space where all participants can see them (e.g. whiteboard or shared screen).

    The next steps will help you prioritize the list – if needed – to tests that are highest value and lowest effort.

    1. Discuss where you have the greatest need to test. Assign a score of 0 – 3 for each test, with a score of 3 being high-need and a score of zero being low-need. Consider whether:
      • These applications have a low tolerance for downtime.
      • There’s a high chance of an outage, or recent experience with an outage.
      • There’s a need to train or cross-train staff on recovery for the system(s) in question.
      • Major changes require a review or validation of DR capabilities.
      • Audit requirements or customer/executive demands can be met via testing.
    2. Discuss which tests will require the least effort to complete – where readiness is high and tests are easier to do. Assign a score between 0 and 3 for each test, with a score of 3 being least effort and a score of 0 being high effort. Consider whether:
      • Recovery plans and recovery objectives are documented for these systems.
      • Technical experts are available to work on testing exercises.
      • For active testing, standby/sandbox systems are available and capable of supporting proposed tests.
      • The effort required to complete the test is low (e.g. minimal new work, few participants).
      • The risks related to testing are low.
      • You will need to secure additional funding.
    3. Sum together the assigned scores for each test. Higher scores should be the highest priority, but of course use your judgement to validate the results and select one or two tests to execute in the coming year.

    “There are different levels of testing and it is very progressive. I do not recommend my clients to do anything, unless they do it in a progressive fashion. Don’t try to do a live failover test with your users, right out of the box.”

    – Steve Tower
    Principal Consultant
    Prompta Consulting Group

    Input

    • Organizational and technical context

    Output

    • Prioritize list of DR testing ideas

    Participants

    • DR sponsor
    • Test coordinator

    04 Build a test plan

    3-5 days

    Building a test plan helps the test run smoothly and can uncover issues with the underlying DRP as you dig into the details.

    The test coordinator will own the plan document but will rely on the sponsor to confirm scope and goals, technical SMEs to develop system recovery plans, and business liaisons to create UAT scripts.

    Download Info-Tech’s Disaster Recovery Test Plan Template. Use the structure of the template to build your own document, deleting example data as you go. Consider saving a separate copy of this document as an example and working from a second copy.

    Key sections of the document include:

    • Goals, scenario, and scope of the test.
    • Assumptions, constraints, risks, and mitigation strategies.
    • Test participants.
    • Key pre-test milestones, and test-day schedule.
    • After-action review.

    Download the Disaster Recovery Test Plan Template

    Input

    • Scope
    • High-level goals

    Output

    • Test plan, including goals, scope, key milestones, risks and mitigations, and test-day schedule

    Participants

    • Test coordinator develops the plan with support from:
      • Technical SMEs
      • Business liaisons
      • DR sponsor

    05 Run an after-action review

    30-60 minutes

    Take time after test exercises – especially large-scale tests with many participants – to consider what went well, what didn’t, and where you can improve future testing exercises. Track lessons learned and next steps at the bottom of your test plan.

    1. Start with a short (5-10 minute) debrief of the test and allow participants to ask questions. Confirm:
      • Did we meet the goals we set for the exercise, including RTOs and RPOs?
      • What was done well? What issues, gaps, and risks were identified?
    2. Work through variations of the following questions:
      • Was the test plan effective, and was the test well organized?
      • Was the documentation effective? Where did we follow the plan as documented, and where did we deviate from the plan?
      • Was our communication/collaboration during the test effective?
      • Have gaps and issues found during the test been reported to the testing coordinator? Could some of the issues uncovered apply more broadly to other IT services as well?
      • What could we test next, based on what was discovered?
      • Are there other tools or approaches that could be useful?

    Input

    • Insights and experience from a recent testing exercise

    Output

    • Identified gaps and risks, and action items to address them
    • Ideas to improve future test exercises

    Participants

    • Test coordinator develops the plan with support from:
      • Test coordinator
      • Test participants

    Follow a testing cycle

    All tests are expected to drive actions to improve resilience, as appropriate. Experience from previous tests will be applied to future testing exercises.

    The testing cycle: 1. Plan a test, 2. Run test, 3. Take action.

    Use your experience to simplify testing

    The fifth testing exercise should be easier than the first

    Outputs and lessons learned from testing should help you run future tests.

    • With past experience under their belt, participants should have a better understanding of their role, and of their peers’ roles, and the goal of the exercise.
    • Facilitators will be more comfortable facilitating the exercise, and everyone should be more confident in the steps required to recover their systems.
    • Gather feedback from participants through after-action reviews to identify what worked and what didn’t.
    • Documentation from previous tests can provide a template for future tests.
    • Gaps identified in previous tests can provide ideas for future tests.

    Experience, lessons learned, improved process, new test targets, repeat.

    Info-Tech Insight

    Testing should get easier over time. But if you’re easily passing every test, it’s a sign that you’re ready to run more challenging tests.

    06 Create a test program summary

    2-4 hours

    Regular testing allows you to build on prior tests and helps keep plans current despite changes to your environment.

    Keeping a regular testing schedule requires expertise, a process to coordinate your efforts, and a level of governance to provide oversight and ensure testing continues to deliver value. Create a call to action using Info-Tech’s Disaster Recovery Testing Program Summary Template.

    The result is a summary document that:

    • Identifies key takeaways and testing goals
    • Presents key elements of the testing program
    • Outlines the testing cycle
    • Lists expected milestones for the next year
    • Identifies participants
    • Recommends next steps

    “It is extremely important in the early stages of development to concentrate the focus on actual recoverability and data protection, enhancing these capabilities over time into a fully matured program that can truly test the recovery, and not simply focusing on the testing process itself.”

    – Joe Starzyk
    Senior Business Development Executive
    IBM Global Services

    Research Contributors and Experts

    • Bernard A. Jones, Business Continuity & Disaster Recovery Expert
    • Robert Nardella, IT Service Management, Certified z/OS Mainframe Professional
    • Larry Liss, Chief Technology Officer, Blank Rome LLP
    • Jennifer Goshorn, Chief Administrative and Chief Compliance Officer, Gunderson Dettmer LLP
    • Paul Kirvan, FBCI, CISA, Independent IT Consultant/Auditor, Paul Kirvan Associates
    • Steve Tower, Principal Consultant, Prompta Consulting Group
    • Joe Starzyk, Senior Business Development Executive, IBM Global Services
    • Thomas Bronack, Enterprise Resiliency and Corporate Certification Consultant, DCAG
    • Paul S. Randal, CEO & Owner, SQLskills.com
    • Tom Baumgartner, Disaster Recovery Analyst, Catholic Health

    Bibliography

    Alton, Yoni. “Ransomware simulators – reality or a bluff?” Palo Alto Blog, 2 May 2022. Accessed 31 Jan 2023.
    https://www.paloaltonetworks.com/blog/security-operations/ransomware-simulators-reality-or-a-bluff/

    Brathwaite, Shimon. “How to Test your Business Continuity and Disaster Recovery Plan,” Security Made Simple, 13 Nov 2022. Accessed 31 Jan 2023.
    https://www.securitymadesimple.org/cybersecurity-blog/how-to-test-your-business-continuity-and-disaster-recovery-plan

    The Business Continuity Institute. Good Practice Guidelines: 2018 Edition. The Business Continuity Institute, 2017.

    Emigh, Jacqueline. “Disaster Recovery Testing: Ensuring Your DR Plan Works,” Enterprise Storage Forum, 28 May 2019. Accessed 31 Jan 2023.
    Disaster Recovery Testing: Ensuring Your DR Plan Works | Enterprise Storage Forum

    Gardner, Dana. "Case Study: Strategic Approach to Disaster Recovery and Data Lifecycle Management Pays off for Australia's SAI Global." ZDNet. BriefingsDirect, 26 Apr 2012. Accessed 31 Jan 2023.
    http://www.zdnet.com/article/case-study-strategic-approach-to-disaster-recovery-and-data-lifecycle-management-pays-off-for-australias-sai-global/.

    IBM. “Section 11. Testing the Disaster Recovery Plan.” IBM, 2 Aug 2021. Accessed 31 Jan 2023. Section 11. Testing the disaster recovery plan - IBM Documentation Lutkevich, Ben and Alexander Gillis. “Chaos Engineering”. TechTarget, Jun 2021. Accessed 31 Jan 2023.
    https://www.techtarget.com/searchitoperations/definition/chaos-engineering

    Monperrus, Martin. “Principles of Antifragility.” Arxiv Forum, 7 June 2017. Accessed 31 Jan 2023.
    https://arxiv.org/ftp/arxiv/papers/1404/1404.3056.pdf

    “Principles of Chaos Engineering.” Principles of Chaos Engineering, 2019 March. Accessed 31 Jan 2023.
    https://principlesofchaos.org/

    Sloss, Benjamin Treynor. “Introduction.” Site Reliability Engineering. Ed. Betsy Beyer. O’Reilly Media, 2017. Accessed 31 Jan 2023.
    https://sre.google/sre-book/introduction/

    Identify and Manage Operational Risk Impacts on Your Organization

    • Buy Link or Shortcode: {j2store}230|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    More than any other time, our world is changing. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.

    Our Advice

    Critical Insight

    • Identifying and managing a vendor’s potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.
    • Organizational leadership is often taken unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.

    Impact and Result

    Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    • Prioritize and classify your vendors with quantifiable, standardized rankings.
    • Prioritize focus on your high-risk vendors.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.

    Identify and Manage Operational Risk Impacts on Your Organization Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify and Manage Operational Risk Impacts to Your Organization Storyboard – Use this research to better understand the negative impacts of vendor actions to your brand reputation.

    Use this research to identify and quantify the potential operational impacts caused by vendors. Utilize Info-Tech's approach to look at the operational impact from various perspectives to better prepare for issues that may arise.

    • Identify and Manage Operational Risk Impacts to Your Organization Storyboard

    2. Operational Risk Impact Tool – Use this tool to help identify and quantify the operational impacts of negative vendor actions.

    By playing the “what if” game and asking probing questions to draw out – or eliminate - possible negative outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Operational Risk Impact Tool
    [infographic]

    Further reading

    Identify and Manage Operational Risk Impacts on Your Organization

    Understand internal and external vendor risks to avoid potential disaster.

    Analyst perspective

    Organizations need to be aware of the operational damage vendors may cause to plan around those impacts effectively.

    Frank Sewell

    Organizations must be mindful that operational risks come from internal and external vendor sources. Missing either component in the overall risk assessment can significantly impact day-to-day business processes that cost revenue, delay projects, and lead to customer dissatisfaction.

    Frank Sewell,

    Research Director, Vendor Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    More than any other time, our world is changing rapidly. As a result, organizations – and their vendors – need to be able to adapt their plans to accommodate risk on an unprecedented level.

    A new threat will impact your organization's operations at some point. Make sure your plans are flexible enough to manage the inevitable consequences and that you understand where those threats may originate.

    Common Obstacles

    Identifying and managing a vendor’s potential operational impact on your organization requires multiple people in the organization across several functions. Those people all need coaching on the potential changes in the market and how these changes may affect operations.

    Organizational leadership is often taken unaware during crises, and their plans lack the flexibility to adjust to significant market upheavals.

    Info-Tech's Approach

    Vendor management practices educate organizations on the different potential risks from vendors in your market and suggest creative and alternative ways to avoid and help manage them.

    Prioritize and classify your vendors with quantifiable, standardized rankings.

    Prioritize focus on your high-risk vendors.

    Standardize your processes for identifying and monitoring vendor risks to manage potential impacts with our Operational Risk Impact Tool.

    Info-Tech Insight

    Organizations must evolve their risk assessments to be more adaptive to respond to threats in the market. Ongoing monitoring of the vendors tied to company operations, and understanding where those vendors impact your operations, is imperative to avoiding disasters.

    Info-Tech’s multi-blueprint series on vendor risk assessment

    There are many individual components of vendor risk beyond cybersecurity.

    There are many components to vendor risk, including: Financial, Reputational, Operational, Strategic, Security, Regulatory & Compliance.

    This series will focus on the individual components of vendor risk and how vendor management practices can facilitate organizations’ understanding of those risks.

    Out of Scope:
    This series will not tackle risk governance, determining overall risk tolerance and appetite, or quantifying inherent risk.

    Operational risk impacts

    Potential losses to the organization due to incidents that affect operations.

    • In this blueprint we’ll explore operational risks, particularly from third-party vendors, and their impacts.
    • Identify potentially disruptive events to assess the overall impact on organizations and implement adaptive measures to identify, manage, and monitor vendor performance.
    Operational

    The world is constantly changing

    The IT market is constantly reacting to global influences. By anticipating changes, leaders can set expectations and work with their vendors to accommodate them.

    When the unexpected happens, being able to adapt quickly to new priorities ensures continued long-term business success.

    Below are some things no one expected to happen in the last few years:

    27%

    Businesses are changing their internal processes around TPRM in response to the Pandemic.

    70%

    Of organizations attribute a third-party breach to too much privileged access.

    85%

    Of breaches involved human factors (phishing, poor passwords, etc.).

    Assess internal and external operational risk impacts

    Due diligence and consistent monitoring are the keys to safeguarding your organization.

    Two sides of the Same Coin

    Internal

    • Poorly vetted supplemental staff
    • Bad system configurations
    • Lack of relevant skills
    • Poor vendor performance
    • Failure to follow established processes
    • Weak contractual accountability
    • Unsupportable or end-of-life system components

    External

    • Cyberattacks
    • Supply Chain Issues
    • Geopolitical Disruptions
    • Vendor Acquisitions
    • N-Party Non-Compliance
    • Vendor Fraud

    Operational risk is the risk of losses caused by flawed or failed processes, policies, systems, or events that disrupt business operations.

    - Wikipedia

    Internal operational risk

    Vendors operating within your secure perimeter can open your organization to substantial risk.

    Frequently monitor your internal process around vendor management to ensure safe operations.

    • Poorly vetted supplemental staff
    • Bad system configurations
    • Lack of relevant skills
    • Poor vendor performance
    • Failure to follow established processes
    • Weak contractual accountability
    • Unsupportable or end-of-life system components

    Info-Tech Insight

    You may have solid policies, but if your employees and vendors are not following them, they will not protect the organization.

    External operational risks

    • Cyberattacks
    • Supplier issues and geopolitical instability
    • Vendor acquisitions
    • N-party vendor non-compliance

    Identify and manage operational risks

    Poorly configured systems

    Failing to ensure that your vendor-supported systems are properly configured and that your vendors are meeting your IT change control and configuration standards is more commonplace than expected. Proper oversight and management of your support vendors are crucial to ensure they are meeting expectations in this regard.

    Failure to follow processes

    Most companies have policies and procedures around IT change and configuration control, security standards, risk management, vendor performance standards, etc. While having these processes is a good start, failure to perform continuous monitoring and management of these leads to increased risks of incidents.

    Supply chain disruptions

    Awareness of the supply chain's complications, and each organization's dependencies, are increasing for everyone. However, most organizations still do not understand the chain of n-party vendors that support their specific vendors or how interruptions in their supply chains could affect them. The 2022 Toyota shutdown due to Kojima is a perfect example of how one essential parts vendor could shut down your operations.

    What to look for

    Identify operational risk impacts

    • Does the vendor have a business continuity plan they will share for your review?
    • Is the vendor operating on old hardware that may be out of warranty or at end of life?
    • Is the vendor operating on older software or shareware that may lack the necessary patches?
    • Does the vendor self-audit, or do they use a vetted third-party audit firm to issue a SOC report annually?
    • Does the vendor have sufficient personnel in acceptable regions to support your operations?
    • Is the vendor willing to make concessions on contractual protections, or are they only offering “one-sided” agreements with “as-is” warranties?

    Operational risks

    Not knowing where your risks come from creates additional risks to operations.

    • Supply chain disruptions and global shortages.
      • Geopolitical disruptions and natural disasters have caused unprecedented interruptions to business. Do you know where your critical vendors are getting their supplies? Are you aware of their business continuity plans to accommodate for those interruptions?
    • Poor vendor performance.
      • Organizations need to understand where vendors are acting in their operations and manage the impact of replacing that vendor and cutting their losses rather than continuing to throw good money away after a bad performance.
    • Vendor acquisitions.
      • A lot of acquisition is going on in the market today. Large companies are buying competitors, imposing new terms on customers, or removing competing products from the market. Understand your options if a vendor is acquired by a company with which you do not wish to be in a relationship.

    It is important to identify where potential risks to your operations may come from to manage and potentially eliminate them from impacting your organization.

    Info-Tech Insight

    Most organizations realize that their vendors could operationally affect them if an incident occurs. Still, they fail to follow the chain of events that might arise from those incidents to understand the impact fully.

    Prepare your vendor risk management for success

    Due diligence will enable successful outcomes.

    1. Obtain top-level buy-in; it is critical to success.
    2. Build enterprise risk management (ERM) through incremental improvement.
    3. Focus initial efforts on the “big wins” to prove the process works.
    4. Use existing resources.
    5. Build on any risk management activities that already exist in the organization.
    6. Socialize ERM throughout the organization to gain additional buy‑in.
    7. Normalize the process long term with ongoing updates and continuing education for the organization.

    How to assess third-party operational risk

    1. Review Organizational Operations

      Understand the organization’s operational risks to prepare for the “what if” game exercise.
    2. Identify and Understand Potential Operational Risks

      Play the “what if” game with the right people at the table.
    3. Create a Risk Profile Packet for Leadership

      Pull all the information together in a presentation document.
    4. Validate the Risks

      Work with leadership to ensure that the proposed risks are in line with their thoughts.
    5. Plan to Manage the Risks

      Lower the overall risk potential by putting mitigations in place.
    6. Communicate the Plan

      It is important not only to have a plan but also to socialize it in the organization for awareness.
    7. Enact the Plan

      Once the plan is finalized and socialized, put it in place with continued monitoring for success.

    Insight summary

    Operational risk impacts often come from unexpected places and have unforeseen impacts. Knowing where your vendors place in critical business processes and those vendors' business continuity plans concerning your organization should be a priority for those who manage the vendors.

    Insight 1

    Organizations fail to plan for vendor acquisitions appropriately.

    Vendors routinely get acquired in the IT space. Does your organization have appropriate safeguards from inadvertently entering a negative relationship? Do you have plans around replacing critical vendors purchased in such a manner?

    Insight 2

    Organizations often fail to understand how they factor into a vendor’s business continuity plan.

    If one of your critical vendors goes down, do you know how they intend to re-establish business? Do you know how you factor into their priorities?

    Insight 3

    Organizations need to have a comprehensive understanding of how their vendor-managed systems integrate with Operations.

    Do you understand where in the business processes vendor-supported systems lie? Do you have contingencies around disruptions that account for those pieces missing from the process?

    Identifying operational vendor risk

    Who should be included in the discussion

    • While it is true that executive-level leadership defines the strategy for an organization, it is vital for those making decisions to make informed decisions.
    • Getting input from operational experts at your organization will enhance your organization's long-term potential for success.
    • Involving those who not only directly manage vendors but also understand your business processes will aid in determining the forward path for relationships with your current vendors and identifying new emerging potential partners.

    See the blueprint Build an IT Risk Management Program

    Review your operational plans for new risks on a regular basis.

    Keep in mind Risk = Likelihood x Impact (R=L*I).

    Impact (I) tends to remain the same, while Likelihood (L) is becoming closer to 100% as threat actors become more prevalent

    Managing vendor operational risk impacts

    What can we realistically do about the risks?

    • Review vendors’ business continuity plans and disaster recovery testing.
      • Understand your priority in their plans.
    • Institute proper contract lifecycle management.
      • Make sure to follow corporate due diligence and risk assessment policies and procedures.
      • Failure to do so consistently can be a recipe for disaster.
    • Develop IT governance and change control.
    • Introduce continual risk assessment to monitor the relevant vendor markets.
      • Regularly review your operational plans for new risks and evolving likelihoods.
      • Risk = Likelihood x Impact (R=L*I).
        • Impact (I) tends to remain the same and be well understood, while Likelihood (L) may often be considered 100%.
    • Be adaptable and allow for innovations that arise from the current needs.
      • Capture lessons learned from prior incidents to improve over time and adjust your plans accordingly.

    Organizations need to review their organizational risk plans, considering the placement of vendors in their operations.

    Pandemics, extreme weather, and wars that affect global supply chains are current realities, not unlikely scenarios.

    Ongoing improvement

    Incorporating lessons learned

    • Over time, despite everyone’s best observations and plans, incidents will catch us off guard.
    • When it happens, follow your incident response plans and act accordingly.
    • An essential step is to document what worked and what did not – collectively known as the “lessons learned.”
    • Use the lessons learned document to devise, incorporate, and enact a better risk management process.

    Sometimes disasters occur despite our best plans to manage them.

    When this happens, it is important to document the lessons learned and improve our plans going forward.

    The "what if" game

    1-3 hours

    Vendor management professionals are in an excellent position to help senior leadership identify and pull together resources across the organization to determine potential risks. By playing the "what if" game and asking probing questions to draw out – or eliminate – possible adverse outcomes, everyone involved adds their insight into parts of the organization to gather a comprehensive picture of potential impacts.

    • Break into smaller groups (or if too small, continue as a single group).
    • Use the Operational Risk Impact Tool to prompt discussion on potential risks. Keep this discussion flowing organically to explore all potentials but manage the overall process to keep the discussion pertinent and on track.
    • Collect the outputs and ask the subject matter experts (SMEs) for management options for each one in order to present a comprehensive risk strategy. You will use this to educate senior leadership so that they can make an informed decision to accept or reject the solution.

    Download the Operational Risk Impact Tool

    Input

    • List of identified potential risk scenarios scored by likelihood and operational impact
    • List of potential management of the scenarios to reduce the risk

    Output

    • Comprehensive operational risk profile on the specific vendor solution

    Materials

    • Whiteboard/flip charts
    • Operational Risk Impact Tool to help drive discussion

    Participants

    • Vendor Management – Coordinator
    • Organizational Leadership
    • Operations Experts (SMEs)
    • Legal/Compliance/Risk Manager

    High risk example from tool

    Sample Questions to Ask to Identify Impacts. Lists questions impact score, weight, question and comments or notes.

    Being overly reliant on a single talented individual can impose risk to your operations. Make sure you include resiliency in your skill sets for critical business practices.

    Impact score and level. Each score for impacts are unique to the organization.

    Low risk example from tool

    Sample Questions to Ask to Identify Impacts. Lists questions impact score, weight, question and comments or notes. Impact score and level. Each score for impacts are unique to the organization.

    Summary

    Seek to understand all aspects of your operations.

    • Organizations need to understand and map out where vendors are critical to their operations.
    • Those organizations that consistently follow their established risk assessment and due diligence processes will be better positioned to avoid disasters.
    • Bring the right people to the table to outline potential risks in the market and your organization.
    • Understand how your vendors prioritize your organization in their business continuity processes.
    • Incorporate “lessons learned” from prior incidents into your risk management process to build better plans for future issues.

    Organizations must evolve their operational risk assessments considering their vendor portfolio.

    Ongoing monitoring of the market and the vendors tied to company operations is imperative to avoiding disaster.

    Related Info-Tech Research

    Identify and Manage Financial Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential financial impacts that vendors may incur and suggest systems to help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage financial impacts with our Financial Risk Impact Tool.

    Identify and Manage Reputational Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your reputation and brand with our Reputational Risk Impact Tool.

    Identify and Manage Strategic Risk Impacts on Your Organization

    • Vendor management practices educate organizations on the different potential risks to vendors in your market and suggest creative and alternative ways to avoid and help manage them.
    • Standardize your processes for identifying and monitoring vendor risks to manage potential impacts on your strategic plan with our Strategic Risk Impact Tool.

    Bibliography

    “Weak Cybersecurity is taking a toll on Small Businesses.” Tripwire. August 7, 2022.

    SecureLink 2022 White Paper SL_Page_EA+PAM (rocketcdn.me)

    Member Poll March 2021 "Guide: Evolving Work Environments Impact of Covid-19 on Profile and Management of Third Parties.“ Shared Assessments. March 2021.

    “Operational Risk.” Wikipedia.

    Tonello, Matteo. “Strategic Risk Management: A Primer for Directors.” Harvard Law School Forum on Corporate Governance, August 23, 2012.

    Frigo, Mark L., and Richard J. Anderson. “Embracing Enterprise Risk Management: Practical Approaches for Getting Started.” COSO, 2011.

    Leadership, Culture and Values

    • Buy Link or Shortcode: {j2store}34|cart{/j2store}
    • Related Products: {j2store}34|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.4/10
    • member rating average dollars saved: $912
    • member rating average days saved: 7
    • Parent Category Name: People and Resources
    • Parent Category Link: /people-and-resources

    The challenge

    • Your talent pool determines IT performance and stakeholder satisfaction. You need to retain talent and continually motivate them to go the extra mile.
    • The market for IT talent is growing, in the sense that talent has many more options these days. Turnover is a serious threat to IT's ability to deliver top-notch service to your company.
    • Engagement is more than HR's responsibility. IT leadership is accountable for the retention of top talent and the overall productivity of IT employees.

    Our advice

    Insight

    • Engagement goes both ways. Your initiatives must address a real need, and employees must actively seek the outcomes. Engagement is not a management edict.
    • Engagement is not about access to the latest perks and gadgets. You must address the right and challenging issues. Use a systematic approach to find what lives among the employees and address these.
    • Your impact on your employees is many times bigger than HR's. Leverage your power to lead your team to success and peak performance.

    Impact and results 

    • Our engagement diagnostic and other tools will help get to the root of disengagement in your team.
    • Our guidance helps you to avoid common errors and engagement program pitfalls. They allow you to take control of your own team's engagement.

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get started

    Our concise executive brief shows you why engagement is critical to IT performance in your company. We'll show you our methodology and the ways we can help you in handling this.

    Measure your employee engagement

    You can use our full engagement surveys.

    • Improve Employee Engagement to Drive IT Performance – Phase 1: Measure Employee Engagement (ppt)
    • Engagement Strategy Record (doc)
    • Engagement Communication Template (doc)

    Analyze the results and brainstorm solutions

    Understand your employees' engagement drivers. Involve your team in brainstorming engagement initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 2: Analyze Results and Ideate Solutions (ppt)
    • Engagement Survey Results Interpretation Guide (ppt)
    • Full Engagement Survey Focus Group Facilitation Guide (ppt)
    • Pulse Engagement Survey Focus Group Facilitation Guide (ppt)
    • Focus Group Facilitation Guide Driver Definitions (doc)
    • One-on-One Manager Meeting Worksheet (doc)

    Select and implement engagement initiatives

    Choose those initiatives that show the most promise with the most significant impact. Create your action plan and establish transparent and open, and ongoing communication with your team.

    • IT Knowledge Transfer Plan Template (xls)
    • IT Knowledge Identification Interview Guide Template (doc)

    Build your knowledge transfer roadmap

    Knowledge transfer is an ongoing effort. Prioritize and define your initiatives.

    • Improve Employee Engagement to Drive IT Performance – Phase 3: Select and Implement Engagement Initiatives (ppt)
    • Summary of Interdepartmental Engagement Initiatives (doc)
    • Engagement Progress One-Pager (ppt)

     

    Endpoint Management Selection Guide

    • Buy Link or Shortcode: {j2store}65|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing Applications
    • Parent Category Link: /end-user-computing-applications

    Endpoint management solutions are becoming an essential solution: Deploying the right devices and applications to the right user and the need for zero-touch provisioning are indispensable parts of a holistic strategy for improving customer experience. However, selecting the right-sized platform that aligns with your requirements is a big challenge.

    Following improvements in end-user computation strategies, selection of the right endpoint management solution is a crucial next step in delivering a concrete business value.

    Our Advice

    Critical Insight

    Investigate vendors’ roadmaps to figure out which of the candidate platforms can fulfill your long-term requirements, without any unnecessary investment in features that are not currently useful for you. Make sure you don’t purchase capabilities that you will never use.

    Impact and Result

    • Determine what you require from an endpoint management solution.
    • Review the market space and product offerings, and compare capabilities of key players.
    • Create a use case and use top-level requirements to determine use cases and shortlist vendors.
    • Conduct a formal process for interviewing vendors using Info-Tech’s templates to select the best platform for your requirements.

    Endpoint Management Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Endpoint Management Selection Guide Storyboard – A structured guide to walk you through the endpoint management market.

    This storyboard will help you understand endpoint management solution core capabilities and prepare you to select an appropriate tool.

    • Endpoint Management Selection Guide Storyboard

    2. UEM Requirements Workbook – A template to help you build your first draft of requirements for UEM selection.

    Use this spreadsheet to brainstorm use cases and features to satisfy your requirements. This document will be help you score solutions and narrow down the field to a list of candidates who can meet your requirements.

    • UEM Requirements Workbook
    [infographic]

    Further reading

    Endpoint Management Selection Guide

    Streamline your organizational approach to selecting a right-sized endpoint management platform.

    Endpoint Management Selection Guide

    Streamline your organizational approach toward the selection of a right-sized endpoint management platform.

    EXECUTIVE BRIEF

    Analyst Perspective

    Revolutionize your endpoint management with a proper tool selection approach

    The endpoint management market has an ever-expanding and highly competitive landscape. The market has undergone tremendous evolution in past years, from device management to application deployments and security management. The COVID-19 pandemic forced organizations to service employees and end users remotely while making sure corporate data is safe and user satisfaction doesn't get negatively affected. In the meantime, vendors were forced to leverage technology enhancements to satisfy such requirements.

    That being said, endpoint management solutions have become more complex, with many options to manage operating systems and run applications for relevant user groups. With the work-from-anywhere model, customer support is even more important than before, as a remote workforce may face more issues than before, or enterprises may want to ensure more compliance with policies.

    Moreover, the market has become more complex, with lots of added capabilities. Some features may not be beneficial to corporations, and with a poor market validation, businesses may end up paying for some capabilities that are not useful.

    In this blueprint, we help you quickly define your requirements for endpoint management and narrow down a list to find the solutions that fulfill your use cases.

    An image of Mahmoud Ramin, PhD

    Mahmoud Ramin, PhD
    Senior Research Analyst, Infrastructure and Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Endpoint management solutions are becoming increasingly essential – deploying the right devices and applications to the right users and zero-touch provisioning are indispensable parts of a holistic strategy for improving customers' experience. However, selecting the right-sized platform that aligns with your requirements is a big challenge.

    Following improvements in end-user computation strategies, selection of the right endpoint management solution is a crucial next step in delivering concrete business value.

    Common Obstacles

    Despite the importance of selecting the right endpoint management platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner. There are many options available, which can cause business and IT leaders to feel lost.

    The endpoint management market is evolving quickly, making the selection process tedious. On top of that, IT has a hard time defining their needs and aligning solution features with their requirements.

    Info-Tech's Approach

    Determine what you require from an endpoint management solution.

    Review the market space and product offerings, and compare the capabilities of key players.

    Create a use case – use top-level requirements to determine use cases and short-list vendors.

    Conduct a formal process for interviewing vendors, using Info-Tech's templates to select the best platform for your requirements.

    Info-Tech Insight

    Investigate vendors' roadmaps to figure out which of the candidate platforms can fulfill your long-term requirements without any unnecessary investment in features that are not currently useful for you. Make sure you don't purchase capabilities that you will never use.

    What are endpoint management platforms?

    Our definition: Endpoint management solutions are platforms that enable IT with appropriate provisioning, security, monitoring, and updating endpoints to ensure that they are in good health. Typical examples of endpoints are laptops, computers, wearable devices, tablets, smart phones, servers, and the Internet of Things (IoT).

    First, understand differences between mobile management solutions

    • Endpoint management solutions monitor and control the status of endpoints. They help IT manage and control their environment and provide top-notch customer service.
    • These solutions ensure a seamless and efficient problem management, software updates and remediations in a secure environment.
    • Endpoint management solutions have evolved very quickly to satisfy IT and user needs:
    • Mobile Device Management (MDM) helps with controlling features of a device.
    • Enterprise Mobile Management (EMM) controls everything in a device.
    • Unified Endpoint Management (UEM) manages all endpoints.

    Endpoint management includes:

    • Device management
    • Device configuration
    • Device monitoring
    • Device security

    Info-Tech Insight

    As endpoint management encompasses a broad range of solution categories including MDM, EMM, and UEM, look for your real requirements. Don't pay for something that you won't end up using.

    As UEM covers all of MDM and EMM capabilities, we overview market trends of UEM in this blueprint to give you an overall view of market in this space.

    Your challenge: Endpoint management has evolved significantly over the past few years, which makes software selection overwhelming

    An mage showing endpoint management visualzed as positions on an iceberg. at the top is UEM, at the midpoint above the waterline is Enterprise Mobile Management, and below the water is Mobile Device Management.

    Additional challenges occur in securing endpoints

    A rise in the number of attacks on cloud services creates a need to leverage endpoint management solutions

    MarketsandMarkets predicted that global cloud infrastructure services would increase from US$73 billion in 2019 to US$166.6 billion in 2024 (2019).

    A study by the Ponemon Institute showed that 68% of respondents believe that security attacks increased over the past 12 months (2020).

    The study reveals that over half of IT security professionals who participated in the survey believe that organizations are not very efficient in securing their endpoints, mainly because they're not efficient in detecting attacks.

    IT professionals would like to link endpoint management and security platforms to unify visibility and control, to determine potential risks to endpoints, and to manage them in a single solution.

    Businesses will continue to be compromised by the vulnerabilities of cloud services, which pose a challenge to organizations trying to maintain control of their data.

    Trends in endpoint management have been undergoing a tremendous change

    In 2020, about 5.2 million users subscribed to mobile services, and smartphones accounted for 65% of connections. This will increase to 80% by 2025.
    Source: Fortune Business Insights, 2021

    Info-Tech's methodology for selecting a right-sized endpoint management platform

    1. Understand Core Features and Build Your Use Case

    2. Discover the Endpoint Management Market Space and Select the Right Vendor

    Phase Steps

    1. Define endpoint management platforms
    2. Explore endpoint management trends
    3. Classify table stakes & differentiating capabilities
    4. Streamline the requirements elicitation process for a new endpoint management platform
    1. Discover key players across the vendor landscape
    2. Engage the shortlist and select finalists
    3. Prepare for implementation

    Phase Outcomes

    1. Consensus on scope of endpoint management and key endpoint management platform capabilities
    2. Top-level use cases and requirements
    1. Overview of shortlisted vendors
    2. Prioritized list of UEM features

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2

    Call #1: Understand what an endpoint management platform is and learn how it evolved. Discuss core capabilities and key trends.
    Call #2: Build a use case and define features to fulfill the use case.

    Call #3: Define your core endpoint management platform requirements.
    Call #4: Evaluate the endpoint management platform vendor landscape and shortlist viable options.
    Review implementation considerations.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The endpoint management purchase process should be broken into segments:

    1. Endpoint management vendor shortlisting with this buyer's guide
    2. Structured approach to selection
    3. Contract review

    Info-Tech's approach

    The Info-Tech difference:
    Analyze needs

    Evaluate solutions

    Determine where you need to improve the tools and processes used to support the company.

    Determine the best fit for your needs by scoring against features.

    Assess existing solution

    Features

    Determine if your solution can be upgraded or easily updated to meet your needs.

    Determine which features will be key to your success

    Create a business case for change

    Use Cases

    A two-part business case will focus on a need to change and use cases and requirements to bring stakeholders onboard.

    Create use cases to ensure your needs are met as you evaluate features

    Improve existing

    High-Level Requirements

    Work with Info-Tech's analysts to determine next steps to improve your process and make better use of the features you have available.

    Use the high-level requirements to determine use cases and shortlist vendors

    Complementary research:

    Create a quick business case and requirements document to align stakeholders to your vision with Info-Tech's Rapid Application Selection Framework.
    See what your peers are saying about these vendors at SoftwareReviews.com.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Phase 1

    Understand core features and build your business case

    Phase 1

    Phase 2

    Define endpoint management platforms

    Explore endpoint management trends

    Classify table stakes & differentiating capabilities

    Streamline the requirements elicitation process for a new endpoint management platform

    Discover key players across the vendor landscape

    Engage the shortlist and select finalist

    Prepare for implementation

    This phase will walk you through the following activity:

    Define use cases and core features for meeting business and technical goals

    This phase involves the following participants:

    • CIO
    • IT manager
    • Infrastructure & Applications directors
    Mobile Device Management

    Enterprise Mobile Management

    MDM applies security over corporate-owned devices.

    What is MDM and what can you do with it?

    1. MDM helps manage and control corporate owned devices.
    2. You can enforce company policies, track, monitor, and lock device remotely by an MDM.
    3. MDM helps with remote wiping of the device when it is lost or stolen.
    4. You can avoid unsecure Wi-Fi connections via MDM.

    EMM solutions solve the restrictions arose with BYOD (Bring Your Own Device) and COPE (Corporate Owned, Personally Enabled) provisioning models.

    • IT needs to secure corporate-owned data without compromising personal and private data. MDM cannot fulfill this requirement. This led to the development of EMM solutions.
    • EMM tools allow you to manage multiple device platforms through MDM protocols. These tools enforce security settings, allow you to push apps to managed devices, and monitor patch compliance through reporting.

    MDM solutions function at the level of corporate devices. Something else was needed to enable personal device management.

    Major components of EMM solutions

    Mobile Application Management (MAM)

    Allows organizations to control individual applications and their associated data. It restricts malicious apps and enables in-depth application management, configuration, and removal.

    Containerization

    Enables separation of work-related data from private data. It provides encrypted containers on personal devices to separate the data, providing security on personal devices while maintaining users' personal data.

    Mobile Content Management (MCM)

    Helps remote distribution, control, management, and access to corporate data.

    Mobile Security Management (MSM)

    Provides application and data security on devices. It enables application analysis and auditing. IT can use MSM to provide strong passwords to applications, restrict unwanted applications, and protect devices from unsecure websites by blacklisting them.

    Mobile Expense Management (MEM)

    Enables mobile data communication expenses auditing. It can also set data limits and restrict network connections on devices.

    Identity Management

    Sets role-based access to corporate data. It also controls how different roles can use data, improving application and data security. Multifactor authentication can be enforced through the identity management featured of an EMM solution.

    Unified endpoint management: Control all endpoints in a single pane of glass

    IT admins used to provide customer service such as installation, upgrades, patches, and account administration via desktop support. IT support is not on physical assistance over end users' desktops anymore.

    The rise of BYOD enhanced the need to be able to control sensitive data outside corporate network connection on all endpoints, which was beyond the capability of MDM and EMM solutions.

    • It's now almost impossible for IT to be everywhere to support customers.
    • This created a need to conduct tasks simultaneously from one single place.
    • UEM enables IT to run, manage, and control endpoints from one place, while ensuring that device health and security remain uncompromised.
    • UEM combines features of MDM and EMM while extending EMM's capabilities to all endpoints, including computers, laptops, tablets, phones, printers, wearables, and IoT.

    Info-Tech Insight

    Organizations once needed to worry about company connectivity assets such as computers and laptops. To manage them, traditional client management tools like Microsoft Configuration Manager would be enough.

    With the increase in the work-from-anywhere model, it is very hard to control, manage, and monitor devices that are not connected to a VPN. UEM solutions enable IT to tackle this challenge and have full visibility into and management of any device.

    UEM platforms help with saving costs and increasing efficiency

    UEM helps corporates save on their investments as it consolidates use-case management in a single console. Businesses don't need to invest in different device and application management solutions.

    From the employee perspective, UEM enables them to work on their own devices while enforcing security on their personal data.

    • Security and privacy are very important criteria for organizations. With the rapid growth of the work-from-anywhere model, corporate security is a huge concern for companies.
    • Working from home has forced companies to invest a lot in data security, which has led to high UEM demand. UEM solutions streamline security management by consolidating device management in a single platform.
    • With the fourth-generation industrial revolution, we're experiencing a significant rise in the use of IoT devices. UEM solutions are very critical for managing, configuring, and securing these devices.
    • There will be a huge increase in cyber threats due to automation, IoT, and cloud services. The pandemic has sped up the adoption of such services, forcing businesses to rethink their enterprise mobility strategies. They are now more cautious about security risks and remediations. Businesses need UEM to simplify device management on multiple endpoints.
    • With UEM, IT environment management gets more granular, while giving IT better visibility on devices and applications.

    UEM streamlines mundane admin tasks and simplifies user issues.

    Even with a COPE or COBO provisioning model, without any IT intervention, users can decide on when to install relevant updates. It also may lead to shadow IT.

    Endpoint management, and UEM more specifically, enables IT to enforce administration over user devices, whether they are corporate or personally owned. This is enabled without interfering with private/personal data.

    Where it's going: The future state of UEM

    Despite the fast evolution of the UEM market, many organizations do not move as fast as technological capabilities. Although over half of all organizations have at least one UEM solution, they may not have a good strategy or policies to maximize the value of technology (Tech Orchard, 2022). As opposed to such organizations, there are others that use UEM to transform their endpoint management strategy and move service management to the next level. That integration between endpoint management and service management is a developing trend (Ivanti, 2021).

    • SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. Further, the pandemic saw 47% of organizations significantly increase their use of BYOD (Cybersecurity Insiders, 2021).
    • Over 2022, 78% of people worked remotely for at least some amount of time during the week (Tech Orchard, 2022).
    • 84% of organizations believe that cybersecurity threat alarms are becoming very overwhelming, and almost half of companies believe that the best way to tackle this is through consolidating platforms so that everything will be visible and manageable through a single pane of glass (Cybersecurity Insiders, 2022).
    • The UEM market was worth $3.39 billion in 2020. It is expected to reach $53.65 billion by 2030, with an annual growth rate of 31.7% (Datamation, 2022). This demonstrates how dependent IT is becoming on endpoint management solutions.

    An image of a donut chart showing the current state of UEM Strategy.

    Only 27% of organizations have "fully deployed" UEM "with easy management across all endpoints"
    Source: IT Pro Today, 2018.

    Endpoint Management Key Trends

    • Commoditization of endpoint management features. Although their focus is the same, some UEM solutions have unique features.
    • New endpoint management paradigms have emerged. Endpoint management has evolved from client management tools (CMT) and MDM into UEM, also known as "modern management" (Ivanti, 2022).
    • One pane of glass for the entire end-user experience. Endpoint management vendors are integrating their solution into their ITSM, ITOM, digital workspace, and security products.
    • AI-powered insights. UEM tools collect data on endpoints and user behavior. Vendors are using their data to differentiate themselves: Products offer threat reports, automated compliance workflows, and user experience insights. The UEM market is ultimately working toward autonomous endpoint management (Microsoft, 2022).
    • Web apps and cloud storage are the new normal. Less data is stored locally. Fewer apps need to be patched on the device. Apps can be accessed on different devices more easily. However, data can more easily be accessed on BYOD and on new operating systems like Chrome OS.
    • Lighter device provisioning tools. Instead of managing thick images, UEM tools use lighter provisioning packages. Once set up, Autopilot and UEM device enrollment should take less time to manage than thick images.
    • UEM controls built around SaaS. Web apps and the cloud allow access from any device, even unmanaged BYOD. UEM tools allow IT to apply the right level of control for the situation – mobile application management, mobile content management, or mobile device management.
    • Work-from-anywhere and 5G result in more devices outside of your firewalls. Cloud-based management tools are not limited by your VPN connection and can scale up more easily than traditional, on-prem tools.

    Understand endpoint management table stakes features

    Determine high-level use cases to help you narrow down to specific features

    Support the organization's operating systems:
    Many UEM vendors support the most dominant operating systems, Windows and Mac; however, they are usually stronger in one particular OS than the other. For instance, Intune supports both Windows and Mac, although there are some drawbacks with MacOS management by Intune. Conversely, Jamf is mainly for MacOS and iOS management. Enterprises look to satisfy their end users' needs. The more UEM vendors support different systems, the more likely enterprises will pick them. Although, as mentioned, in some instances, enterprises may need to select more than one option, depending on their requirements.

    Support BYOD and remote environments:
    With the impact of the pandemic on work model, 60-70% of workforce would like to have more flexibility for working remotely (Ivanti, 2022). BYOD is becoming the default, and SaaS tools like Office 365 are built to be used on multiple devices, including multiple computers. As BYOD can boost productivity (Samsung Insights, 2016), you may be interested in how your prospective UEM solution will enable this capability with remote wipe (corporate wipe capability vs. wiping the whole device), data and device tracking, and user activity auditing.

    Understand endpoint management table stakes features

    Determine high-level use cases to help you narrow down to specific features

    Integration with the enterprise's IT products:
    To get everything in a single platform and to generate better metrics and dashboards, vendors provide integrations with ticketing and monitoring solutions. Many large vendors have strong integrations with multiple ITSM and ITAM platforms to streamline incident management, request management, asset management, and patch management.

    Support security and compliance policies:
    With the significant boost in work-from-anywhere, companies would like to enable endpoint security more than ever. This includes device threat detection, malware detection, anti-phishing, and more. All UEMs provide these, although the big difference between them is how well they enable security and compliance, and how flexible they are when it comes to giving conditional access to certain data.

    Provide a fully automated vs manual deployment:
    Employees want to get their devices faster, IT wants to deploy devices faster, and businesses want to enable employees faster to get them onboard sooner. UEMs have the capability to provide automated and manual deployment. However, the choice of solution depends on enterprise's infrastructure and policies. Full automation of deployment is very applicable for corporate devices, while it may not be a good option for personally owned devices. Define your user groups and provisioning models, and make sure your candidate vendors satisfy requirements.

    Plan a proper UEM selection according to your requirements

    1. Identify IT governance, policy, and process maturity
      Tools cannot compensate for your bad processes. You should improve deploying and provisioning processes before rolling out a UEM. Automation of a bad process only wraps the process in a nicer package – it does not fix the problem.
      Refer to InfoTech's Modernize and Transform Your End-User Computing Strategy for more information on improving endpoint management procedures.
    2. Consider supported operating systems, cloud services, and network infrastructure in your organization
      Most UEMs support all dominant operating systems, but some solutions have stronger capability for managing a certain OS over the other.
    3. Define enterprise security requirements
      Investigate security levels, policies, and requirements to align with the security features you're expecting in a UEM.
    4. Selection and implementation of a UEM depends on use case. Select a vendor that supports your use cases
      Identify use cases specific to your industry.
      For example, UEM use cases in Healthcare:
      • Secure EMR
      • Enforce HIPAA compliance
      • Secure communications
      • Enable shared device deployment

    Activity: Define use cases and core features for meeting business and technical goals

    1-2 hours

    1. Brainstorm with your colleagues to discuss your challenges with endpoint management.
    2. Identify how these challenges are impacting your ability to meet your goals for managing and controlling endpoints.
    3. Define high-level goals you wish to achieve in the first year and in the longer term.
    4. Identify the use cases that will support your overall goals.
    5. Document use cases in the UEM Requirements Workbook.

    Input

    • List of challenges and goals

    Output

    • Use cases to be used for determining requirements

    Materials

    • Whiteboard/flip charts
    • Laptop to record output

    Participants

    • CIO
    • IT manager
    • Infrastructure & Applications directors

    Download the UEM Requirements Workbook

    Phase 2

    Discover the endpoint management market space and select the right vendor

    Phase 1

    Phase 2

    Define endpoint management platforms

    Explore endpoint management trends

    Classify table stakes & differentiating capabilities

    Streamline the requirements elicitation process for a new endpoint management platform

    Discover key players across the vendor landscape

    Engage the shortlist and select finalist

    Prepare for implementation

    This phase will walk you through the following activity:
    Define top-level features for meeting business and technical goals
    This phase involves the following participants:

    • CIO
    • IT manager
    • Infrastructure & Applications directors
    • Project managers

    Elicit and prioritize granular requirements for your endpoint management platform

    Understanding business needs through requirements gathering is the key to defining everything about what is
    being purchased. However, it is an area where people often make critical mistakes.

    Risks of poorly scoped requirements

    • Fail to be comprehensive and miss certain areas of scope.
    • Focus on how the solution should work instead of what it must accomplish.
    • Have multiple levels of confusing and inconsistent detail in the requirements.
    • Drill down all the way to system-level detail.
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow.
    • Omit constraints or preferences that buyers think are "obvious."

    Best practices

    • Get a clear understanding of what the system needs to do and what it is expected to produce.
    • Test against the principle of MECE – requirements should be "mutually exclusive and collectively exhaustive."
    • Explicitly state the obvious and assume nothing.
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes.
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.

    Review Info-Tech's blueprint Improve Requirements Gathering to improve your requirements gathering process.

    Consider the perspective of each stakeholder to ensure functionality needs are met

    Best of breed vs. "good enough" is an important discussion and will feed your success

    Costs can be high when customizing an ill-fitting module or creating workarounds to solve business problems, including loss of functionality, productivity, and credibility.

    • Start with use cases to drive the initial discussion, then determine which features are mandatory and which are nice-to-haves. Mandatory features will help determine high success for critical functionality and identify where "good enough" is an acceptable state.
    • Consider the implications of implementation and all use cases of:
      • Buying an all-in-one solution.
      • Integration of multiple best-of-breed solutions.
      • Customizing features that were not built into a solution.
    • Be prepared to shelve a use case for this solution and look to alternatives for integration where mandatory features cannot meet highly specialized needs that are outside of traditional endpoint management solutions.

    Pros and Cons

    An image showing the pros and cons of building vs buying

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews
    A screenshot of softwareReviews Data Quadrant analyis.. A screenshot of softwareReviews Emotonal Fotprint analyis
    • evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.
    • Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.
    • The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.
    • Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    • Fact-based reviews of business software from IT professionals.
    • Product and category reports with state-of-the-art data visualization.
    • Top-tier data quality backed by a rigorous quality assurance process.
    • User-experience insight that reveals the intangibles of working with a vendor.

    CLICK HERE to ACCESS

    Comprehensive software reviews
    to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology.
    With the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    Get to Know the Key Players in the Endpoint Management Landscape

    The following slides provide a top-level overview of the popular players you will encounter in the endpoint management shortlisting process in alphabetical order.

    A screenshot showing a series of logos for the companies addressed later in this blueprint. It includes: Ciso; Meraki; Citrix; IBM MaaS360; Ivanti; Jamf|Pro; ManageEngine Endpoint Central; Microsoft Endpoint Manager, and VMWARE.

    Vendor scores are driven by real-world practitioner reviews via SoftwareReviews. Composite, CX, EF, and NPS scores are pulled from live data as of January 2023.

    Secure business units and enhance connection by simplifying the digital workplace

    A good option for enterprises that want a single-pane-of-glass UEM that is easy to use, with a modern-looking dashboard, high threat-management capability, and high-quality customer support.

    CISCO Meraki

    Est. 1984 | CA, USA | NASDAQ: CSCO

    8.8

    9.1

    +92

    91%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    This is a Screenshot of CISCO Meraki's dashboard.

    Screenshot of CISCO Meraki's dashboard. Source: Cisco

    Strengths:

    Areas to improve:

    • Cisco Meraki offers granular control over what users can and cannot use.
    • The system is user friendly and intuitive, with a variety of features.
    • The anti-malware capability enhances security.
    • Users are very satisfied with being able to control everything in a single platform.
    • System configuration is easy.
    • Vendor relationship is very high with a rate of 96%.
    • System setup is easy, and users don't need much experience for initial configuration of devices.
    • Users are also mostly satisfied with the platform design.
    • Monitoring within the tool is easy.
    • According to SoftwareReviews' survey report, the primary reason for leaving Cisco Meraki and switching over to another vendor is functionality.
    • Regardless of the top-notch offerings and high-quality features, the product is relatively expensive. The quality and price factors make the solution a better fit for large enterprises. However, SoftwareReviews' scorecard for Cisco Meraki shows that small organizations are the most satisfied compared to the medium and large enterprises, with a net promoter score of 81%.

    Transform work experience and support every endpoint with a unified view to ensure users are productive

    A tool that enables you to access corporate resources on personal devices. It is adaptable to your budget. SoftwareReviews reports that 75% of organizations have received a discount at initial purchase or renewal, which makes it a good candidate if looking for a negotiable option.

    Citrix Endpoint Management

    Est. 1989 | TX, USA | Private

    7.9

    8.0

    8.0

    83%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of Citrix Endpoint Management's dashboard.

    Screenshot of Citrix Endpoint Management's dashboard. Source: Citrix

    Strengths:

    Areas to improve:

    • Citrix Endpoint Management is a cloud-centric, easy-to-use UEM with an upgradable interface.
    • The solution simplifies endpoint management and provides real-time visibility and notifications.
    • Citrix allows deployments on different operating systems to meet organizations' infrastructure requirements.
    • The vendor offers different licenses and pricing models, allowing businesses of different sizes to use the tool based on their budgets and requirements.
    • Some users believe that integration with external applications should be improved.
    • Deployment is not very intuitive, making implementation process challenging.
    • User may experience some lagging while opening applications on Citrix. Application is even a bit slower when using a mobile device.

    Scale remote users, enable BYOD, and drive a zero-trust strategy with IBM's modern UEM solution

    A perfect option to boost cybersecurity. Remote administration and installation are made very easy and intuitive on the platform. It is very user friendly, making implementation straightforward. It comes with four licensing options: Essential, Deluxe, Premier, and Enterprise. Check IBM's website for information on pricing and offerings.

    IBM MaaS360

    Est. 1911 | NY, USA | NYSE: IBM

    7.7

    8.4

    +86

    76%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of IBM MaaS360's dashboard.

    Screenshot of IBM MaaS360's dashboard. Source: IBM

    Strengths:

    Areas to improve:

    • IBM MaaS360 is easy to install and implement.
    • It has different pricing models to fit enterprises' needs.
    • MaaS360 is compatible with different operating systems.
    • Security management is one of the strongest features, making the tool perfect for organizations that want to improve cybersecurity.
    • Vendor support is very effective, and users find knowledge articles very helpful.
    • It has a very intuitive dashboard.
    • The tool can control organizational data, allowing you to apply BYOD policy.
    • AI Advisor with Watson provides AI-driven reporting and insights.
    • Working with iOS may not be as intuitive as other operating systems.
    • Adding or removing users in a user group is not very straightforward.
    • Some capabilities are limited to particular Android or iOS devices.
    • Deploying application packages may be a bit difficult.
    • Hardware deployment may need some manual work and is not fully automated.

    Get complete device visibility from asset discovery to lifecycle management and remediation

    A powerful tool for patch management with a great user interface. You can automate patching and improve cybersecurity, while having complete visibility into devices. According to SoftwareReviews, 100% of survey participants plan to renew their contract with Ivanti.

    Ivanti Neurons

    Est. 1985 | CA, USA | Private

    8.0

    8.0

    +81

    83%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of Ivanti Neurons UEM's dashboard.

    Screenshot of Ivanti Neurons UEM's dashboard. Source: Ivanti

    Strengths:

    Areas to improve:

    • The tool is intuitive and user friendly.
    • It's a powerful security management platform, supporting multiple operating systems.
    • Ivanti Neurons is very strong in patch management and inventory management. It helps a seamless application deployment.
    • Users can install their applications via Ivanti's portal.
    • The user interface is very powerful and easy to use.
    • AI-augmented process management automates protocols, streamlining device management and application updates.
    • Vendor is very efficient in training and provides free webinars.
    • Data integration is very easy. According to SoftwareReviews, it had a satisfaction score for ease of data integration of 86%, which makes Ivanti the top solution for this capability.
    • Data analytics is powerful but complicated.
    • Setup is easy for some teams but not as easy for others, which may cause delays for implementation.
    • Software monitoring is not as good as other competitors.

    Improve your end-user productivity and transform enterprise Apple devices

    An Apple-focused UEM with a great interface. Jamf can manage and control macOS and iOS, and it is one of the best options for Apple products, according to users' sentiments. However, it may not be a one-stop solution if you want to manage non-Apple products as well. In this case, you can use Jamf in addition to another UEM. Jamf has some integrations with Microsoft, but it may not be sufficient if you want to fully manage Windows endpoints.

    Jamf PRO

    Est. 2002 | MN, USA | NASDAQ: JAMF

    8.8

    8.7

    +87

    95%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of Jamf PRO's dashboard.

    Screenshot of Jamf PRO's dashboard. Source: Jamf

    Strengths:

    Areas to improve:

    • Jamf Pro is a unique product with an easy implementation that enables IT with minimum admin intervention.
    • It can create smart groups (based on MDM profile and user group) to automatically assign users to their pertinent apps and updates.
    • It's a very user-friendly tool, conducting device management in fewer steps than other competitors.
    • Reports are totally customizable and dynamic.
    • Notifications are easy to navigate and monitor.
    • Self-service feature enables end users to download their predefined categories of applications in the App Store.
    • It can apply single sign-on integrations to streamline user access to applications.
    • Businesses can personalize the tool with corporate logos.
    • Vendor does great for customer service when problems arise.
    • It is a costly tool relative to other competitors, pushing prospects to consider other products.
    • The learning process may be long and not easy, especially if admins do not script, or it's their first time using a UEM.

    Apply automation of traditional desktop management, software deployment, endpoint security, and patch management

    A strong choice for patch management, software deployment, asset management, and security management. There is a free version of the tool available to try get an understanding of the platform before purchasing a higher tier of the product.

    ManageEngine Endpoint Central

    Est. 1996 | India | Private

    8.3

    8.3

    +81

    88%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of ME Endpoint Central's dashboard.

    Screenshot of ME Endpoint Central's dashboard. Source: ManageEngine

    Strengths:

    Areas to improve:

    • It supports several operating systems including Windows, Mac, Linux, Android, and iOS.
    • Endpoint Central provides end-to-end monitoring, asset management, and security in a single platform.
    • Setup is simple and intuitive, and it's easy to learn and configure.
    • The reporting feature is very useful and gives you clear visibility into dashboard.
    • Combined with ME Service Desk Plus, we can call Endpoint Central an all-in-one solution.
    • The tool provides a real-time report on devices and tracks their health status.
    • It has multiple integrations with third-party solutions.
    • Tool does not automate updates, making application updates time-consuming.
    • Sometimes, patches and software deployments fail, and the tool doesn't provide any information on the reason for the failure.
    • There is no single point of contact/account manager for the clients when they have trouble with the tool.
    • Remote connection to Android devices can sometimes get a little tedious.

    Get device management and security in a single platform with a combination of Microsoft Intune and Configuration Manager

    A solution that combines Intune and ConfigMgr's capabilities into a single endpoint management suite for enrolling, managing, monitoring, and securing endpoints. It's a very cost-effective solution for enterprises in the Microsoft ecosystem, but it also supports other operating systems.

    Microsoft Endpoint Manager

    Est. 1975 | NM, USA | NASDAQ: MSFT

    8.0

    8.5

    +83

    85%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of MS Endpoint Manager's dashboard.

    Screenshot of MS Endpoint Manager's dashboard. Source: Microsoft

    Strengths:

    Areas to improve:

    • Licensing for the enterprises that use Windows as their primary operating system is more efficient and cost effective.
    • Endpoint Manager is very customizable, with the ability to assign personas to device groups.
    • Besides Windows, it manages other operating systems, such as Linux, Android, and iOS.
    • It creates endpoint security and compliance policies for BitLocker that streamlines data protection and security. It also provides SSO.
    • It provides very strong documentation and knowledgebase.
    • User interface is not as good as competitors. It's a bit clunky and complex to use.
    • The process of changing configurations on devices can be time consuming.
    • Sometimes there are service outages such as Autopilot failure, which push IT to deploy manually.
    • Location tracking is not very accurate.

    Simplify and consolidate endpoint management into a single solution and secure all devices with real-time, "over-the-air" modern management across all use cases

    A strong tool for managing and controlling mobile devices. It can access all profiles through Google and Apple, and it integrates with various IT management solutions.

    VMware Workspace ONE

    Est. 1998 | CA, USA | NYSE: VMW

    7.5

    7.4

    +71

    75%

    COMPOSITE SCORE

    CX SCORE

    EMOTIONAL FOOTPRINT

    LIKELINESS TO RECOMMEND

    DOWNLOAD REPORT

    Screenshot of Workspace ONE's dashboard.

    Screenshot of Workspace ONE's dashboard. Source: VMware

    Strengths:

    Areas to improve:

    • Workspace ONE provides lots of information about devices.
    • It provides a large list of integrations.
    • The solution supports various operating systems.
    • The platform has many out-of-the-box features and helps with security management, asset management, and application management.
    • The vendor has a community forum which users find helpful for resolving issues or asking questions about the solution.
    • It is very simple to use and provides SSO capability.
    • Implementation is relatively easy and straightforward.
    • Customization may be tricky and require expertise.
    • The solution can be more user friendly with a better UI.
    • Because of intensive processing, updates to applications take a long time.
    • The tool may sometimes be very sensitive and lock devices.
    • Analytics and reporting may need improvement.

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:

    1. Reviewing your requirements
    2. Checking out SoftwareReviews
    3. Shortlisting your vendors
    4. Conducting demos and detailed proposal reviews
    5. Selecting and contracting with a finalist!

    Activity: Define high-level features for meeting business and technical goals

    Input

    • List of endpoint management use cases
    • List of prioritized features

    Output

    • Vendor evaluation
    • Final list of candidate vendors

    Materials

    • Whiteboard/flip charts
    • Laptop
    • UEM Requirements Workbook

    Participants

    • CIO
    • IT manager
    • Infrastructure & Applications directors
    • Project managers

    Activity: Define top-level features for meeting business and technical goals

    As there are many solutions in the market that share capabilities, it is imperative to closely evaluate how well they fulfill your endpoint management requirements.
    Use the UEM Requirements Workbook to identify your desired endpoint solution features and compare vendor solution functionality based on your desired features.

    1. Refer to the output of the previous activity, the identified use cases in the spreadsheet.
    2. List the features you want in an endpoint solution for your devices that will fulfill these use cases. Record those features in the second column ("Detailed Feature").
    3. Prioritize each feature (must have, should have, nice to have, not required).
    4. Send this list to candidate vendors.
    5. When you finish your investigation, review the spreadsheet to compare the various offerings and pros and cons of each solution.

    Info-Tech Insight

    The output of this activity can be used for a detailed evaluation of UEM vendors. The next steps will be vendor briefing and having further discussion on technical capabilities and conducting demos of solutions. Info-Tech's blueprint, The Rapid Application Selection Framework, takes you to these next steps.

    This is a screenshot showing the high value use cases table from The Rapid Application Selection Framework.

    Download the UEM Requirements Workbook

    Leverage Info-Tech's research to plan and execute your endpoint management selection and implementation

    Use Info-Tech Research Group's blueprints for selection and implementation processes to guide your own planning.

    • Assess
    • Prepare
    • Govern & Course Correct

    This is a screenshot of the title pages from INfo-tech's Governance and management of enterprise Software Implementaton; and The Rapid Applicaton Selection Framework.

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:

    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value can encourage relationship building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing those concerns.

    Proximity

    Distributed teams create complexity because communication can break down more easily. This can be mitigated by:

    • Location: Placing teams in proximity can close the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication Tools: Having the right technology (e.g. video conference) can help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:

    Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.

    • Role Clarity: Having a clear definition of what everyone's role is.

    Implementation with a partner typically results in higher satisfaction

    Align your implementation plans with both the complexity of the solution and internal skill levels

    Be clear and realistic in your requirements to the vendor about the level of involvement you need to be successful.

    Primary reasons to use a vendor:

    • Lack of skilled resources: For solutions with little configuration change happening after the initial installation, the ramp-up time for an individual to build skills for a single event is not practical.
    • Complexity of solution: Multiple integrations, configurations, modules, and even acquisitions that haven't been fully integrated in the solution you choose can make it difficult to complete the installation and rollout on time and on budget. Troubleshooting becomes even more complex if multiple vendors are involved.
    • Data migration: Decide what information will be valuable to transfer to the new solution and which will not benefit your organization. Data structure and residency can both be factors in the complexity of this exercise.

    This is an image of a bar graph showing the Satisfaction Net Promotor Score by Implementation type and Organization Size.

    Source: SoftwareReviews, January 2020 to January 2023, N= 20,024 unique reviews

    To ensure your SOW is mutually beneficial, download the blueprint Improve Your Statements of Work to Hold Your Vendors Accountable.

    Consider running a proof of concept if concerns are expressed about the feasibility of the chosen solution

    Proofs of concept (PoCs) can be time consuming, so make good choices on where to spend the effort

    Create a PoC charter that will enable a quick evaluation of the defined use cases and functions. These key dimensions should form the PoC.

    1. Objective – Giving an overview of the planned PoC will help to focus and clarify the rest of this section. What must the PoC achieve? Objectives should be specific, measurable, attainable, relevant, and time bound. Outline and track key performance indicators.
    2. Key Success Factors – These are conditions that will positively impact the PoC's success.
    3. Scope – High-level statement of scope. More specifically, state what is in scope and what is out of scope.
    4. Project Team – Identify the team's structure, e.g. sponsors, subject matter experts.
    5. Resource Estimation – Identify what resources (time, materials, space, tools, expertise, etc.) will be needed to build and socialize your prototype. How will they be secured?

    An image of two screenshots from Info-Tech Research Group showing documentaton used to generate effective proof of concepts.

    To create a full proof of concept plan, download the Proof of Concept Template and see the instructions in Phase 3 of the blueprint Exploit Disruptive Infrastructure Technology.

    Selecting a right-sized endpoint management platform

    This selection guide allows organizations to execute a structured methodology for picking a UEM platform that aligns with their needs. This includes:

    • Identifying and prioritizing key business and technology drivers for an endpoint management selection business case.
    • Defining key use cases and requirements for a right-sized UEM platform.
    • Reviewing a comprehensive market scan of key players in the UEM marketspace.

    This formal UEM selection initiative will map out requirements and identify technology capabilities to fill the gap for better endpoint management. It also allows a formal roll-out of a UEM platform that is highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    Contact your account representative for more information

    workshops@infotech.com
    1-888-670-8889

    Summary of Accomplishment

    Knowledge Gained

    • What endpoint management is
    • Historical origins and evolution of endpoint management platforms
    • Current trends and future state of endpoint management platforms

    Processes Optimized

    • Identifying use cases
    • Gathering requirements
    • Reviewing market key players and their capabilities
    • Selecting a UEM tool that fulfills your requirements

    UEM Solutions Analyzed

    • CISCO Meraki
    • Citrix Endpoint Management
    • IBM MaaS360
    • Ivanti Neurons UEM
    • Jamf Pro
    • ManageEngine Endpoint Central
    • Microsoft Endpoint Manager
    • VMware Workspace ONE

    Related Info-Tech Research

    Modernize and Transform Your End-User Computing Strategy

    This project helps support the workforce of the future by answering the following questions: What types of computing devices, provisioning models, and operating systems should be offered to end users? How will IT support devices? What are the policies and governance surrounding how devices are used? What actions are we taking and when? How do end-user devices support larger corporate priorities and strategies?

    Best Unified Endpoint Management (UEM) Software | SoftwareReviews

    Compare and evaluate Unified Endpoint Management vendors using the most in-depth and unbiased buyer reports available. Download free comprehensive 40+ page reports to select the best Unified Endpoint Management software for your organization.

    The Rapid Application Selection Framework

    This blueprint walks you through a process for a fast and efficient selection of your prospective application. You will be enabled to use a data-driven approach to select the right application vendor for your needs, shatter stakeholder expectations with truly rapid application selections, boost collaboration and crush the broken telephone with concise and effective stakeholder meetings, and lock in hard savings.

    Bibliography

    "BYOD Security Report." Cybersecurity Insiders, 2021. Accessed January 2023.
    "Cloud Infrastructure Services Market." MarketsAnd Markets, 2019. Accessed December 2022.
    Evans, Alma. "Mastering Mobility Management: MDM Vs. EMM Vs. UEM." Hexnode, 2019. Accessed November 2022.
    "Evercore-ISI Quarterly Enterprise Technology Spending Survey." Evercore-ISI, 2022. Accessed January 2023.
    "5G Service Revenue to Reach $315 Billion Globally in 2023." Jupiter Research, 2022. Accessed January 2023.
    Hein, Daniel. "5 Common Unified Endpoint Management Use Cases You Need to Know." Solutions Review, 2020. Accessed January 2023.
    "Mobile Device Management Market Size, Share & COVID-19 Impact Analysis." Fortune Business Insights, 2021. Accessed December 2022.
    Ot, Anina. "The Unified Endpoint Management (UEM) Market." Datamation, 14 Apr. 2022. Accessed Jan. 2023.
    Poje, Phil. "CEO Corner: 4 Trends in Unified Endpoint Management for 2023." Tech Orchard, 2022. Accessed January 2023.
    "The Future of UEM November 2021 Webinar." Ivanti, 2021. Accessed January 2023.
    "The Third Annual Study on the State of Endpoint Security Risk." Ponemon Institute, 2020. Accessed December 2022.
    "The Ultimate Guide to Unified Endpoint Management (UEM)." MobileIron. Accessed January 2023.
    "Trends in Unified Endpoint Management." It Pro Today, 2018. Accessed January 2023.
    Turek, Melanie. "Employees Say Smartphones Boost Productivity by 34 Percent: Frost & Sullivan Research." Samsung Insights, 3 Aug. 2016.
    "2023 State of Security Report." Cybersecurity Insiders, 2022. Accessed January 2023.
    Violino, Bob. "Enterprise Mobility 2022: UEM Adds User Experience, AI, Automation." Computerworld, 2022. Accessed January 2023.
    Violino, Bob. "How to Choose the Right UEM Platform." Computerworld, 2021. Accessed January 2023.
    Violino, Bob. "UEM Vendor Comparison Chart 2022." Computerworld, 2022. Accessed January 2023.
    Wallent, Michael. "5 Endpoint Management Predictions for 2023." Microsoft, 2022. Accessed January 2023.
    "What Is the Difference Between MDM, EMM, and UEM?" 42Gears, 2017. Accessed November 2022.

    Reduce Risk With Rock-Solid Service-Level Agreements

    • Buy Link or Shortcode: {j2store}365|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management

    Organizations can struggle to understand what service-level agreements (SLAs) are required and how they can differ depending on the service type. In addition, these other challenges can also cloud an organization’s knowledge of SLAs:

    • No standardized SLAs documents, service levels, or metrics
    • Dealing with lost productivity and revenue due to persistent downtime
    • Not understanding SLAs components and what service levels are required for a particular service
    • How to manage the SLA and hold the vendor accountable

    Our Advice

    Critical Insight

    SLAs need to have clear, easy-to-measure objectives, to meet expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to its obligations.

    Impact and Result

    This project will provide several benefits and learnings for almost all IT workers:

    • Better understanding of an SLA framework and required SLA elements
    • Standardized service levels and metrics aligned to the organization’s requirements
    • Reduced time in reviewing, evaluating, and managing service provider SLAs

    Reduce Risk With Rock-Solid Service-Level Agreements Research & Tools

    Start here – Read our Executive Brief

    Understand how to resolve your challenges with SLAs and their components and ensuring adequate metrics. Learn how to create meaningful SLAs that meet your requirements and manage them effectively.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand SLA elements – Understand the elements of SLAs, service types, service levels, metrics/KPIs, monitoring, and reporting

    • SLA Checklist
    • SLA Evaluation Tool

    2. Create requirements – Create your own SLA criteria and templates that meet your organization’s requirements

    • SLA Template & Metrics Reference Guide

    3. Manage obligations – Learn the SLA Management Framework to track providers’ performance and adherence to their commitments.

    • SLO Tracker & Trending Tool

    Infographic

    Workshop: Reduce Risk With Rock-Solid Service-Level Agreements

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Elements of SLAs

    The Purpose

    Understand key components and elements of an SLA.

    Key Benefits Achieved

    Properly evaluate an SLA for required elements.

    Activities

    1.1 SLA overview, objectives, SLA types, service levels

    1.2 SLA elements and objectives

    1.3 SLA components: monitoring, reporting, and remedies

    1.4 SLA checklist review

    Outputs

    SLA Checklist 

    Evaluation Process

    SLA Checklist

    Evaluation Process

    SLA Checklist

    Evaluation Process

    SLA Checklist

    Evaluation Process

    2 Create SLA Criteria and Management Framework

    The Purpose

    Apply knowledge of SLA elements to create internal SLA requirements.

    Key Benefits Achieved

    Templated SLAs that meet requirements.

    Framework to manage SLOs.

    Activities

    2.1 Creating SLA criteria and requirements

    2.2 SLA templates and policy

    2.3 SLA evaluation activity

    2.4 SLA Management Framework

    2.5 SLA monitoring, tracking, and remedy reconciliation

    Outputs

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Internal SLA Management Framework

    Evaluation of current SLAs

    SLA tracking and trending

    Further reading

    Reduce Risk With Rock-Solid Service-Level Agreements

    Hold Service Providers more accountable to their contractual obligations with meaningful SLA components & remedies

    EXECUTIVE BRIEF

    Analyst Perspective

    Reduce Risk With Rock-Solid Service-Level Agreements

    Every year organizations outsource more and more IT infrastructure to the cloud, and IT operations to managed service providers. This increase in outsourcing presents an increase in risk to the CIO to save on IT spend through outsourcing while maintaining required and expected service levels to internal customers and the organization. Ensuring that the service provider constantly meets their obligations so that the CIO can meet their obligation to the organization can be a constant challenge. This brings forth the importance of the Service Level Agreement.

    Research clearly indicates that there is a general lack of knowledge when comes to understanding the key elements of a Service Level Agreement (SLA). Even less understanding of the importance of the components of Service Levels and the Service Level Objectives (SLO) that service provider needs to meet so that the outsourced service consistently meets requirements of the organization. Most service providers are very good at providing the contracted service and they all are very good at presenting SLOs that are easy to meet with very few or no ramifications if they don’t meet their objectives. IT leaders need to be more resolute in only accepting SLOs that are meaningful to their requirements and have meaningful, proactive reporting and associated remedies to hold service providers accountable to their obligations.

    Ted Walker

    Principal Research Director, Vendor Practice

    Info-Tech Research Group

    Executive Brief

    Vendors provide service level commitments to customers in contracts to show a level of trust, performance, availability, security, and responsiveness in an effort create a sense of confidence that their service or platform will meet your organization’s requirements and expectations. Sifting through these promises can be challenging for many IT Leaders. Customers struggle to understand and evaluate what’s in the SLA – are they meaningful and protect your investment? Not understanding the details of SLAs applicable to various types of Service (SaaS, MSP, Service Desk, DR, ISP) can lead to financial and compliance risk for the organization as well as poor customer satisfaction.

    This project will provide IT leadership the knowledge & tools that will allow them to:

    • Understand what SLAs are and why they need them.
    • Develop standard SLAs that meet the organization’s requirements.
    • Negotiate meaningful remedies aligned to Service Levels metrics or KPIs.
    • Create SLA monitoring & reporting and remedies requirements to hold the provider accountable.

    This research:

    1. Is designed for:
    • The CIO or CFO who needs to better understand their provider’s SLAs.
    • The CIO or BU that could benefit from improved service levels.
    • Vendor management who needs to standardize SLAs for the organization IT leadership that needs consistent service levels to the business
    • The contract manager who needs a better understanding of contact SLAs
  • Will help you:
    • Understand what a Service Level Agreement is and what it’s for
    • Learn what the components are of an SLA and why you need them
    • Create a checklist of required SLA elements for your organization
    • Develop standard SLA template requirements for various service types
    • Learn the importance of SLA management to hold providers accountable
  • Will also assist:
    • Vendor management
    • Procurement and sourcing
    • Organizations that need to understand SLAs within contract language
    • With creating standardized monitoring & reporting requirements
    • Organizations get better position remedies & credits to hold vendors accountable to their commitments
  • Reduce Risk With Rock-Solid Service-Level Agreements (SLAs)

    Hold service providers more accountable to their contractual obligations with meaningful SLA components and remedies

    The Problem

    IT Leadership doesn't know how to evaluate an SLA.

    Misunderstanding of obligations given the type of service provided (SAAS, IAAS, DR/BCP, Service Desk)

    Expectations not being met, leading to poor service from the provider.

    No way to hold provider accountable.

    Why it matters

    SLAS are designed to ensure that outsourced IT services meet the requirements and expectations of the organization. Well-written SLAs with all the required elements, metrics, and remedies will allow IT departments to provide the service levels to their customer and avoid financial and contractual risk to the organization.

    The Solution

    1. Understand the key service elements within an SLA
    • Develop a solid understanding of the key elements within an SLA and why they're important.
  • Establish requirements to create SLA criteria
    • Prioritize contractual services and establish concise SLA checklists and performance metrics.
  • Manage SLA obligations to ensure commitments are met
    • Review the five steps for effective SLA management to track provider performance and deal with chronic issues.
  • Service types

    • Availability/Uptime
    • Response Times
    • Resolution Time
    • Accuracy
    • First-Call Resolution

    Agreement Types

    • SaaS/IaaS
    • Service Desk
    • MSP
    • Co-Location
    • DR/BCP
    • Security Ops

    Performance Metrics

    • Reporting
    • Remedies & Credits
    • Monitoring
    • Exclusion

    Example SaaS Provider

    • Response Times ✓
    • Availability/Uptime ✓
    • Resolution Time ✓
    • Update Times ✓
    • Coverage Time ✓
    • Monitoring ✓
    • Reporting ✓
    • Remedies/Credits ✓

    SLA Management Framework

    1. SLO Monitoring
    • SLOs must be monitored by the provider, otherwise they can't be measured.
  • Concise Reporting
    • This is the key element for the provider to validate their performance.
  • Attainment Tracking
    • Capturing SLO metric attainment provides performance trending for each provider.
  • Score carding
    • Tracking details provide input into overall vendor performance ratings.
  • Remedy Reconciliation
    • From SLO tracking, missed SLOs and associated credits needs to be actioned and consumed.
  • Executive Summary

    Your Challenge

    To understand which SLAs are required for your organization and how they can differ depending on the service type. In addition, these other challenges can also cloud your knowledge of SLAs

    • No standardized SLA documents, Service levels, or metrics
    • Dealing with lost productivity & revenue due to persistent downtime
    • Understanding SLA components and what service levels are requires for a particular service
    • How to manage the SLA and hold the vendor accountable

    Common Obstacles

    There are several unknowns that SLA can present to different departments within the organization:

    • Little knowledge of what service levels are required
    • Not knowing SLO standards for a service type
    • Lack of resources to manage vendor obligations
    • Negotiating required metrics/KPIs with the provider
    • Low understanding of the risk that poor SLAs can present to the organization

    Info-Tech's Approach

    Info-Tech has a three-step approach to effective SLAs

    • Understand the elements of an SLA
    • Create Requirements for your organization
    • Manage the SLA obligations

    There are some basic components that every SLA should have – most don’t have half of what is required

    Info-Tech Insight

    SLAs need to have clear, easy to measure objectives to meet your expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to their obligations.

    Your challenge

    This research is designed to help organizations gain a better understanding of what an SLA is, understand the importance of SLAs in IT contracts, and ensure organizations are provided with rock-solid SLAs that meet their requirements and not just what the vendor wants to provide.

    • Vendors can make SLAs weak and difficult to understand; sometimes the metrics are meaningless. Not fully understanding what makes up a good SLA can bring unknown risks to the organization.
    • Managing vendor SLA obligations effectively is important. Are adequate resources available? Does the vendor provide manual vs. automated processes and which do you need? Is the process proactive from the vendor or reactive from the customer?

    SLAs come in many variations and for many service types. Understanding what needs to be in them is one of the keys to reducing risk to your organization.

    “One of the biggest mistakes an IT leader can make is ignoring the ‘A’ in SLA,” adds Wendy M. Pfeiffer, CIO at Nutanix. “

    An agreement isn’t a one-sided declaration of IT capabilities, nor is it a one-sided demand of business requirements,” she says. “An agreement involves creating a shared understanding of desired service delivery and quality, calculating costs related to expectations, and then agreeing to outcomes in exchange for investment.” (15 SLA mistakes IT leaders still make | CIO)

    Common obstacles

    There are typically a lot of unknowns when it comes to SLAs and how to manage them.

    Most organizations don’t have a full understanding of what SLAs they require and how to ensure they are met by the vendor. Other obstacles that SLAs can present are:

    • Inadequate resources to create and manage SLAs
    • Poor awareness of standard or required SLA metrics/KPIs
    • Lack of knowledge about each provider’s commitment as well as your obligations
    • Low vendor willingness to provide or negotiate meaningful SLAs and credits
    • The know-how or resources to effectively monitor and manage the SLA’s performance

    SLAs need to address your requirements

    55% of businesses do not find all of their service desk metrics useful or valuable (Freshservice.com)

    27% of businesses spend four to seven hours a month collating metric reports (Freshservice.com)

    Executive Summary

    Info-Tech’s Approach

    • Understand the elements of an SLA
      • Availability
      • Monitoring
      • Response Times
      • SLO Calculation
      • Resolution Time
      • Reporting
      • Milestones
      • Exclusions
      • Accuracy
      • Remedies & Credits
    • Create standard SLA requirements and criteria
      • SLA Element Checklist
      • Corporate Requirements and Standards
      • SLA Templates and Policy
    • Effectively Manage the SLA Obligations
      • SLA Management Framework
        • SLO Monitoring
        • Concise Reporting
        • Attainment Tracking
        • Score Carding
        • Remedy Reconciliation

    Info-Tech’s three phase approach

    Reduce Risk With Rock-Solid Service-Level Agreements

    Phase 1

    Understand SLA Elements

    Phase Content:

    • 1.1 What are SLAs, types of SLAs, and why are they needed?
    • 1.2 Elements of an SLA
    • 1.3 Obligation management monitoring, Reporting requirements
    • 1.4 Exclusions
    • 1.5 SLAs vs. SLOs vs. SLIs

    Outcome:

    This phase will present you with an understanding of the elements of an SLA: What they are, why you need them, and how to validate them.

    Phase 2

    Create Requirements

    Phase Content:

    • 2.1 Create a list of your SLA criteria
    • 2.2 Develop SLA policy & templates
    • 2.3 Create a negotiation strategy
    • 2.4 SLA Overachieving discussion

    Outcome:

    This phase will leverage knowledge gained in Phase 1 and guide you through the creation of SLA requirements, criteria, and templates to ensure that providers meet the service level obligations needed for various service types to meet your organization’s service expectations.

    Phase 3

    Manage Obligations

    Phase Content:

    • 3.1 SLA Monitoring, Tracking
    • 3.2 Reporting
    • 3.3 Vendor SLA Reviews & Optimizing
    • 3.4 Performance management

    Outcome:

    This phase will provide you with an SLA management framework and the best practices that will allow you to effectively manage service providers and their SLA obligations.

    Insight summary

    Overarching insight

    SLAs need to have clear, easy-to-measure objectives to meet your expectations and service level requirements, including meaningful reporting and remedies to hold the provider accountable to their obligations.

    Phase 1 insight

    Not understanding the required elements of an SLA and not having meaningful remedies to hold service providers accountable to their obligations can present several risk factors to your organization.

    Phase 2 insight

    Creating standard SLA criteria for your organization’s service providers will ensure consistent service levels for your business units and customers.

    Phase 3 insight

    SLAs can have appropriate SLOs and remedies but without effective management processes they could become meaningless.

    Tactical insight

    Be sure to set SLAs that are easily measurable from regularly accessible data and that are straight forward to interpret.

    Tactical insight

    Beware of low, easy to attain service levels and metrics/KPIs. Service levels need to meet your expectations and needs not the vendor’s.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    SLA Tracker & Trending Tool

    Track the provider’s SLO attainment and see how their performance is trending over time

    SLA Evaluation Tool

    Evaluate SLA service levels, metrics, credit values, reporting, and other elements

    SLA Template & Metrics Reference Guide

    Reference guide for typical SLA metrics with a generic SLA Template

    Service-Level Agreement Checklist

    Complete SLA component checklist for core SLA and contractual elements.

    Key deliverable:

    Service-Level Agreement Evaluation Tool

    Evaluate each component of the SLA , including service levels, metrics, credit values, reporting, and processes to meet your requirements

    Blueprint objectives

    Understand the components of an SLA and effectively manage their obligations

    • To provide an understanding of different types of SLAs, their required elements, and what they mean to your organization. How to identify meaningful service levels based on service types. We will break down the elements of the SLA such as service types and define service levels such as response times, availability, accuracy, and associated metrics or KPIs to ensure they are concise and easy to measure.
    • To show how important it is that all metrics have remedies to hold the service provider accountable to their SLA obligations.

    Once you have this knowledge you will be able to create and negotiate SLA requirements to meet your organization’s needs and then manage them effectively throughout the term of the agreement.

    InfoTech Insight:

    Right-size your requirements and create your SLO criteria based on risk mitigation and create measurements that motivate the desired behavior from the SLA.

    Blueprint benefits

    IT Benefits

    • An understanding of standard SLA service levels and metrics
    • Reduced financial risk through clear and concise easy-to-measure metrics and KPIs
    • Improved SLA commitments from the service provider
    • Meaningful reporting and remedies to hold the provider accountable
    • Service levels and metrics that meet your requirements to support your customers

    Business Benefits

    • Better understanding of an SLA framework and required SLA elements
    • Improved vendor performance
    • Standardized service levels and metrics aligned to your organization’s requirements
    • Reduced time in reviewing and comprehending vendor SLAs
    • Consistent performance from your service providers

    Measure the value of this blueprint

    1. Dollars Saved
    • Improved performance from your service provider
    • Reduced financial risk through meaningful service levels & remedies
    • Dollars gained through:
      • Reconciled credits from obligation tracking and management
      • Savings due to automated processes
  • Time Saved
    • Reduced time in creating effective SLAs through requirement templates
    • Time spent tracking and managing SLA obligations
    • Reduced negotiation time
    • Time spent tracking and reconciling credits
  • Knowledge Gained
    • Understanding of SLA elements, service levels, service types, reporting, and remedies
    • Standard metrics and KPIs required for various service types and levels
    • How to effectively manage the service provider obligations
    • Tactics to negotiate appropriate service levels to meet your requirements
  • Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way wound help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between three to six calls over the course of two to three months.

    Phase 1 - Understand

    • Call #1: Scope requirements, objectives, and your specific SLA challenges

    Phase 2 - Create Requirements

    • Call #2: Review key SLA and how to identify them
    • Call #3: Deep dive into SLA elements and why you need them
    • Call #4: Review your service types and SLA criteria
    • Call #5: Create internal SLA requirements and templates

    Phase 3 - Management

    • Call #6: Review SLA Management Framework
    • Call #7: Review and create SLA Reporting and Tracking

    Workshop Overview

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Day 1 Day 2
    Understanding SLAs SLA Templating & Management
    Activities

    1.1 SLA overview, objectives, SLA types, service levels

    1.2 SLA elements and objectives

    1.3 SLA components – monitoring, reporting, remedies

    1.4 SLA Checklist review

    2.1 Creating SLA criteria and requirements

    2.2 SLA policy & template

    2.3 SLA evaluation activity

    2.4 SLA management framework

    2.5 SLA monitoring, tracking, remedy reconciliation

    Deliverables
    1. SLA Checklist
    2. SLA policy & template creation
    3. SLA management gap analysis
    1. Evaluation of current SLAs
    2. SLA tracking and trending
    3. Create internal SLA management framework

    Reduce Risk With Rock-Solid Service-Level Agreements

    Phase 1

    Phase 1

    Understand SLA Elements

    Phase Steps

    • 1.1 What are SLAs, the types of SLAs, and why are they needed?
    • 1.2 Elements of an SLA
    • 1.3 Obligation management monitoring, Reporting requirements
    • 1.4 Exclusions and exceptions
    • 1.5 SLAs vs. SLOs vs. SLIs

    Create Requirements

    Manage Obligations

    1.1 What are SLAs, the types of SLAs, and why are they needed?

    SLA Overview

    What is a Service Level Agreement?

    An SLA is an overarching contractual agreement between a service provider and a customer (can be external or internal) that describes the services that will be delivered by the provider. It describes the service levels and associated performance metrics and expectations, how the provider will show it has attained the SLAs, and defines any remedies or credits that would apply if the provider fails to meet its commitments. Some SLAs also include a change or revision process.

    SLAs come in a few forms. Some are unique, separate, standalone documents that define the service types and levels in more detail and is customized to your needs. Some are separate documents that apply to a service and are web posted or linked to an MSA or SSA. The most common is to have them embedded in, or as an appendix to an MSA or SSA. When negotiating an MSA it’s generally more effective to negotiate better service levels and metrics at the same time.

    Objectives of an SLA

    To be effective, SLAs need to have clearly described objectives that define the service type(s) that the service provider will perform, along with commitment to associated measurable metrics or KPIs that are sufficient to meet your expectations. The goal of these service levels and metrics is to ensure that the service provider is committed to providing the service that you require, and to allow you to maintain service levels to your customers whether internal or external.

    1.1 What are SLAs, the types of SLAs, and why are they needed?

    Key Elements of an SLA

    Principle service elements of an SLA

    There are several more common service-related elements of an SLA. These generally include:

    • The Agreement – the document that defines service levels and commitments.
    • The service types – the type of service being provided by the vendor. These can include SaaS, MSP, Service Desk, Telecom/network, PaaS, Co-Lo, BCP, etc.
    • The service levels – these are the measurable performance objectives of the SLA. They include availability (uptime), response times, restore times, priority level, accuracy level, resolution times, event prevention, completion time, etc.
    • Metrics/KPIs – These are the targets or commitments associated to the service level that the service provider is obligated to meet.
    • Other elements – Reporting requirements, monitoring, remedies/credit values and process.

    Contractual Construct Elements

    These are construct components of an SLA that outline their roles and responsibilities, T&Cs, escalation process, etc.

    In addition, there are several contractual-type elements including, but not limited to:

    • A statement regarding the purpose of the SLA.
    • A list of services being supplied (service types).
    • An in-depth description of how services will be provided and when.
    • Vendor and customer requirements.
    • Vendor and customer obligations.
    • Acknowledgment/acceptance of the SLA.
    • They also list each party’s responsibilities and how issues will be escalated and resolved.

    Common types of SLAs explained

    Service-level SLA

    • This service-level agreement construct is the Service-based SLA. This SLA covers an identified service for all customers in general (for example, if an IT service provider offers customer response times for a service to several customers). In a service-based agreement, the response times would be the same and apply to all customers using the service. Any customer using the service would be provided the same SLA – in this case the same defined response time.

    Customer-based SLA

    • A customer-based SLA is a unique agreement with one customer. The entire agreement is defined for one or all service levels provided to a particular customer (for example, you may use several services from one telecom vendor). The SLAs for these services would be covered in one contract between you and the vendor, creating a unique customer-based vendor agreement. Another scenario could be where a vendor offers general SLAs for its services but you negotiate a specific SLA for a particular service that is unique or exclusive to you. This would be a customer-based SLA as well.

    Multi-level SLA

    • This service-level agreement construct is the multi-level SLA. In a multi-level SLA, components are defined to the organizational levels of the customer with cascading coverage to sublevels of the organization. The SLA typically entails all services and is designed to the cover each sub-level or department within the organization. Sometimes the multi-level SLA is known as a master organization SLA as it cascades to several levels of the organization.

    InfoTech Insight: Beware of low, easy to attain Service levels and metrics/KPIs. Service levels need to meet your requirements, expectations, and needs not the vendor’s.

    1.2 Elements of SLA-objectives, service types, and service levels

    Objectives of Service Levels

    The objective of the service levels and service credits are to:

    • Ensure that the services are of a consistently high quality and meet the requirements of the customer
    • Provide a mechanism whereby the customer can attain meaningful recognition of the vendors failure to deliver the level of service for which it was contracted to deliver
    • Incentivize the vendor or service provider to comply with and to expeditiously provide a remedy for any failure to attain the service levels committed to in the SLA
    • To ensure that the service provider fulfills the defined objectives of the outsourced service

    Service types

    There are several service types that can be part of an SLA. Service types are the different nature of services associated with the SLA that the provider is performing and being measured against. These can include:

    Service Desk, SaaS, PaaS, IaaS, ISP/Telecom/Network MSP, DR & BCP, Co-location security ops, SOW.

    Each service type should have standard service level targets or obligations that can vary depending on your requirements and reliance on the service being provided.

    Service levels

    Service levels are measurable targets, metrics, or KPIs that the service provider has committed to for the particular service type. Service levels are the key element of SLAs – they are the performance expectations set between you and the provider. The service performance of the provider is measured against the service level commitments. The ability of the provider to consistently meet these metrics will allow your organization to fully benefit from the objectives of the service and associated SLAs. Most service levels are time related but not all are.

    Common service levels are:

    Response times, resolution times per percent, restore/recovery times, accuracy, availability/uptime, completion/milestones, updating/communication, latency.

    Each service level has standard or minimum metrics for the provider. The metrics, or KPIs, should be relatively easy to measure and report against on a regular basis. Service levels are generally negotiable to meet your requirements.

    1.2.1 Activity SLA Checklist Tool

    1-2 hours

    Input

    • SLA content, Service elements
    • Contract terms & exclusions
    • Service metrices/KPIs

    Output

    • A concise list of SLA components
    • A list of missing SLA elements
    • Evaluation of the SLA

    Materials

    • Comprehensive checklist
    • Service provider SLA
    • Internal templates or policies

    Participants

    • Vendor or contract manager
    • IT or business unit manager
    • Legal
    • Finance

    Using this checklist will help you review a provider’s SLA to ensure it contains adequate service levels and remedies as well as contract-type elements.

    Instructions:

    Use the checklist to identify the principal service level elements as well as the contractual-type elements within the SLA.

    Review the SLA and use the dropdowns in the checklist to verify if the element is in the SLA and whether it is within acceptable parameters as well the page or section for reference.

    The checklist contains a list of service types that can be used for reference of what SLA elements you should expect to see in that service type SLA.

    Download the SLA Checklist Tool

    1.3 Monitoring, reporting requirements, remedies/credit process

    Monitoring & Reporting

    As mentioned, well-defined service levels are key to the success of the SLA. Validating that the metrics/KPIs are being met on a consistent basis requires regular monitoring and reporting. These elements of the SLA are how you hold the provider accountable to the SLA commitments and obligations. To achieve the service level, the service must be monitored to validate that timelines are met and accuracy is achieved.

    • Data or details from monitoring must then be presented in a report and delivered to the customer in an agreed-upon format. These formats can be in a dashboard, portal, spreadsheet, or csv file, and they must have sufficient criteria to validate the service-level metric. Reports should be kept for future review and to create historical trending.
    • Monitoring and reporting should be the responsibility of the service provider. This is the only way that they can validate to the customer that a service level has been achieved.
    • Reporting criteria and delivery timelines should be defined in the SLA and can even have a service level associated with it, such as a scheduled report delivery on the fifth day of the following month.
    • Reports need to be checked and balanced. When defining report criteria, be sure to define data source(s) that can be easily validated by both parties.
    • Report criteria should include compliance requirements, target metric/KPIs, and whether they were attained.
    • The report should identify any attainment shortfall or missed KPIs.

    Too many SLAs do not have these elements as often the provider tries to put the onus on the customer to monitor their performance of the service levels. .

    1.3.1 Monitoring, reporting requirements, remedies/credit process

    Remedies and Credits

    Service-level reports validate the performance of the service provider to the SLA metrics or KPIs. If the metrics are met, then by rights, the service provider is doing its job and performing up to expectations of the SLA and your organization.

    • What if the metrics are not being met either periodically or consistently? Solving this is the goal of remedies. Remedies are typically monetary costs (in some form) to the provider that they must pay for not meeting a service-level commitment. Credits can vary significantly and should be aligned to the severity of the missed service level. Sometimes there no credits offered by the vendor. This is a red flag in an SLA.
    • Typically expressed as a monetary credit, the SLA will have service levels and associated credits if the service-level metric/KPI is not met during the reporting period. Credits can be expressed in a dollar format, often defined as a percentage of a monthly fee or prorated annual fee. Although less common, some SLAs offer non-financial credits. These could include: an extension to service term, additional modules, training credits, access to a higher support level, etc.
    • Regardless of how the credit is presented, this is typically the only way to hold your provider accountable to their commitments and to ensure they perform consistently to expectations. You must do a rough calculation to validate the potential monetary value and if the credit is meaningful enough to the provider.

    Research shows that credit values that equate to just a few dollars, when you are paying the provider tens of thousands of dollars a month for a service or product, the credit is insignificant and therefore doesn’t incent the provider to achieve or maintain a service level.

    1.3.2 Monitoring, reporting requirements, remedies/credit process

    Credit Process

    Along with meaningful credit values, there must be a defined credit calculation method and credit redemption process in the SLA.

    Credit calculation. The credit calculation should be simple and straight forward. Many times, we see providers define complicated methods of calculating the credit value. In some cases complicated service levels require higher effort to monitor and report on, but this shouldn’t mean that the credit for missing the service level needs to require the same effort to calculate. Do a sample credit calculation to validate if the potential credit value is meaningful enough or meets your requirements.

    Credit redemption process. The SLA should define the process of how a credit is provided to the customer. Ideally the process should be fairly automated by the service provider. If the report shows a missed service level, that should trigger a credit calculation and credit value posted to account followed by notification. In many SLAs that we review, the credit process is either poorly defined or not defined at all. When it is defined, the process typically requires the customer to follow an onerous process and submit a credit request that must then be validated by the provider and then, if approved, posted to your account to be applied at year end as long as you are in complete compliance with the agreement and up-to-date on your account etc. This is what we need to avoid in provider-written SLAs. You need a proactive process where the service provider takes responsibility for missing an SLA and automatically assigns an accurate credit to your account with an email notice.

    Secondary level remedies. These are remedies for partial performance. For example, the platform is accessible but some major modules are not working (i.e.: the payroll platform is up and running and accessible but the tax table is not working properly so you can’t complete your payroll run on-time). Consider the requirement of a service level, metric, and remedy for critical components of a service and not just the platform availability.

    Info-Tech Insight SLA’s without adequate remedies to hold the vendor accountable to their commitments make the SLAs essentially meaningless.

    1.4 Exclusions indemnification, force majeure, scheduled maintenance

    Contract-Related Exclusions

    Attaining service-level commitments by the provider within an SLA can depend on other factors that could greatly influence their performance to service levels. Most of these other factors are common and should be defined in the SLA as exclusions or exceptions. Exceptions/exclusions can typically apply to credit calculations as well. Typical exceptions to attaining service levels are:

    • Denial of Service (DoS) attacks
    • Communication/ISP outage
    • Outages of third-party hosting
    • Actions or inactions of the client or third parties
    • Scheduled maintenance but not emergency maintenance
    • Force majeure events which can cover several different scenarios

    Attention should be taken to review the exceptions to ensure they are in fact not within the reasonable control of the provider. Many times the provider will list several exclusions. Often these are not reasonable or can be avoided, and in most cases, they allow the service provider the opportunity to show unjustified service-level achievements. These should be negotiated out of the SLA.

    1.5 Activity SLA Evaluation Tool

    1-2 hours

    Input

    • SLA content
    • SLA elements
    • SLA objectives
    • SLO calculation methods

    Output

    • Rating of the SLA service levels and objectives
    • Overall rating of the SLA content
    • Targeted list of required improvements

    Materials

    • SLA comprehensive checklist
    • Service provider SLA

    Participants

    • Vendor or contract manager
    • IT manager or leadership
    • Application or business unit manager

    The SLA Evaluation Tool will allow you evaluate an SLA for content. Enter details into the tool and evaluate the service levels and SLA elements and components to ensure the agreement contains adequate SLOs to meet your organization’s service requirements.

    Instructions:

    Review and identify SLA elements within the service provider’s SLA.

    Enter service-level details into the tool and rate the SLOs.

    Enter service elements details, validate that all required elements are in the SLA, and rate them accordingly.

    Capture and evaluate service-level SLO calculations.

    Review the overall rating for the SLA and create a targeted list for improvements with the service provider.

    Download the SLA Evaluation Tool

    1.5 Clarification: SLAs vs. SLOs vs. SLIs

    SLA – Service-Level Agreement The promise or commitment

    • This is the formal agreement between you and your service provider that contains their service levels and obligations with measurable metrics/KPIs and associated remedies. SLAs can be a separate or unique document, but are most commonly embedded within an MSA, SOW, SaaS, etc. as an addendum or exhibit.

    SLO – Service-Level Objective The goals or targets

    • This service-level agreement construct is the customer-based SLA. A Customer-based SLA is a unique agreement with one customer. The entire agreement is defined for one or all service levels provided to a particular customer. For example, you may use several services from one telecom vendor. The SLAs for these services would be covered in one contract between you and the Telco vendor, creating a unique customer-based to vendor agreement. Another scenario: a vendor offers general SLAs for its services and you negotiate a specific SLA for a particular service that is unique or exclusive to you. This would be a customer-based SLA as well.

    Other common names are Metrics and Key Performance Indicators (KPIs )

    SLI – Service-Level Indicator How did we do? Did we achieve the objectives?

    • An SLI is the actual metric attained after the measurement period. SLI measures compliance with an SLO (service level objective). So, for example, if your SLA specifies that your systems will be available 99.95% of the time, your SLO is 99.95% uptime and your SLI is the actual measurement of your uptime. Maybe it’s 99.96%. maybe 99.99% or even 99.75% For the vendor to be compliant to the SLA, the SLI(s) must meet or exceed the SLOs within the SLA document.

    Other common names: attainment, results, actual

    Info-Tech Insight:

    Web-posted SLAs that are not embedded within a signed MSA, can present uncertainty and risk as they can change at any time and typically without direct notice to the customer

    Reduce Risk With Rock-Solid Service-Level Agreements

    Phase 2

    Understand SLA Elements

    Phase 2

    Create Requirements

    Phase Steps

    • 2.1 Create a list of your SLA criteria
    • 2.2 Develop SLA policy & templates
    • 2.3 Create a negotiation strategy
    • 2.4 SLA overachieving discussion

    Manage Obligations

    2.1 Create a list of your SLA criteria

    Principle Service Elements

    With your understanding of the types of SLAs and the elements that comprise a well-written agreement

    • The next step is to start to create a set of SLA criteria for service types that your organization outsources or may require in the future.
    • This criteria should define the elements of the SLA with tolerance levels that will require the provider to meet your service expectations.
    • Service levels, metrics/KPIs, associated remedies and reporting criteria. This criteria could be captured into table-like templates that can be referenced or inserted into service provider SLAs.
    • Once you have defined minimum service-level criteria, we recommend that you do a deeper review of the various service provider types that your organization has in place. The goal of the review is to understand the objective of the service type and associated service levels and then compare them to your requirements for the service to meet your expectations. Service levels and KPIs should be no less than if your IT department was providing the service with its own resources and infrastructure.
    • Most IT departments have service levels that they are required to meet with their infrastructure to the business units or organization, whether it’s App delivery, issue or problem resolution, availability etc. When any of these services are outsourced to an external service provider, you need to make all efforts to ensure that the service levels are equal to or better than the previous or existing internal expectations.
    • Additionally, the goal is to identify service levels and metrics that don’t meet your requirements or expectations and/or service levels that are missing.

    2.2 Develop SLA policies and templates

    Contract-type Elements

    After creating templates for minimum-service metrics & KPIs, reporting criteria templates, process, and timing, the next step should be to work on contract-type elements and additional service-level components. These elements should include:

    • Reporting format, criteria, and timelines
    • Monitoring requirements
    • Minimum acceptable remedy or credits process; proactive by provider vs. reactive by customer
    • Roles & responsibilities
    • Acceptable exclusion details
    • Termination language for persistent failure to meet SLOs

    These templates or criteria minimums can be used as guidelines or policy when creating or negotiating SLAs with a service provider.

    Start your initial element templates for your strategic vendors and most common service types: SaaS, IaaS, Service Desk, SecOps, etc. The goal of SLA templates is to create simple minimum guidelines for service levels that will allow you to meet your internal SLAs and expectations. Having SLA templates will show the service provider that you understand your requirements and may put you in a better negotiating position when reviewing with the provider.

    When considering SLO metrics or KPIs consider the SMART guidance:

    Simple: A KPI should be easy to measure. It should not be complicated, and the purpose behind recording it must be documented and communicated.

    Measurable: A KPI that cannot be measured will not help in the decision-making process. The selected KPIs must be measurable, whether qualitatively or quantitatively. The procedure for measuring the KPIs must be consistent and well-defined.

    Actionable: KPIs should contribute to the decision-making process of your organization. A KPI that does not make any such contributions serves no purpose.

    Relevant: KPIs must be related to operations or functions that a security team seeks to assess.

    Time-based: KPIs should be flexible enough to demonstrate changes over time. In a practical sense, an ideal KPI can be grouped together by different time intervals.

    (Guide for Security Operations Metrics)

    2.2.1 Activity: Review SLA Template & Metrics Reference Guide

    1-2 hours

    Input

    • Service level metrics
    • List of who is accountable for PPM decisions

    Output

    • SLO templates for service types
    • SLA criteria that meets your organization’s requirements

    Materials

    • SLA Checklist
    • SLA criteria list with SLO & credit values
    • PPM Decision Review Workbook

    Participants

    • Vendor manager
    • IT leadership
    • Procurement or contract manager
    1. Review the SLA Template and Metrics Reference Guide for common metrics & KPIs for the various service types. Each Service Type tab has SLA elements and SLO metrics typically associated with the type of service.
    2. Some service levels have common or standard credits* that are typically associated with the service level or metric.
    3. Use the SLA Template to enter service levels, metrics, and credits that meet your organization’s criteria or requirements for a given service type.

    Download the SLA Template & Metrics Reference Guide

    *Credit values are not standard values, rather general ranges that our research shows to be the typical ranges that credit values should be for a given missed service level

    2.3 Create a negotiation strategy

    Once you have created service-level element criteria templates for your organization’s requirements, it’s time to document a negotiation position or strategy to use when negotiating with service providers. Not all providers are flexible with their SLA commitments, in fact most are reluctant to change or create “unique” SLOs for individual customers. Particularly cloud vendors providing IaaS, SaaS, or PaaS, SLAs. ISP/Telcom, Co-Lo and DR/BU providers also have standard SLOs that they don’t like to stray far from. On the other hand, security ops (SIEM), service desk, hardware, and SOW/PS providers who are generally contracted to provide variable services are somewhat more flexible with their SLAs and more willing to meet your requirements.

    • Service providers want to avoid being held accountable to SLOs, and their SLAs are typically written to reflect that.

    The goal of creating internal SLA templates and policies is to set a minimum baseline of service levels that your organization is willing to accept, and that will meet their requirements and expectations for the outsourced service. Using these templated SLOs will set the basis for negotiating the entire SLA with the provider. You can set the SLA purpose, objectives, roles, and responsibilities and then achieve these from the service provider with solid SLOs and associated reporting and remedies.

    Info-Tech Insight

    Web-posted SLAs that are not embedded within a signed MSA can present uncertainty and risk as they can change at any time and typically without direct notice to the customer

    2.3.1 Negotiating strategy guidance

    • Be prepared. Create a negotiating plan and put together a team that understands your organization’s requirements for SLA.
    • Stay informed. Request provider’s recent performance data and negotiate SLOs to the provider’s average performance.
    • Know what you need. Corporate SLA templates or policies should be positioned to service providers as baseline minimums.
    • Show some flexibility. Be willing to give up some ground on one SLO in exchange for acceptance of SLOs that may be more important to your organization.
    • Re-group. Have a fallback position or Plan B. What if the provider can’t or won’t meet your key SLOs? Do you walk?
    • Do your homework. Understand what the typical standard SLOs are for the type of service level.

    2.4 SLO overachieving incentive discussion

    Monitoring & Reporting

    • SLO overachieving metrics are seen in some SLAs where there is a high priority for a service provider to meet and or exceed the SLOs within the SLA. These are not common terms but can be used to improve the overall service levels of a provider. In these scenarios the provider is sometimes rewarded for overachieving on the SLOs, either consistently or on a monthly or quarterly basis. In some cases, it can make financial sense to incent the service provider to overachieve on their commitments. Incentives can drive behaviors and improved performance by the provider that can intern improve the benefits to your organization and therefore justify an incent of some type.
    • Example: You could have an SLO for invoice accuracy. If not achieved, it could cost the vendor if they don’t meet the accuracy metric, however if they were to consistently overachieve the metric it could save accounts payable hours of time in validation and therefore you could pass on some of these measurable savings to the provider.
    • Overachieving incentives can add complexity to the SLA so they need to be easily measurable and simple to manage.
    • Overachieving incentives can also be used in provider performance improvement plans, where a provider might have poor trending attainment and you need to have them improve their performance in a short period of time. Incentives typically will motivate provider improvement and generally will cost much less than replacing the provider.
    • There is another school of thought that you shouldn’t have to pay a provider for doing their job; however, others are of the opinion that incentives or bonuses improve the overall performance of individuals or teams and are therefore worth consideration if both parties benefit from the over performance.

    Reduce Risk With Rock-Solid Service-Level Agreements

    Phase 3

    Understand SLA Elements

    Create Requirements

    Phase 3

    Manage Obligations

    Phase Steps

    • 3.1 SLA monitoring and tracking
    • 3.2 Reporting
    • 3.3 Vendor SLA reviews & optimizing
    • 3.4 Performance management

    3.1 SLA monitoring, tracking, and remedy reconciliation

    The next step to effective SLAs is the management component. It could be fruitless if you were to spend your time and efforts negotiating your required service levels and metrics and don’t have some level of managing the SLA. In that situation you would have no way of knowing if the service provider is attaining their SLOs.

    There are several key elements to effective SLA management:

    • SLO monitoring
    • Simple, concise reporting
    • SLO attainment tracking
    • Score carding & trending
    • Remedy reconciliation

    SLA Management framework

    SLA Monitoring → Concise Reporting → Attainment Tracking → Score Carding →Remedy Reconciliation

    “A shift we’re beginning to see is an increased use of data and process discovery tools to measure SLAs,” says Borowski of West Monroe. “While not pervasive yet, these tools represent an opportunity to identify the most meaningful metrics and objectively measure performance (e.g., cycle time, quality, compliance). When provided by the client, it also eliminates the dependency on provider tools as the source-of-truth for performance data.” – Stephanie Overby

    3.1 SLA management framework

    SLA Performance Management

    • SLA monitoring provides data for SLO reports or dashboards. Reports provide attainment data for tacking over time. Attainment data feeds scorecards and allows for trending analysis. Missed attainment data triggers remedies.
    • All service providers monitor their systems, platforms, tickets, agents, sensors etc. to be able to do their jobs. Therefore, monitoring is readily available from your service provider in some form.
    • One of the key purposes of monitoring is to generate data into internal reports or dashboards that capture the performance metrics of the various services. Therefore, service-level and metric reports are readily available for all of the service levels that a service provider is contracted or engaged to provide.
    • Monitoring and reporting are the key elements that validate how your service provider is meeting its SLA obligations and thus are very important elements of an SLA. SLO report data becomes attainment data once the metric or KPI has been captured.
    • As a component of effective SLA management, this attainment data needs to be tracked/recorded in an easy-to-read format or table over a period of time. Attainment data can then be used to generate scorecards and trending reports for your review both internally and with the provider as required.
    • If attainment data shows that the service provider is meeting their SLA obligations, then the SLA is meeting your requirements and expectations. If on the other hand, attainment data shows that obligations are not being met, then actions must be taken to hold the service provider accountable. The most common method is through remedies that are typically in the form of a credit through a defined process (see Sec. 1.3). Any credits due for missed SLOs should also be tracked and reported to stakeholders and accounting for validation, reconciliation, and collection.

    3.2 Reporting

    Monitoring & Reporting

    • Many SLAs are silent on monitoring and reporting elements and require that the customer, if aware or able, to monitor the providers service levels and attainment and create their own KPI and reports. Then if SLOs are not met there is an arduous process that the customer must go through to request their rightful credit. This manual and reactive method creates all kinds of risk and cost to the customer and they should make all attempts to ensure that the service provider proactively provides SLO/KPI attainment reports on a regular basis.
    • Automated monitoring and reporting is a common task for many IT departments. There is no reason that a service provider can’t send reports proactively in a format that can be easily interpreted by the customer. The ideal state would be to capture KPI report data into a customer’s internal service provider scorecard.
    • Automated or automatic credit posting is another key element that service providers tend to ignore, primarily in hopes that the customer won’t request or go through the trouble of the process. This needs to change. Some large cloud vendors already have automated processes that automatically post a credit to your account if they miss an SLO. This proactive credit process should be at the top of your negotiation checklist. Service providers are avoiding thousands of credit dollars every year based on the design of their credit process. As more customers push back and negotiate more efficient credit processes, vendors will soon start to change and may use it as a differentiator with their service.

    3.2.1 Performance tracking and trending

    What gets measured gets done

    SLO Attainment Tracking

    A primary goal of proactive and automated reporting and credit process is to capture the provider’s attainment data into a tracker or vendor scorecard. These tracking scorecards can easily create status reports and performance trending of service providers, to IT leadership as well as feed QBR agenda content.

    Remedy Reconciliation

    Regardless of how a credit is processed it should be tracked and reconciled with internal stakeholders and accounting to ensure credits are duly applied or received from the provider and in a timely manner. Tracking and reconciliation must also align with your payment terms, whether monthly or annually.

    “While the adage, ‘You can't manage what you don't measure,’ continues to be true, the downside for organizations using metrics is that the provider will change their behavior to maximize their scores on performance benchmarks.” – Rob Lemos

    3.2.1 Activity SLA Tracker and Trending Tool

    1-2 hours setup

    Input

    • SLO metrics/KPIs from the SLA
    • Credit values associated with SLO

    Output

    • Monthly SLO attainment data
    • Credit tracking
    • SLO trending graphs

    Materials

    • Service provider SLO reports
    • Service provider SLA
    • SLO Tracker & Trending Tool

    Participants

    • Contract or vendor managers
    • Application or service managers
    • Service provider

    An important activity in the SLA management framework is to track the provider’s SLO attainment on a monthly or quarterly basis. In addition, if an SLO is missed, an associated credit needs to be tracked and captured. This activity allows you to capture the SLOs from the SLA and track them continually and provide data for trending and review at vendor performance meetings and executive updates.

    Instructions: Enter SLOs from the SLA as applicable.

    Each month, from the provider’s reports or dashboards, enter the SLO metric attainment.

    When an SLO is met, the cell will turn green. If the SLO is missed, the cell will turn red and a corresponding cell in the Credit Tracker will turn green, meaning that a credit needs to be reconciled.

    Use the Trending tab to view trending graphs of key service levels and SLOs.

    Download the SLO Tracker and Trending Tool

    3.3 Vendor SLA reviews and optimizing

    Regular reviews should be done with providers

    Collecting attainment data with scorecards or tracking tools provides summary information on the performance of the service provider to their SLA obligations. This information should be used for regular reviews both internally and with the provider.

    Regular attainment reviews should be used for:

    • Performance trending upward or downward
    • Identifying opportunities to revise or improve SLOs
    • Optimizing SLO and processes
    • Creating a Performance Improvement Plan (PIP) for the service provider

    Some organizations choose to review SLA performance with providers at regular QBRs or at specific SLA review meetings

    This should be determined based on the criticality, risk, and strategic importance of the provider’s service. Providers that provide essential services like ERP, payroll, CRM, HRIS, IaaS etc. should be reviewed much more regularly to ensure that any decline in service is identified early and addressed properly in accordance with the service provider. Negative trending performance should also be documented for consideration at renewal time.

    3.4 Performance management

    Dealing with persistent poor performance and termination

    Service providers that consistently miss key service level metrics or KPIs present financial and security risk to the organization. Poor performance of a service provider reflects directly on the IT leadership and will affect many other business aspects of the organization including:

    • Ability to conduct day-to-day business activities
    • Meet internal obligations and expectations
    • Employee productivity and satisfaction
    • Maintain corporate policies or industry compliance
    • Meet security requirements

    Communication is key. Poor performance of a service provider needs to be dealt with in a timely manner in order to avoid more critical impact of the poor performance. Actions taken with the provider can also vary depending again on the criticality, risk, and strategic importance of the provider’s service.

    Performance reviews should provide the actions required with the goal of:

    • Making the performance problems into opportunities
    • Working with the provider to create a PIP with aggressive timelines and ramifications if not attained
    • Non-renewal or termination consideration, if feasible including provider replacement options, risk, costs, etc.
    • SLA renegotiation or revisions
    • Warning notifications to the service provider with concise issues and ramifications

    To avoid the issues and challenges of dealing with chronic poor performance, consider a Persistent or Chronic Failure clause into the SLA contract language. These clauses can define chronic failure, scenarios, ramifications there of, and defined options for the client including increased credit values, non-monetary remedies, and termination options without liability.

    Info-Tech Insight

    It’s difficult to prevent chronic poor performance but you can certainly track it and deal with it in a way that reduces risk and cost to your organization.

    SLA Hall of Shame

    Crazy service provider SLA content collection

    • Excessive list of unreasonable exclusions
    • Subcontractors’ behavior could be excluded
    • Downtime credit, equal to downtime percent x the MRC
    • Controllable FM events (internal labor issues, health events)
    • Difficult downtime or credit calculations that don’t make sense
    • Credits are not valid if agreement is terminated early or not renewed
    • Customer is not current on their account, SLA or credits do not count/apply
    • Total downtime = to prorated credit value (down 3 hrs = 3/720hrs = 0.4% credit)
    • SLOs don’t apply if customer fails to report the issue or request a trouble ticket
    • Downtime during off hours (overnight) do not count towards availability metrics
    • Different availability commitments based on different support-levels packages
    • Extending the agreement term by the length of downtime as a form of a remedy

    SLA Dos and Don’ts

    Dos

    • Do negotiate SLOs to vendor’s average performance
    • Do strive for automated reporting and credit processes
    • Do right-size and create your SLO criteria based on risk mitigation
    • Do review SLA attainment results with strategic service providers on a regular basis
    • Do ensure that all key elements and components of an SLA are present in the document or appendix

    Don'ts

    • Don’t accept the providers response that “we can’t change the SLOs for you because then we’d have to change them for everyone”
    • Don’t leave SLA preparation to the last minute. Give it priority as you negotiate with the provider
    • Don’t create complex SLAs with numerous service levels and SLOs that need to be reported and managed
    • Don’t aim for absolute perfection. Rather, prioritize which service levels are most important to you for the service

    Summary of Accomplishment

    Problem Solved

    Knowledge Gained

    • Understanding of the elements and components of an SLA
    • A list of SLO metrics aligned to service types that meet your organization’s criteria
    • SLA metric/KPI templates
    • SLA Management process for your provider’s service objectives
    • Reporting and tracking process for performance trending

    Deliverables Completed

    • SLA component and contract element checklist
    • Evaluation or service provider SLAs
    • SLA templates for strategic service types
    • SLA tracker for strategic service providers

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com

    1-888-670-8889

    Related Info-Tech Research

    Improve IT-Business Alignment Through an Internal SLA

    • Understand business requirements, clarify current capabilities, and enable strategies to close service-level gaps.

    Data center Co-location SLA & Service Definition Template

    • In essence, the SLA defines the “product” that is being purchased, permitting the provider to rationalize resources to best meet the needs of varied clients, and permits the buyer to ensure that business requirements are being met.

    Ensure Cloud Security in IaaS, PaaS, and SaaS Environments

    • Keep your information security risks manageable when leveraging the benefits of cloud computing.

    Bibliography

    Henderson, George. “3 Most Common Types of Service Level Agreement (SLA).” Master of Project Academy. N.d. Web.

    “Guide to Security Operations Metrics.” Logsign. Oct 5, 2020. Web.

    Lemos, Rob. “4 lessons from SOC metrics: What your SpecOps team needs to know.” TechBeacon. N.d. Web.

    “Measuring and Making the Most of Service Desk Metrics.” Freshworks. N.d. Web.

    Overby, Stephanie. “15 SLA Mistakes IT Leaders Still Make.” CIO. Jan 21, 2021.

    Initiate Digital Accessibility for IT

    • Buy Link or Shortcode: {j2store}520|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • Determining IT requirements (legal and business needs) is overwhelming.
    • Prioritizing people in the process is often overlooked.
    • Mandating changes instead of motivating change isn’t sustainable.

    Our Advice

    Critical Insight

    • Compliance is the minimum; the people and behavior changes are the harder part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility makes the necessary behavior changes easier. Communicate, communicate, and communicate some more.
    • Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative, however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging, the tendency is to start with tech or compliance, however, starting with the people is key. It must be culture.
    • Think about accessibility like you think about IT security. Use IT security concepts that you and your team are already familiar with to initiate the accessibility program.

    Impact and Result

    • Take away the overwhelm that many feel when they hear ‘accessibility’ and make the steps for your organization approachable.
    • Clearly communicate why accessibility is critical and how it supports the organization’s key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.
    • Build your accessibility plan while prioritizing the necessary culture change
    • Use change management and communication practices to elicit the behavior shift needed to sustain accessibility.

    Initiate Digital Accessibility for IT Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Initiate Digital Accessibility for IT – Use this blueprint to narrow down the requirements for your organization and team while also clearly communicating why accessibility is critical and how it supports the organization’s key objectives and initiatives.

    A step-by-step approach to walk you through understanding the IT accessibility compliance requirements, building your roadmap, and communicating with your department. This storyboard will help you figure out what’s needed from IT to support the business and launch accessibility with your team.

    • Initiate Digital Accessibility for IT – Phases 1-2

    2. IT Manager Meeting Template – A clear, concise, and compelling communication to introduce accessibility for your organization to IT managers and to facilitate their participation in building the roadmap.

    Accessibility compliance can be overwhelming at first. Use this template to simplify the requirements for the IT managers and build out a roadmap.

    • IT Manager Meeting Template

    3. Accessibility Compliance Tracking Tool – This tool helps to decrease the overwhelm of accessibility compliance. Narrow down the list of controls needed to the ones that apply to your organization and to IT.

    Using the EN 301 549 V3.2.1 (2021-03) as a basis for digital accessibility conformance. Use this tool to build a priorities list of requirements that are applicable to your organization.

    • Accessibility Compliance Tracking Tool

    4. Departmental Meeting Template – Cascade your communication down to the IT department with this facilitation guide for introducing accessibility and the roadmap to the entire IT team.

    Use this pre-built slide deck to customize your accessibility communication to the IT department. It will help you build a shared vision for accessibility, a current state picture, and plans to build to the target future state.

    • Departmental Meeting Template
    • Accessibility Quick Cards

    Infographic

    Further reading

    Initiate Digital Accessibility For IT

    Make accessibility accessible.

    EXECUTIVE BRIEF

    Analyst Perspective

    Accessibility is a practice, not a project.

    Accessibility is an organizational directive; however, IT plays a fundamental role in its success. As business partners require support and expertise to assist with their accessibility requirements IT needs to be ready to respond. Even if your organization hasn't fully committed to an accessibility standard, you can proactively get ready by planting the seeds to change the culture. By building understanding and awareness of the significant impact technology has on accessibility, you can start to change behaviors.

    Implementing an accessibility program requires many considerations: legal requirements; international guidelines, such as Web Content Accessibility Guidelines (WCAG); training for staff; ongoing improvement; and collaborating with accessibility experts and people with disabilities. It can be overwhelming to know where to start. The tendency is to start with compliance, which is a fantastic first step. For a sustained program use, change management practices are needed to change behaviors and build inclusion for people with disabilities.

    15% of the world's population identify as having some form of a disability (not including others that are impacted, e.g. caretakers, family). Why would anyone want to alienate over 1.1 billion people?

    This is a picture of Heather Leier-Murray

    Heather Leier-Murray
    Senior Research Analyst, People & Leadership
    Info-Tech Research Group

    Disability is part of being human

    Merriam-Webster defines disability as a "physical, mental, cognitive, or developmental condition that impairs, interferes with, or limits a person's ability to engage in certain tasks or actions or participate in typical daily activities and interactions."(1)

    The World Health Organization points out that a crucial part of the definition of disability is that it's not just a health problem, but the environment impacts the experience and extent of disability. Inaccessibility creates barriers for full participation in society.(2)

    The likelihood of you experiencing a disability at some point in your life is very high, whether a physical or mental disability, seen or unseen, temporary or permanent, severe or mild.(2)

    Many people acquire disabilities as they age yet may not identify as "a person with a disability."3 Where life expectancies are over 70 years of age, 11.5% of life is spent living with a disability. (4)

    "Extreme personalization is becoming the primary difference in business success, and everyone wants to be a stakeholder in a company that provides processes, products, and services to employees and customers with equitable, person-centered experiences and allows for full participation where no one is left out."
    – Paudie Healy, CEO, Universal Access

    (1.) Merriam-Webster
    (2.) World Health Organization, 2022
    (3.) Digital Leaders, as cited in WAI, 2018
    (4.) Disabled World, as cited in WAI, 2018

    Executive Summary

    Your Challenge

    You know the push for accessibility is coming in your organization. You might even have a program started or approval to build one. But you're not sure if you and your team are ready to support and enable the organization on its accessibility journey.

    Common Obstacles

    Understanding where to start, where accessibility lives, and if or when you're done can be overwhelmingly difficult. Accessibility is an organizational initiative that IT enables; being able to support the organization requires a level of understanding of common obstacles.

    • Determining IT requirements (legal and business needs) is overwhelming.
    • Prioritizing people in the process is often overlooked.
    • Mandating changes instead of motivating change isn't sustainable.

    Info-Tech's Approach

    Prepare your people for accessibility and inclusion, even if your organization doesn't have a formal standard yet. Take your accessibility from mandate to movement, i.e. from Phase 1 - focused on compliance to Phase 2 - driven by experience for sustained change.

    • Use this blueprint to build your accessibility plan while prioritizing the necessary culture change.
    • Use change management and communication practices to elicit the behavior shift needed to sustain accessibility.

    Info-Tech Insight

    Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative; however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging because the tendency is to start with tech or compliance; however, starting with the people is key. It must be a change in organizational culture.

    Your challenge

    This research is designed to help IT leaders who are looking to:

    • Determine accessibility requirements of IT based on the business' needs and priorities, and the existing standards and regulations.
    • Prepare the IT leaders to implement and sustain accessibility and prepare for the behavior shift that is necessary.
    • Build the plan for IT as it pertains to accessibility, including a list of business needs and priorities, and prioritization of accessibility initiatives that IT is responsible for.
    • Ensure that accessibility is sustained in the IT department by following phase 2 of this blueprint on using change management and communication to impact behavior and change the culture.

    90% of companies claim to prioritize diversity.
    Source: Harvard Business Review, 2020

    Over 30% of those that claim to prioritize diversity are focused on compliance.
    Source: Harvard Business Review, 2022

    Accessibility is an organizational initiative

    Is IT ready and capable to enable it?

    • With increasing rates of lawsuits related to digital accessibility, more organizations are prioritizing initiatives to support increased accessibility. About 68% of Applause's survey respondents indicated that digital accessibility is a higher priority for their organization than it was last year.
    • This increase in priority will trickle into IT's tasks – get ahead and start working toward accessibility proactively so you're ready when business requests start coming in.

    A survey of nearly 1,800 respondents conducted by Applause found that:

    • 79% of respondents rated digital accessibility either a top priority or important for their organizations.
    • 42% of respondents indicated they have limited or no in-house expertise or resources to test accessibility.
      Source: Business Wire, May 2022

    How organizations prioritize digital accessibility

    • 43% rated accessibility as a top priority.
    • 36% rated accessibility as important.
    • Fewer than 5% rated accessibility as either low priority or not even on the radar.
    • More than 65% agreed or strongly agreed that accessibility is a higher priority than last year.

    Source: Angel Business Communications, 2022

    Why organizations address accessibility

    Top three reasons:

    1. 61% To comply with laws
    2. 62% To provide the best user experience
    3. 78% To include people with disabilities
      Source: Level Access, 2022

    Still, most businesses aren't meeting compliance standards. Even though legislation has been in place for over 30 years, a 2022 study by WebAIM of 1,000,000 homepages returned a 96.8% WCAG 2.0 failure rate.

    Source: Institute for Disability Research, Policy, and Practice, 2022

    Info-Tech's approach to Initiate Digital Accessibility

    An image of the Business Case for Accessibility

    The Info-Tech difference:

    1. Phase 1 of this blueprint gets you started and helps you build a plan to get you to the initial compliance driven maturity level. It's focused more on standards and regulations than on the user and employee experience.
    2. Phase 2 takes you further in maturity and helps you become experience driven in your efforts. It focuses on building your accessibility maturity into the developing, defined, and managed levels, as well as balancing mandate and movement of the accessibility maturity continuum.

    Determining conformance seems overwhelming

    Unfortunately, it's the easier part.

    • Focus on local regulations and what corporate leaders are setting as accessibility standards for the organization. This will narrow down the scope of what compliance looks like for your team.
    • Look to best practices like WCAG guidelines to ensure digital assets are accessible and usable for all users. WCAG's international guideline outlines principles that can also aid in scoping.
    • In phase 1 of this blueprint, use the Accessibility Compliance Tracking Toolto prioritize criteria and legislation for which IT is responsible.
    • Engage with business partners and other areas of the organization to figure out what is needed from IT. Accessibility is an organizational initiative; it shouldn't be on IT to figure it all out. Determine what your team is specifically responsible for before tackling it all.

    Motivating behavior change

    This is the hard part.

    Changing behaviors and mindsets is necessary to be experience driven and sustain accessibility.

    • Compliance is the minimum when it comes to accessibility, much like employment or labor regulations.
    • Making accessibility an organizational imperative is an iterative process. Managing the change is hard. People, culture, and behavior change matures accessibility from compliance driven to experience driven, increasing the benefits of accessibility.
    • Focus accessibility initiatives on improving the experience of everyone and improving engagement (customer and employee).
    • Being people focused and experience driven enables the organization to provide the best user experience and realize the benefits of accessibility.

    A picture of Jordyn Zimmerman

    "Compliance is the minimum. And when we look at web tech, people are still arguing about their positioning on the standards that need to be enforced in order to comply, forgetting that it isn't enough to comply."
    -- Jordyn Zimmerman, M.Ed., Director of Professional Development, The Nora Project, and Appointee, President's Committee for People with Intellectual Disabilities.

    This is an image of the Info-Tech Accessibility Maturity Framework Table.

    To see more on the Info-Tech Accessibility Maturity Framework:

    The Accessibility Business Case for IT

    Think of accessibility like you think of IT security

    Use IT security concepts to build your accessibility program.

    • Risk management: identify and prioritize accessibility risks and implement controls to mitigate those risks.
    • Compliance: use an IT security-style compliance approach to ensure that the accessibility program is compliant with the many accessibility regulations and standards.
    • Defense in depth: implement multiple layers of accessibility controls to address different types of accessibility risks and issues.
    • Response and recovery: quickly and effectively respond to accessibility issues, minimizing the potential impact on the organization and its users.
    • End-user education: educate end users about accessibility best practices, such as how to use assistive technologies and how to report accessibility issues.
    • Monitor and audit: use monitoring and auditing tools to ensure that accessibility remains over time and to identify and address issues that arise.
    • Collaboration: ensure the accessibility program is effective and addresses the needs of all users by collaborating with accessibility experts and people with disabilities.

    "As an organization matures, the impact of accessibility shifts. A good company will think of security at the very beginning. The same needs to be applied to accessibility thinking. At the peak of accessibility maturity an organization will have people with disabilities involved at the outset."
    -- Cam Beaudoin, Owner, Accelerated Accessibility

    This is a picture of Cam Beaudoin

    Info-Tech's methodology for Initiate Digital Accessibility for IT

    1. Planning IT's accessibility requirements

    2. Change enablement of accessibility

    Phase Steps

    1. Determine accessibility requirements of IT
    2. Build the IT accessibility plan
    1. Build awareness
    2. Support new behaviors
    3. Continuous reinforcement

    Phase Outcomes

    List of business needs and priorities related to accessibility

    IT accessibility requirements for conformance

    Assessment of state of accessibility conformance

    Prioritization of accessibility initiatives for IT

    Remediation plan for IT related to accessibility conformance

    Accessibility commitment statement

    Team understanding of what, why, and how

    Accessibility Quick Cards

    Sustainment plan

    Insight summary

    Overarching insight

    Accessibility is a practice, not a project. Therefore, accessibility is an organizational initiative; however, IT support is critical. Use change management theory to guide the new behaviors, processes, and thinking to adopt accessibility beyond compliance. Determining where to start is challenging. The tendency is to start with tech or compliance; however, starting with the people is key. It must be a change in organizational culture.

    Insight 1

    Compliance is the minimum; people and behavior changes are the hardest part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility makes the necessary behavior changes easier. Communicate, communicate, and communicate some more.

    Insight 2

    Think about accessibility like you think about IT security. Use IT security concepts that you and your team are already familiar with to initiate the accessibility program.

    Insight 3

    People are learning a new way to behave and think; this can be an unsettling period. Patience, education, communication, support, and time are keys for success of the implementation of accessibility. There is a transition period needed; people will gradually change their practices and attitudes. Celebrate small successes as they arise.

    Insight 4

    Accessibility isn't a project as there is no end. Effective planning and continuous reinforcement of "the new way of doing things" is necessary to enable accessibility as the new status quo.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals.

    IT Manager Meeting Template

    IT Manager Meeting Template
    Use this meeting slide deck to work with IT managers to build out the accessibility remediation plan and commitment statement.

    Departmental Meeting Template

    Departmental Meeting Template
    Use this meeting slide deck to introduce the concept of accessibility and communicate IT goals and objectives.

    Accessibility Quick Cards

    Accessibility Quick Cards
    Using the Info-Tech IT Management and Governance Framework to identify key activities to help improve and maintain the accessibility of your organization and your core IT processes.

    Key deliverable:

    Accessibility Compliance Tracking Tool

    Accessibility Compliance Tracking Tool
    This tool will assist you in identifying remediation priorities applicable to your organization.

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Know and understand your role and responsibility in accessibility implementation within the organization.
    • Provide effective support and excellent business service experience to internal stakeholders related to accessibility.
    • You will be set up to effectively support your team through the necessary behavior, process, and thinking changes.
    • Proactively prepare for accessibility requests that will be coming in.
    • Move beyond compliance to support your organization's sustainment of accessibility.
    • Don't lose out on a trillion-dollar market.
    • Don't miss opportunities to work with organizations because you're not accessible.
    • Enable and empower current employees with disabilities.
    • Minimize potential for negative brand reputation due to a lack of consideration for people with disabilities.
    • Decrease the risk of legal action being brought upon the organization.

    Measure the value of this blueprint

    Improve IT effectiveness and employee buy-in to change.

    Measuring the effectiveness of your program helps contribute to a culture of continuous improvement. Having consistent measures in place helps to inform decisions and enables your plan to be iterative to take advantage of emerging opportunities.

    Monitor employee engagement, overall stakeholder satisfaction with IT, and the overall end-customer satisfaction.

    Remember, accessibility is not a project – just because measures are positive does not mean your work is done.

    In phase 1 of this blueprint, we will help you establish metrics for your organization.
    In phase 2, we will help you develop a sustainment for achieving those metrics.

    A screenshot of the slide titled Establish Baseline Metrics.

    Suggested Metrics
    • Overall end-customer satisfaction
    • Requests for accommodation or assistive technology fulfilled
    • Employee engagement
    • Overall compliance status

    Info-Tech's IT Metrics Library

    Executive brief case study

    INDUSTRY: Technology


    SOURCE: Microsoft.com
    https://blogs.microsoft.com/accessibility/accessib...

    Microsoft

    Microsoft's accessibility journey starts with the goal of building a culture of accessibility and disability inclusion. They recognize that the starting point for the magnitude of organizational change is People.

    "Accessibility in Action Badge"

    Every employee at Microsoft is trained on accessibility to build understanding of why and how to be inclusive using accessibility. The program entails 90 minutes of virtual content.

    Microsoft treats accessibility and inclusion like a business, managing and measuring it to ensure sustained growth and success. They have worked over the years to bust systemic bias company-wide and to build a program with accessibility criteria that works for their business.

    Results

    The program Microsoft has built allows them to shift the accessibility lens earlier in their processes and listen to its users' needs. This allows them to continuously mature their accessibility program, which means continuously improving its users' experience.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided implementation

    What does a typical guided implementation (GI) on this topic look like?

    Phase 1 Phase 2

    Call #1: Discuss motivation for the initiative and foundational knowledge requirements.
    Call #2: Discuss stakeholder analysis and business needs of IT.

    Call #3: Identify current maturity and IT accountabilities.
    Call #4: Discuss introduction to senior IT leaders and drivers.
    Call #5: Discuss manager meeting outline and slides.

    Call #6: Review key messages and next steps to prepare for departmental meeting.
    Call #7: Discuss post-meetings next steps and timelines.

    Call #8: Review sustainment plan and plan next steps.

    A GI is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is eight to ten calls over the course of four to six months.

    Workshop overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Understand Your Legislative Environment

    Understand Your Current State

    Define the
    IT Target State

    Build the IT Accessibility Plan

    Prepare for Change Enablement

    Next Steps and
    Wrap-Up

    Activities

    0.1 Make a list of the legislation you need to comply with
    0.2 Seek legal counsel or and/or professional services' input on compliance
    0.3 Complete the Accessibility Maturity Assessment
    0.4 Conduct stakeholder analysis

    1.1 Define the risks of inaction
    1.2 Review maturity assessment
    1.3 Conduct stakeholder focus group

    2.1 Define IT compliance accountabilities
    2.2 Define IT accessibility goals/objectives/ metrics
    2.3 Indicate the target-state maturity

    3.1 Assess current accessibility compliance and mitigation
    3.2 Decide on priorities
    3.3 Write an IT accessibility commitment statement

    4.1 Prepare the roadmap
    4.2 Prepare the communication plan

    5.1 Complete in-progress deliverables from previous four days
    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables

    1. Legislative requirements for your organization
    2. List of stakeholders
    3. Completed maturity assessment.
    1. Defined risks of inaction
    2. Stakeholder analysis completed with business needs identified
    1. IT accessibility goals/objectives
    2. Target maturity
    1. Accessibility Compliance Tracking Tool completed
    2. Accessibility commitment statement
    3. Current compliance and mitigation assessed
    1. IT accessibility roadmap
    2. Communication plan
    1. IT accessibility roadmap
    2. Communication plan

    Phase 1

    Planning IT's Accessibility Requirements.

    Phase 1

    Phase 2

    1.1 Determine accessibility requirements of IT

    1.2 Build IT accessibility plan

    2.1 Build awareness

    2.2 Support new behaviors

    2.3 Continuous reinforcement

    Initiate Digital Accessibility For IT

    This phase will walk you through the following activities:

    • Analyzing stakeholders to determine accessibility needs of business for IT.
    • Determining accessibility compliance requirements of IT.
    • Build a manager communication deck.
    • Assess current accessibility compliance and mitigation.
    • Prioritize and assign timelines.
    • Build a sunrise diagram to visualize your accessibility roadmap.
    • Write an IT accessibility commitment statement.

    This phase involves the following participants:

    • CIO
    • IT leadership team
    • Business partners in other areas of the organization (e.g., HR, finance, communications)

    Step 1.1

    Determine the accessibility requirements of IT.

    Activities

    1.1.1 Determine what the business needs from IT
    1.1.2 Complete the Accessibility Maturity Assessment (optional)
    1.1.3 Determine IT compliance requirements
    1.1.4 Define target state
    1.1.5 Create a list of goals and objectives
    1.1.6 Finalize key metrics
    1.1.7 Prepare a meeting for IT managers

    Prepare to support the organization with accessibility

    This step involves the following participants:

    • CIO
    • IT senior leaders
    • IT managers
    • Business partners in other areas of the organization (e.g., HR, finance, communications)

    Outcomes of this step

    • Stakeholder analysis with business needs listed
    • Defined target future state
    • List of goals and objectives
    • Key metrics
    • Communication deck for IT management rollout meeting

    While defining future state, consider your drivers

    The Info-Tech Accessibility Maturity Framework identifies three key strategic drivers: compliance, experience, and incorporation.

    • Over 30% of organizations are focused on compliance, according to a 2022 survey by Harvard Business Review and Slack's Future Forum. The survey asked more than 10,000 workers in six countries about their organizations' approach to diversity, equity, and inclusion (DEI).(2)
    • Even though 90% of companies claim to prioritize diversity, over 30% are focused on compliance.(1)

    1. Harvard Business Review, 2020
    2. Harvard Business Review, 2022

    31.6% of companies remain in the compliant stage where they are focused on DEI compliance and not on integrating DEI throughout the organization or on creating continual improvement, from Harvard Business Review 2022.

    Info-Tech accessibility maturity framework

    This is an image of Info-Tech's accessibility maturity framework

    Info-Tech Insight

    IT typically works through maturity frameworks from the bottom to the top, progressing at each level until they reach the end. When it comes to IT accessibility initiatives, being especially thorough, thoughtful, and collaborative is critical to success. This will mean spending more time in the Developing, Defined, and Managed levels of maturity rather than trying to reach Optimized as quickly as you can. This may feel contrary to what IT historically considers as a successful implementation.

    After initially ensuring your organization is compliant with regulations and standards, you will progress to building disciplined process and consistent standardized processes. Eventually you will build the ability for predictable process, and lastly, you'll optimize by continuously improving.

    Depending on the level of maturity you are trying to achieve, it could take months or even years to implement. The important thing to understand, however, is that accessibility work is never done.

    At all levels of the maturity framework, you must consider the interconnected aspects of people, process, and technology. However, as the organization progresses, the impact will shift from largely being focused on process and technology improvement to being focused on people.

    Align the benefits of program drivers to organizational goals or outcomes

    Although there will be various motivating factors, aligning the drivers of your accessibility program provides direction to the program. Connecting the advantages of program drivers to organizational goals builds the confidence of senior leaders and decision makers, increasing the continued commitment to invest in accessibility programming.

    This is an image of a table describing the maturity level; Description; Advantages, and Disadvantages for the three drivers: Compliance; Experience; and Incorporation.

    Accessibility maturity levels

    Driver Description Benefits
    Initial Compliance
    • Accessibility processes are mostly undocumented.
    • Accessibility happens mostly on a reactive or ad hoc basis.
    • No one is aware of who is responsible for accessibility or what role they play.
    • Heavily focused on complying with regulations and standards to decrease legal risk.
    • The organization is aware of the need for accessibility.
    • Legal risk is decreased.
    Developing Experience
    • The organization is starting to take steps to increase accessibility beyond compliance.
    • Lots of opportunity for improvement.
    • Defining and refining processes.
    • Working toward building a library of assistive tools.
    • Awareness of the need for accessibility is growing.
    • Process review for accessibility increases process efficiency through avoiding rework.
    Defined Experience
    • Accessibility processes are repeatable.
    • There is a tendency to resort to old habits under stress.
    • Tools are in place to facilitate accommodation.
    • Employees know accommodations are available to them.
    • Accessibility is becoming part of daily work.
    Managed Experience
    • Defined by effective accessibility controls, processes, and metrics.
    • Mostly anticipating preferences.
    • Roles and responsibilities are defined.
    • Disability is included as part of DEI.
    • Employees understand their role in accessibility.
    • Engagement is positively impacted.
    • Attraction and retention are positively impacted.
    Optimized Incorporation
    • Not the goal for every organization.
    • Characterized by a dramatic shift in organizational culture and a feeling of belonging.
    • Ongoing continuous improvement.
    • Seamless interactions with the organization for everyone.
    • Using feedback to inform future initiatives.
    • More likely to be innovative and inclusive, reach more people positively, and meet emerging global legal requirements.
    • Better equipped for success.

    Cheat sheet: Identify stakeholders

    Ask stakeholders, "Who else should I be talking to?" to discover additional stakeholders and ensure you don't miss anyone.

    Identify stakeholders through the following questions:

    Take a 360-degree view of potential internal and external stakeholders who might be impacted by the initiative.

    • Who in areas of influence will be adversely affected by potential environmental and social impacts of what you are doing?
    • At which stage will stakeholders be most affected (e.g. procurement, implementation, operations, decommissioning)?
    • Will other stakeholders emerge as the phases are started and completed?
    • Who is sponsoring the initiative?
    • Who benefits from the initiative?
    • Who is negatively impacted by the initiative?
    • Who can make approvals?
    • Who controls resources?
    • Who has specialist skills?
    • Who implements the changes?
    • Who are the owners, governors, customers, and suppliers of impacted capabilities or functions?
    • Executives
    • Peers
    • Direct reports
    • Partners
    • Customers
    • Subcontractors
    • Suppliers
    • Contractors
    • Lobby groups
    • Regulatory agencies

    Categorize your stakeholders with a stakeholder prioritization map

    A stakeholder prioritization map help teams categorize their stakeholders by their level of influence and ownership.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    This is an image of a quadrant analysis for mediators; players; spectators; and noisemakers.
    • Players – Players have a high interest in the initiative and high influence to affect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.
    • Mediators – Mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.
    • Noisemakers – Noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.
    • Spectators – Generally, spectators are apathetic and have little influence over or interest in the initiative.

    Strategize to engage stakeholders by type

    Each group of stakeholders draws attention and resources away from critical tasks.

    By properly identifying your stakeholder groups, you can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy spectators and noisemakers while ensuring the needs of the mediators and players are met.

    Type Quadrant Actions
    Players High influence, high interest Actively Engage
    Keep them engaged through continuous involvement. Maintain their interest by demonstrating their value to its success.
    Mediators High influence, low interest Keep Satisfied
    They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust, and include them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers Low influence, high interest Keep InformedTry to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using mediators to help them.
    Spectators Low influence, low interest MonitorThey are followers. Keep them in the loop by providing clarity on objectives and status updates.

    1.1.1 Determine what the business needs from IT (stakeholder analysis)

    1.5 hours

    1. Consider all the potential individuals or groups of individuals who will be impacted or influence the accessibility needs of IT.
    2. List each of the stakeholders you identify. If in person, use sticky notes to define the target audiences. The individuals or group of individuals that potentially have needs from IT related to accessibility before, during, or after the initiative.
    3. As you list each stakeholder, consider how they perceive IT. This perception could impact how you choose to interact with them.
    4. For each stakeholder identified as potentially having a business need requirement for IT related to accessibility, conduct an analysis to understand their degree of influence or impact.
    5. Based on the stakeholder, the influence or impact of the business need can inform the interaction and prioritization of IT requirements.
    6. Update slide 9 of the IT Manager Meeting Template.

    Input

    • The change
    • Why the change is needed
    • Key stakeholder map from activity 2.1.1 of The Accessibility Business Case for IT (optional)

    Output

    • The degree of influence or impact each stakeholder has on accessibility needs from IT

    Materials

    • Stakeholder Management Analysis Tool (optional)

    Participants

    • CIO/ head of IT/ initiative lead
    • Business partners

    Proactively consider how accessibility could be received

    Think about the positive and negative reactions you could face about implementing accessibility.

    It's likely individuals will have an emotional reaction to change and may have different emotions at different times during the change process.
    Plan for how to leverage support and deal with resistance to change by assessing people's emotional responses:

    • What are possible questions, objections, suggestions, and concerns that might arise.
    • How will you respond to the possible questions and concerns.
    • Include proactive messaging in your communications that address possible objections.
    • Express an understanding for others point of views by re-positioning objections and suggestions as questions.

    This is an image of the 10 change chakras

    Determine your level of maturity

    Use Info-Tech's Accessibility Maturity Assessment.

    On the accessibility questionnaire, tab 2, choose the amount you agree or disagree with each statement. Answer the questions based on your knowledge of your current state organizationally.

    Once you've answered all the questions, see the results on the tab 3, Accessibility Results. You can see your overall maturity level and the maturity level for each of six dimensions that are necessary to increase the success of an accessibility program.

    Click through to tab 4, Recommendations, to see specific recommendations based on your results and proven research to progress through the maturity levels. Keep in mind that not all organizations will or should aspire to the "Optimize" maturity level.

    A series of three screenshots from the Accessibility Maturity Assessment

    Download the Accessibility Maturity Assessment

    1.1.2 Complete the Accessibility Maturity Assessment (optional)

    1. Download the Accessibility Maturity Assessment and save it with the date so that as you work on your accessibility program, you can reassess later and track your progress.
    2. Once you have saved the assessment, select the appropriate answer for each statement on tab 2, Accessibility Questions, based on your knowledge of the organization's approach.
    3. After reviewing all the accessibility statements, see your maturity level results on tab 3, Accessibility Results. Then see tab 4, Recommendations, for suggestions based on your answers.
    4. Document your accessibility maturity results on slides 12 and 13 of the IT Manager Meeting Template and slide 17 of the Departmental Meeting Template.
    5. Use the maturity assessment results in activity 1.1.3.

    Input

    • Assess your current state of accessibility by choosing all the statements that apply to your organization

    Output

    • Identified accessibility maturity level

    Materials

    • Accessibility Maturity Assessment
    • Accessibility Business Case Template

    Participants

    • Project leader/sponsor
    • IT leadership team

    1.1.3 Determine IT compliance responsibilities

    1-3 hours

    Before you start this activity, you may need to discuss with your organization's legal counsel to determine the legislation that applies to your organization.

    1. Determine which controls apply to your organization based on your knowledge of the organization goals, stakeholders, and accessibility maturity target. If you haven't determined your current and future state maturity model, use the Info-Tech resource from the Accessibility Business Case for IT(see previous two slides).
    2. Using the drop down in column J – Applies to My Org., select "Yes" or "No" for each control on each of the data entry tabs of the Accessibility Compliance Tracking Tool.
    3. For each control you have selected "Yes" for in column J, identify the control owner in column I.
    4. Update slide 10 in the IT Manager Meeting Template and slide 13 in the IT Departmental Meeting Template.

    Input

    • Local, regional, and/or global legislation and guidelines applicable to your organization
    • Organizational accessibility standard
    • Business needs list
    • Completed Accessibility Maturity Assessment (optional)

    Output

    • List of legislation and standards requirements that are narrowed based on organization need

    Materials

    • Accessibility Maturity Assessment
    • Accessibility Business Case Template

    Participants

    • CIO/ head of IT/ CAO/ initiative leader
    • Legal counsel

    Download the Accessibility Compliance Tracking Tool

    1.1.4 Conduct future-state analysis*

    Identify your target state of maturity.

      1. Provide the group with the accessibility maturity levels to review as well as the slides on the framework and drivers (slides 27-29).
      2. Ask the group to brainstorm pain points created by inaccessibility (e.g. challenges related to stakeholders, process issues).
      3. Next, discuss opportunities to be gained from improving these practices.
      4. Then, have everyone look at the accessibility maturity levels and, based on the descriptions, determine as a group the current maturity level of accessibility in your organization .
      5. Next, review the benefits listed on the accessibility maturity levels slide to those that you named in step 3 and determine which maturity level best describes your target state. Discuss as a group and agree on one desired maturity level to reach.
      6. Document your current and target states on slide 14 of the IT Manager Meeting Template.

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activities 2.1.2 and 2.1.3.

    Input

    • Accessibility maturity levels chart, framework, and drivers slides
    • Maturity level assessment results (optional)

    Output

    • Target maturity level documented

    Materials

    • Paper and pens
    • Handouts of maturity levels

    Participants

    • CIO
    • IT senior leaders

    What does a good goal look like?

    SMART is a common framework for setting effective goals. Make sure your goals satisfy these criteria to ensure you can achieve real results.

    Use the SMART framework to build effective goals.

    S

    Specific: Is the goal clear, concrete, and well defined?

    M

    Measurable: How will you know when the goal is met?

    A

    Achievable: Is the goal possible to achieve in a reasonable time?

    R

    Relevant: Does this goal align with your responsibilities and with departmental and organizational goals?

    T

    Time-based: Have you specified a time frame in which you aim to achieve the goal?

    1.1.5 Create a list of goals and objectives*

    Use the outcomes from activity 1.2.1.

    1. Using the information from activity 1.2.1, develop goals.
    2. Remember to use the SMART goal framework to build out each goal (see the previous slide for more information on SMART goals).
    3. Ensure each goal supports departmental and organizational goals to ensure it is meaningful.
    4. Document your goals and objectives on slides 6 and 9 in your IT Manager Meeting Template.

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activity 2.2.1.

    Input

    • Outcomes of activity 1.2.1
    • Organizational and departmental goals

    Output

    • Accessibility goals and objectives identified

    Materials

    • n/a

    Participants

    • CIO/ head of IT/ initiative lead
    • IT senior leaders

    Establish baseline metrics

    Baseline metrics will be improved through:

    1. Progressing through the accessibility maturity model.
    2. Addressing accessibility earlier in processes with input from people with disabilities.
    3. Motivating behavior changes and culture that supports accessibility and disability inclusion.
    4. Ensuring compliance with regulations and standards.
    5. Focusing on experience and building a disability inclusive culture.
    Metric Definition Calculation
    Overall end-customer satisfaction The percentage of end customers who are satisfied with the IT department. Number of end customers who are satisfied / Total number of end customers
    Requests for accommodation or assistive technology fulfilled The percentage of accommodation/assistive technology requests fulfilled by the IT department. Number of requests fulfilled / Total number of requests
    Employee engagement The percentage of employees who are engaged within an organization. Number of employees who are engaged / Total number of employees
    Overall compliance status The percentage of accessibility controls in place in the IT department. The number of compliance controls in place / Total number of applicable accessibility controls

    1.1.6 Finalize key metrics*

    Finalize key metrics the organization will use to measure accessibility success.

    1. Brainstorm how you will measure the success of each goal you identified in the previous activity, based on the benefits, challenges, and risks you previously identified.
    2. Write each of the metric ideas down and finalize three to five key metrics which you will track. The metrics you choose should relate to the key challenges or risks you have identified and match your desired maturity level and driver.
    3. Document your key metrics on slide 15 of your IT Manager Meeting Templateand slide 23 of the Departmental Meeting Template.

    Input

    • Accessibility challenges and benefits
    • Goals from activity 1.2.2

    Output

    • Three to five key metrics to track

    Materials

    • n/a

    Participants

    • IT leadership team
    • Project lead/sponsor

    *Note: If you've completed the Accessibility Business Case for IT blueprint you may already have this information compiled. Refer to activity 2.2.2.

    Use Info-Tech's template to communicate with IT managers

    Cascade messages down to IT managers next. This ensures they will have time to internalize the change before communicating it to others.

    Communicate with and build the accessibility plan with IT managers by customizing Info-Tech's IT Manager Meeting Template, which is designed to effectively convey your key messages. Tailor the template to suit your needs.

    It includes:

    • Project scope and objectives
    • Current state analysis
    • Compliance planning
    • Commitment statement drafting

    IT Manager Meeting Template

    Download the IT Manager Meeting Template

    Info-Tech Insight

    Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier.

    1.1.7 Prepare a meeting for IT managers

    Now that you understand your current and desired accessibility maturity, the next step is to communicate with IT managers and begin planning your initiatives.

    Know your audience:

    1. Consider who will be included in your presentation audience.
    2. You want your presentation to be succinct and hard-hitting. Managers are under huge demands and time is tight, they will lose interest if you drag out the delivery.
    3. Contain the presentation and planning activities to no more than an afternoon. You want to ensure adequate time for questions and answers, as well as the planning activities necessary to inform the roll out to the larger IT department later.
    4. Schedule a meeting with the IT managers.

    Download the IT Manager Meeting Template

    Input

    • Activity results

    Output

    • A completed presentation to communicate your accessibility initiatives to IT managers

    Materials

    • IT Manager Meeting Template

    Participants

    • CIO/ head of IT/ initiative lead
    • IT senior leaders
    • IT managers

    Step 1.2

    Build the IT accessibility action plan.

    Activities

    1.2.1 Assess current accessibility compliance and mitigation

    1.2.2 Decide on your priorities

    1.2.3 Add priorities to the roadmap

    1.2.4 Write an IT accessibility commitment statement

    Planning IT's accessibility requirements

    This step involves the following participants:

    • CIO/ head of IT/ initiative lead
    • IT senior leaders
    • IT managers

    Outcomes of this step

    • Priority controls and mitigation list with identified control owners.
    • IT accessibility commitment statement.
    • Draft visualization of roadmap/sunrise diagram.

    Involve managers in assessing current compliance

    To know what work needs to happen you need to know what's already happening.

    Use the spreadsheet from activity 1.1.3 where you identified which controls apply to your organization.

    Have managers work in groups to identify which controls (of the applicable ones) are currently being met and which ones have an existing mitigation plan.

    Info-Tech Insight

    Based on EN 301 549 V3.2.1 (2021-03) as a basis for digital accessibility conformance. This tool is designed to assist you in building a priorities list of requirements that are applicable to your organization. EN 301 549 is currently the most robust accessibility regulation and encompasses other regulations within it. Although EN 301 549 is the European Standard, other countries are leaning on it as the standard they aspire to as well.

    This is an image of the Compliance Tracing Tool, with a green box drawn around the columns for Current Compliance, and Mitigation.

    1.2.1 Assess current accessibility compliance and mitigation

    1-3 hours

    1. Share the Accessibility Compliance Tracking Tool with the IT leaders and managers during the meeting with IT management that you scheduled in activity 1.1.7.
    2. Break into smaller groups (or if too small, continue as a single group):
      1. Divide up the controls between the small groups to work on assessing current compliance and mitigation plans.
      2. For each control that is identified as applying to your organization, identify if there currently is compliance by selecting "yes" from the drop-down. For controls where the organization is not compliant, select "no" and identify if there is a mitigation plan in place by selecting "yes" or "no" in column L.
      3. Use the comments column to add any pertinent information regarding the control.

    Input

    • List of IT compliance requirements applicable to the org. from activities 1.1.2 and 1.1.3

    Output

    • List of IT compliance requirements that have current compliance or mitigation plans

    Materials

    • Accessibility Compliance Tracking Tool

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Download the Accessibility Compliance Tracking Tool

    Involve managers in building accountability into the accessibility plan

    Building accountability into your compliance tracking will help ensure accessibility is prioritized.

    Use the spreadsheet from activity 1.3.1.

    Have managers work in the same groups to prioritize controls by assigning a quarterly timeline for compliance.

    An image of the Compliance Tracking tool, with the timeline column highlighted in green.

    1.2.2 Decide on your priorities

    1-3 hours

    1. In the same groups used in activity 1.2.1, prioritize the list of controls that have no compliance and no mitigation plan.
    2. As you work through the spreadsheet again, assign a timeline using the drop-down menu in column M for each control that applies to the organization and has no current compliance. Consider the following in your prioritization:
      1. Does the control impact customers or is it public-facing?
      2. What are the business needs related to accessibility?
      3. Does the team currently have the skills and knowledge needed to address the control?
      4. What future state accessibility maturity are you targeting?
    3. Be prepared to review with the larger group.

    Input

    • List from activity 1.2.1
    • Business needs from activity 1.1.1

    Output

    • List of IT compliance requirements with accountability timelines

    Materials

    • Accessibility Compliance Tracking Tool

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Download the Accessibility Compliance Tracking Tool

    Review your timeline

    Don't overload your team. Make sure the timelines assigned in the breakout groups make sense and are realistic.

    A screenshot of the Accessibility Compliance Dashboard.

    Download the Accessibility Compliance Tracking Tool

    Empty roadmap template

    An image of an empty Roadmap Template.

    1.2.3 Add priorities to the roadmap

    1 hour

    1. Using the information entered in the compliance tracking spreadsheet during activities 1.2.1 and 1.2.2, build a visual representation to capture your strategic initiatives over time, using themes and timelines. Consider group initiatives in four categories, technology, people, process, and other.
    2. Copy and paste the controls onto the roadmap from the Accessibility Compliance Tracking Toolto the desired time quadrant on the roadmap.
    3. Set your desired timelines by changing the Q1-Q4 blocks (set the timelines that make sense for your situation).

    Input

    • Output of activity 1.2.2
    • Roadmap template
    • Other departmental project plans and timelines

    Output

    • Visual roadmap of accessibility compliance controls

    Materials

    • n/a

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Communicate commitment

    Support people leaders in leading by example with an accessibility commitment statement.

    A commitment statement communicates why accessibility and disability inclusion are important and guides behaviors toward the ideal state. The statement will guide and align work, build accountability, and acknowledge the dedication of the leadership team to accessibility and disability inclusion. The statement will:

    • Publicly commit the team to fostering disability inclusivity.
    • Highlight related values and goals of the team or organization.
    • Set expectations.
    • Help build trust and increase feelings of belonging.
    • Connect the necessary changes (people, process, and technology related) to organization strategy.

    Take action! Writing the statement is only the first step. It takes more than words to build accessibility and make your work environment more disability inclusive.

    Info-Tech Insight

    Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier.

    Sample accessibility commitment statements

    theScore

    "theScore strives to provide products and services in a way that respects the dignity and independence of persons with disabilities. We are committed to giving persons with disabilities the same opportunity to access our products and services and allowing them to benefit from the same services, in the same place and in a similar way as other clients. We are also committed to meeting the needs of persons with disabilities in a timely manner, and we will meet applicable legislative requirements for preventing and removing barriers."(1)

    Apple Canada

    "Apple Canada is committed to ensuring equal access and participation for people with disabilities. Apple Canada is committed to treating people with disabilities in a way that allows them to maintain their dignity and independence. Apple Canada believes in integration and is committed to meeting the needs of people with disabilities in a timely manner. Apple Canada will do so by removing and preventing barriers to accessibility and meeting accessibility requirements under the AODA and provincial and federal laws across Canada." (2)

    Google Canada

    "We are committed to meeting the accessibility needs of people with disabilities in a timely manner, and will do so by identifying, preventing and removing barriers to accessibility, and by meeting the accessibility requirements under the AODA." (3)

    Source 1: theScore
    Source 2: Apple Canada
    Source 3: Google Canada.

    1.2.4 Write an IT accessibility commitment statement

    45 minutes

    1. As a group, brainstorm the key reasons and necessity for disability inclusion and accessibility for your organization, and the drivers and behaviors required. Record the ideas brainstormed by the group.
    2. Break into smaller groups or pairs (or if too small, continue as a single group):
      • Each group uses the brainstormed ideas to draft an accessibility commitment statement.
    3. Each smaller group shares their statement with the larger group and receives feedback. Smaller groups redraft their statements based on the feedback.
    4. Post each redrafted statement and provide each person two dot stickers to place on the two statements that resonate the most with them.
    5. Using the two statements with the highest number of dot votes, write the final accessibility commitment statement.
    6. Add the commitment statement to slide 18 of the Departmental Meeting Template.

    Input

    • Business objectives
    • Risks related to accessibility
    • Target future accessibility maturity

    Output

    • IT accessibility commitment statement

    Materials

    • Whiteboard/flip charts
    • Dot stickers or other voting mechanism

    Participants

    • CIO
    • IT senior leaders
    • IT managers

    Phase 2

    Change Enablement for Accessibility.

    Phase 1

    Phase 2

    1.1 Determine accessibility requirements of IT

    1.2 Build IT accessibility plan

    2.1 Build awareness

    2.2 Support new behaviors

    2.3 Continuous reinforcement

    This phase will walk you through the following activities:

    • Clarifying key messages
    • IT department accessibility presentation
    • Establishing a frequency and timeframe for communications
    • Obtaining feedback
    • Sustainment plan

    This phase involves the following participants:

    • CIO
    • IT senior leaders
    • IT managers
    • Other key business stakeholders
    • Marketing and communications team

    Be experience driven

    Building awareness and focusing on experience helps move along the accessibility maturity framework. Shifting from mandate to movement.

    In this phase, start to move beyond compliance. Build the IT team's understanding of accessibility, disability inclusion, and their role.
    Communicate the following messages to your team:

    • The motivation behind the change.
    • The reasons for the change.
    • And encourage feedback.

    Info-Tech Accessibility Maturity Framework

    an image of the Info-Tech Accessibility Maturity Framework

    Info-Tech Insight

    Compliance is the minimum; the people and behavior changes are the harder part and have the largest impact on accessibility. Preparing for and building awareness of the reasons for accessibility make the necessary behavior changes easier. Communicate, communicate, and communicate some more.

    What is an organizational change?

    Before communicating, understand the degree of change.

    Incremental Change:

    • Changes made to improve current processes or systems (e.g. optimizing current technology).

    Transitional Change:

    • Changes that involve dismantling old systems and/or processes in favor of new ones (e.g. new product or services added).

    Transformational Change:

    • Significant change in organizational strategy or culture resulting in substantial shift in direction.

    Examples:

    • New or changed policy
    • Switching from on-premises to cloud-first infrastructure
    • Implementing ransomware risk controls
    • Implementing a Learning and Development Plan

    Examples:

    • Moving to an insourced or outsourced service desk
    • Developing a BI and analytics function
    • Integrating risk into organization risk
    • Developing a strategy (technology, architecture, security, data, service, infrastructure, application)

    Examples:

    • Organizational redesign
    • Acquisition or merger of another organization
    • Implementing a digital strategy
    • A new CEO or board taking over the organization's direction

    Consider the various impacts of the change

    Invest time at the start to develop a detailed understanding of the impact of the change. This will help to create a plan that will simplify the change and save time. Evaluate the impact from a people, process, and technology perspective.

    Leverage a design thinking principle: Empathize with the stakeholder – what will change?

    People

    Process Technology
    • Team structure
    • Reporting structure
    • Career paths
    • Job skills
    • Responsibilities
    • Company vision/mission
    • Number of FTE
    • Culture
    • Training required
    • Budget
    • Work location
    • Daily workflow
    • Working conditions
    • Work hours
    • Reward structure
    • Required number of completed tasks
    • Training required
    • Required tools
    • Required policies
    • Required systems
    • Training required

    Change depends on how well people understand it

    Help people internalize what they can do to make the organization more inclusive.

    Anticipate responses to change:

    1. Emotional reaction – different people require different styles of management to guide them through the change. Individual's may have different emotions at different times during the change process. The more easily you can identify persona characteristics, the better you can manage them.
    2. Level of impact – the higher level of change on an individual's day-to-day, the more difficult it will be to adjust to the change. The more impactful the change, the more time focused on people management.

    an image showing staff personas at different stages through the change process.

    Quickly assess the size of change by answering these questions:

    1. Will the change affect your staff's daily work?
    2. Is the change high urgency?
    3. Is there a change in reporting relationships?
    4. Is there a change in skills required for staff to be successful?
    5. Will the change modify entrenched cultural practices?
    6. Is there a change in the mission or vision of the role?

    If you answered "Yes" to two or more questions, the change is bigger than you think. Your staff will feel the impact.

    Ensure effective communication by focusing on four key elements

    1. Audience
    • Stakeholders (either groups or individuals) who will receive the communication.
  • Message
    • Information communicated to impacted stakeholders. Must be rooted in a purpose or intent.
  • Messenger
    • Person who delivers the communication to the audience. The communicator and owner are two different things.
  • Channel
    • Method or channel used to communicate to the audience.
  • Step 2.1

    Build awareness and define key messages for IT.

    This step involves the following participants:

    • IT leadership team
    • Marketing/communications (optional)

    Outcomes of this step

    • Key accessibility messages

    Determine the desired outcome of communicating within IT

    This phase is focused on communicating within IT. All communication has an overall goal. This outcome or purpose of communicating is often dependent on the type of influence the stakeholder wields within the organization as well as the type of impact the change will have on them. Consider each of the communication outcomes listed below.

    Communicating within IT

    • Obtain buy-in
    • Inform about the IT change
    • Create a training plan
    • Inform about department changes
    • Inform about organization changes
    • Inform about a crisis
    • Obtain adoption related to the change
    • Distribute key messages to change agents

    Departmental Meeting Template

    Departmental Meeting Template

    Accessibility Quick Cards

    Accessibility Quick Cards

    Establish and define key messages based on organizational objectives

    What are key messages?

    1. Key messages guide all internal communications to ensure they are consistent, unified, and straightforward.
    2. Distill key messages down from organizational objectives and use them to reinforce the organization's strategic direction. Key messages should inspire employees to act in a way that will help the organization reach its objectives.

    How to establish key messages

    Ground key messages in organizational strategy and culture. These should be the first places you look to determine the organization's key messages:

    • Refer to organizational strategy documents. What needs to be reinforced in internal communications to ensure the organization can achieve its strategy? This is a key message.
    • Look at the organization's values. How do values guide how work should be done? Do employees need to behave in a certain way or keep a certain value top of mind? This is a key message.

    The intent of key messages is to convey important information in a way that is relatable and memorable, to promote reinforcement, and ultimately, to drive action.

    Info-Tech Insight

    Empathizing with the audience is key to anticipating and addressing objections as well as identifying benefits. Customize messaging based on audience attributes such as work model (e.g. hybrid), anticipated objections, what's in it for me?, and specific expectations.

    2.1.1 Clarify the key messages

    30 minutes

    1. Brainstorm the key stakeholders and target audiences you will likely need to communicate with to sustain the accessibility initiative (depending on the size of your group, you might break into pairs or smaller groups and each work on one target audience).
    2. Based on the outcome expected from engaging the target audience in communications, define one to five key messages that should be expressed about accessibility.
    3. The key messages should highlight benefits anticipated, concerns anticipated, details about the change, plan of action, or next steps. The goal here is to ensure the target audience is included in the communication process.
    4. The key messages should be focused on how the target audience receives a consistent message, especially if different communication messengers are involved.
    5. Document the key messages on Tab 3 of the Communications Planner Tool.

    Download the Communications Planner Tool

    Input

    • The change
    • Target audience
    • Communication outcomes

    Output

    • Key messages to support a consistent approach

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • IT leadership team
    • Marketing/communications partner (optional)

    Step 2.2

    Support new behaviors.

    Activities

    2.2.1 Prepare for IT department meeting

    2.2.2 Practice delivery of your presentation

    2.2.3 Hold department meeting

    This step involves the following participants:

    • Entire IT department

    Outcomes of this step

    • IT departmental meeting slides
    • Accessibility quick cards
    • Task list of how each IT team will support the accessibility roadmap

    Key questions to answer with change communication

    To effectively communicate change, answer questions before they're asked, whenever possible. To do this, outline at each stage of the change process what's happening next for the audience, as well as answer other anticipated questions. Pair key questions with core messages.

    Examples of key questions by change stage include:

    The outline for each stage of the change process, showing what happens next.

    2.2.1 Prepare for the IT departmental meeting

    2 hours

    1. Download the IT Department Presentation Template and follow the instructions on each slide to update for your organization.
    2. Insert information on the current accessibility maturity level. If you haven't determined your current and future state maturity level, use the Info-Tech resource from The Accessibility Business Case for IT.
    3. Review the presentation with the information added.
    4. Consider what could be done to make the presentation better:
      1. Concise: Identify opportunities to remove unnecessary information.
      2. Clear: It uses only terms or language the target audience would understand.
      3. Relevant: It matters to the target audience and the problems they face.
      4. Consistent: The message could be repeated across audiences.
    5. Schedule a departmental meeting or add the presentation to an existing departmental meeting.

    Download the Departmental Presentation Template

    Input

    • Organizational accessibility risks
    • Accessibility maturity current state
    • Outputs from manager presentation
    • Key messages

    Output

    • Prepared presentation to introduce accessibility to the entire IT department

    Materials

    • Departmental Presentation Template

    Participants

    • CIO/ head of IT/ CAO/ initiative leader

    Hone presentation skills before meeting with key stakeholders

    Using voice and body

    Think about the message you are trying to convey and how your body can support that delivery. Hands, stance, frame – all have an impact on what might be conveyed.

    If you want your audience to lean in and be eager about your next point, consider using a pause or softer voice and volume.

    Be professional and confident

    State the main points of your presentation confidently. While this should be obvious, it is essential. Your audience should be able to clearly see that you believe the points you are stating.

    Present in a way that is genuine to you and your voice. Whether you have an energetic personality or calm and composed personality, the presentation should be authentic to you.

    Connect with your audience

    Look each member of the audience in the eye at least once during your presentation. Avoid looking at the ceiling, the back wall, or the floor. Your audience should feel engaged – this is essential to keeping their attention.

    Avoid reading from your slides. If there is text on a slide, paraphrase it while maintaining eye contact.

    Info-Tech Insight

    You are responsible for the response of your audience. If they aren't engaged, it is on you as the communicator.

    2.2.2 Practice delivery of your presentation and schedule department meeting

    45 minutes

    1. Take ten minutes to think about how to deliver your presentation. Where will you emphasize words, speak louder, softer, lean in, stand tall, make eye contact, etc.?
    2. Set a timer on your phone or watch. Record yourself if possible.
    3. Take a few seconds to center yourself and prepare to deliver your pitch.
    4. Practice delivery of your presentation out loud. Don't forget to use your body language and your voice to deliver.
    5. Listen to the recording. Are the ideas communicated correctly? Are you convinced?
    6. Review and repeat.

    Input

    • Presentation deck from activity 2.2.1
    • Best practices for delivering

    Output

    • An ability to deliver the presentation in a clear and concise manner that creates understanding

    Materials

    • Recorder
    • Timer

    Participants

    • CIO/ head of IT/ initiative leader

    2.2.3 Lead the IT department meeting

    1–2 hours

    1. Gather the IT department in a manner appropriate for your organization and facilitate the meeting prepared in activity 2.2.1.
    2. Within the meeting, capture all key action items and outcomes from the Quick Cards Development and Roadmap Planning.
    3. Following the meeting, review the quick cards that everyone built and share these with all IT participants.
    4. Update your sunrise diagram to include any initiatives that came up in the team meetings to support moving to experiential.

    Input

    • Presentation deck from activity 2.2.1

    Output

    • A shared understanding of accessibility at your organization and everyone's role
    • Area task list (including behavior change needs)
    • Accessibility quick cards

    Materials

    Participants

    • CIO/ head of IT/ initiative leader

    Download the Accessibility Quick Cards template

    Step 2.3

    Continuous reinforcement – keep the conversation going – sustain the change.

    Activities

    2.3.1 Establish a frequency and timeframe for communications

    2.3.2 Obtain feedback and improve

    2.3.3 Sustainment plan

    This step involves the following participants:

    • CIO/ head of IT/ initiative lead
    • IT leadership team

    Outcomes of this step

    • Assigned roles for ongoing program monitoring
    • Communication plan
    • Accessibility maturity monitoring plan
    • Program evaluation

    Communication is ongoing before, during, and after implementing a change initiative

    Just because you've rolled out the plan doesn't mean you can stop talking about it.

    An image of the five steps, with steps four and five highlighted in a green box. The five headings are: Identify and Prioritize; Prepare for initiative; Create a communication plan; Implement change; Sustain the desired outcome

    Don't forget: Cascade messages down through the organization to ensure those who need to deliver messages have time to internalize the change before communicating it to others. Include a mix of personal and organizational messages, but where possible, separate personal and organizational content into different communications.

    2.3.1 Establish a frequency and timeframe

    30 minutes

    1. For each row in Tab 3, determine how frequently that communication needs to take place and when that communication needs to be completed by.
      • Frequency: How often the communication will be delivered to the audience (e.g. one-time, monthly, as needed).
      • Timeframe: When the communication will be delivered to the audience (e.g. a planned period or a specific date).
    2. When selecting the timeframe, consider what dependencies need to take place prior to that communication. For example, IT employees should not be communicated with on anything that has not yet been approved by the CEO. Also consider when other communications might be taking place so that the message is not lost in the noise.
    3. For frequency, the only time that a communication needs to take place once is when presenting up to senior leaders of the organizations. And even then, it will sometimes require more than one conversation. Be mindful of this.

    Input

    • The change
    • Target audience
    • Communication outcome
    • Communication channel

    Output

    • Frequency and timeframe of the communication

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • Changes based on those who would be relevant to your initiative

    Download the Communications Planner Tool

    Ensure feedback mechanisms are in place

    Soliciting and acting on feedback involves employees in the decision-making process and demonstrates to them that their contributions matter.

    Make sure you have established feedback mechanisms to collect feedback on both the messages delivered and how they were delivered. Some ways to collect feedback include:

    • Evaluating intranet comments and interactions (e.g. likes, etc.) if this function is enabled.
    • Measuring comprehension and satisfaction through surveys and polls.
    • Looking for themes in the feedback and questions employees bring forward to managers during in-person briefings.

    Feedback Mechanisms:

    • CIO business vision survey
    • Engagement surveys
    • Focus groups
    • Suggestion boxes
    • Team meetings
    • Random sampling
    • Informal feedback
    • Direct feedback
    • Audience body language
    • Repeating the message back

    Gather feedback on plan and iterate

    Who

    The project team gathers feedback from:

    • As many members of impacted groups as possible, as it helps build broad buy-in for the plan.
    • All levels (e.g. frontline employees, managers, directors).

    What

    Gather feedback on:

    • How to implement tactics successfully.
    • The timing of implementation (helps inform the next slide).
    • The resources required (helps inform the next slide).
    • Potential unforeseen impacts, questions, and concerns.

    How

    • Use focus groups to gather feedback.
    • Adjust sustainment plan based on feedback.

    Use Info-Tech's Standard Focus Group Guide

    2.3.2 Obtain feedback and improve

    20 minutes

    1. Evenly distribute the number of rows in the communication plan to all those involved. Consider a metric that would help inform whether the communication outcome was achieved.
    2. For each row, identify a feedback mechanism (slide 75) that could be used to enable the collection and confirm a successful outcome.
    3. Come back as a group and validate the feedback mechanisms selected.
    4. The important aspect here is not just to measure if the desired outcome was achieved. If the desired outcome is not achieved, consider what you might do to change or enable better communication to that target audience.
    5. Every communication can be better. Feedback, whether it be tactical or strategic, will help inform methods to improve future communication activities.

    Input

    • Communication outcome
    • Target audience
    • Communication channel

    Output

    • A mechanism to measure communication feedback and adjust future communications when necessary

    Materials

    • Communications Planner Tool
    • Sticky notes
    • Whiteboard

    Participants

    • Changes based on those who would be relevant to your initiative

    Download the Communications Planner Tool

    Identify owners and assign other roles

    • Eventually there needs to be a hand off to leaders to sustain accessibility. Senior leaders continue to play the role of guide and facilitator, helping the team identify owners and transfer ownership.
    • Guide the team to work with owners to assign roles to other stakeholders. Spread responsibility across multiple people to avoid overload.

    R

    Responsible
    Carries out the work to implement the component (e.g. payroll manager).

    A

    Accountable
    Owner of the component and held accountable for its implementation (e.g. VP of finance).

    C

    Consulted
    Asked for feedback and input to modify sustainment tactics (e.g. sustainment planning team).

    I

    Informed
    Told about progress of implementation (senior leadership team, impacted staff).

    Identify required resources and secure budget

    Sustainment is critical to success of accessibility

    • This step (i.e. sustainment) often gets overlooked because leaders are focused on the implementation. It takes resources and budget to sustain a plan and change as well.
    • Resorting to the old way is more likely to occur when you don't plan to support sustainment with ongoing resources and budget that's required.

    Resources

    Identify resources required for sustainment components using metrics and input from implementation owners, subject matter experts, and frontline managers.

    For example:

    • Inventory
    • Collateral for communications
    • Technology
    • Physical space
    • People resources (FTE)

    Budget

    Estimate the budget required for resources based on past projects that used similar resources, and then estimate the time it will take until the change evolves into "business as usual" (e.g. 6 months, 12 months).

    Monitor accessibility maturity

    If you haven't already performed the Accessibility Maturity Assessment, complete it in the wake of the accessibility initiative to assess improvements and progress toward target future accessibility maturity.
    As your accessibility program starts to scale out over a range of projects, revisit the assessment on a quarterly or bi-annual basis to help focus your improvement efforts across the six accessibility categories.

    • Vendor relations
    • Products and services
    • Policy and process
    • Support and accommodation
    • Communication
    • People and culture

    Info-Tech Insight

    To drive continual improvement of your organizational accessibility and disability inclusion, continue to share progress, wins, challenges, feedback, and other accessibility related concerns with stakeholders. At the end of the day, IT's efforts to become a change leader and support organizational accessibility will come down to stakeholder perceptions based upon employee morale and benefits realized.

    Download the Accessibility Maturity Assessment

    An image of the maturity level bar graph.

    Evaluate and iterate the program on an ongoing basis

    1. Continually monitor the results of project metrics.
      • Track progress toward goals and metrics set at the beginning of the initiative to gauge the success of the program.
      • Analyze metrics at the work-unit level to highlight successes and challenges in accessibility and disability inclusion and the parameters around it for each impacted unit.
    2. Regularly gather feedback on program effectiveness using questions such as:
      • Has the desired culture been effectively communicated and leveraged, or has the culture changed?
      • Collect feedback through regular channels (e.g. manager check-ins) and set up a cadence to survey employees on the program (e.g. three months after rollout and then annually).
    3. Determine if changes to the program structure are needed.
      • Revisit the accessibility maturity framework and the compliance requirements of IT. Understand what is being experienced; it may be necessary to select a different target or adjust the parameters to mitigate the common challenges.
      • Evaluate the effectiveness of current internal processes to determine if the program would benefit from a dedicated resource.

    2.3.3 Sustain the change

    1. Identify who will own what pieces of the program going forward and assign roles to transition the initiative from implementation to the new normal.
    2. Continue to communicate with stakeholders about accessibility and disability inclusion initiatives, controls, and requirements.
    3. Identify required resources and secure any budget that will be needed to support the accessibility program. Think about employee training, consulting needs, assistive technology requirements, human resources (FTE), etc.
    4. Continue to monitor your accessibility maturity. Use the Accessibility Maturity Assessment tool to periodically evaluate progress on goals and targets. Also, use this tool to communicate progress with senior leaders and executives.
    5. Strive for continuous improvement by evaluating and iterating the program on an ongoing basis.

    Input

    • Activity outputs from this blueprint

    Output

    • Ongoing continuous improvement and progress related to accessibility
    • Demonstrable results

    Materials

    • n/a

    Participants

    • CIO/ head of IT/ initiative Lead
    • IT senior leaders
    • IT managers

    Related Info-Tech Research

    The Accessibility Business Case for IT

    • Take away the overwhelm that many feel when they hear "accessibility" and make the steps for your organization approachable.
    • Clearly communicate why accessibility is critical and how it supports the organization's key objectives and initiatives.
    • Understand your current state related to accessibility and identify areas for key initiatives to become part of the IT strategic roadmap.

    Lead Staff through Change

    • Anticipate and respond to staff questions about the change in order to keep messages consistent, organized, and clear.
    • Manage staff based on their specific concerns and change personas to get the best out of your team during the transition through change.
    • Maintain a feedback loop between staff, executives, and other departments in order to maintain the change momentum and reduce angst throughout the process.

    IT Diversity and Inclusion Tactics

    • Although inclusion is key to the success of a diversity and inclusion (D&I) strategy, the complexity of the concept makes it a daunting pursuit.
    • This is further complicated by the fact that creating inclusion is not a one-and-done exercise. Rather, it requires the ongoing commitment of employees and managers to reassess their own behaviors and to drive a cultural shift.

    Implement and Mature Your User Experience Design Practice

    • Create a practice that is focused on human outcomes; it starts and ends with the people you are designing for. This includes:
      • Establishing a practice with a common vision.
      • Enhancing the practice through four design factors.
      • Communicating a roadmap to improve your business through design.

    Works cited

    "2021 State of Digital Accessibility." Level Access, n.d. Accessed 10 Aug. 2022
    "Apple Canada Accessibility Policy & Plan." Apple Canada, 11 March 2019. .
    Casey, Caroline. "Do Your D&I Efforts Include People With Disabilities?" Harvard Business Review, 19 March 2020. Accessed 28 July 2022.
    Digitalisation World. "Organisations failing to meet digital accessibility standards." Angel Business Communications, 19 May 2022. Accessed Oct. 2022.
    "disability." Merriam-Webster.com Dictionary, Merriam-Webster, . Accessed 10 Aug. 2022.
    "Disability." World Health Organization, 2022. Accessed 10 Aug 2022.
    "Google Canada Corporation Accessibility Policy and Multi Year Plan." Google Canada, June 2020. .
    Hypercontext. "The State of High Performing Teams in Tech 2022." Hypercontext. 2022..
    Lay-Flurrie, Jenny. "Accessibility Evolution Model: Creating Clarity in your Accessibility Journey." Microsoft, 2023. <https://blogs.microsoft.com/accessibility/accessibility-evolution-model/>.
    Maguire, Jennifer. "Applause 2022 Global Accessibility Survey Reveals Organizations Prioritize Digital Accessibility but Fall Short of Conformance with WCAG 2.1 Standards." Business Wire, 19 May 2022. . Accessed 2 January 2023.
    "The Business Case for Digital Accessibility." W3C Web Accessibility Initiative (WAI), 9 Nov. 2018. Accessed 4 Aug. 2022.
    "THESCORE's Commitment to Accessibility." theScore, May 2021. .
    "The WebAIM Million." Web AIM, 31 March 2022. Accessed 28 Jul. 2022.
    Washington, Ella F. "The Five Stages of DEI Maturity." Harvard Business Review, November - December 2022. Accessed 7 Nov. 2022.
    Web AIM. "The WebAIM Million." Institute for Disability Research, Policy, and Practice, 31 March 2022. Accessed 28 Jul. 2022.

    Secure Operations in High-Risk Jurisdictions

    • Buy Link or Shortcode: {j2store}369|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    Business operations in high-risk areas of the world contend with complex threat environments and risk scenarios that often require a unique response. But traditional approaches to security strategy often miss these jurisdictional risks, leaving organizations vulnerable to threats that range from cybercrime and data breaches to fines and penalties.

    Security leaders need to identify high-risk jurisdictions, inventory critical assets, identify vulnerabilities, assess risks, and identify security controls necessary to mitigate those risks.

    Secure operations and protect critical assets in high-risk regions

    Across risks that include insider threats and commercial surveillance, the two greatest vulnerabilities that organizations face in high-risk parts of the world are travel and compliance. Organizations can make small adjustments to their security program to address these risks:

    1. Support high-risk travel: Put measures and guidelines in place to protect personnel, data, and devices before, during, and after employee travel.
    2. Mitigate compliance risk: Consider data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth.

    Using these two prevalent risk scenarios in high-risk jurisdictions as examples, this research walks you through the steps to analyze the threat landscape, assess security risks, and execute a response to mitigate them.

    Secure Operations in High-Risk Jurisdictions Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Secure Operations in High-Risk Jurisdictions – A step-by-step approach to mitigating jurisdictional security and privacy risks.

    Traditional approaches to security strategy often miss jurisdictional risks. Use this storyboard to make small adjustments to your security program to mitigate security risks in high-risk jurisdictions.

    • Secure Operations in High-Risk Jurisdictions – Phases 1-3

    2. Jurisdictional Risk Register and Heat Map Tool – A tool to inventory, assess, and treat jurisdictional risks.

    Use this tool to track jurisdictional risks, assess the exposure of critical assets, and identify mitigation controls. Use the geographic heatmap to communicate inherent jurisdictional risk with key stakeholders.

    • Jurisdictional Risk Register and Heat Map Tool

    3. Guidelines for Key Jurisdictional Risk Scenarios – Two structured templates to help you develop guidelines for two key jurisdictional risk scenarios: high-risk travel and compliance risk

    Use these two templates to develop help you develop your own guidelines for key jurisdictional risk scenarios. The guidelines address high-risk travel and compliance risk.

    • Digital Safety Guidelines for International Travel
    • Guidelines for Compliance With Local Security and Privacy Laws Template

    Infographic

    Workshop: Secure Operations in High-Risk Jurisdictions

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Context for Risk Assessment

    The Purpose

    Assess business requirements and evaluate security pressures to set the context for the security risk assessment.

    Key Benefits Achieved

    Understand the goals of the organization in high-risk jurisdictions.

    Assess the threats to critical assets in these jurisdictions and capture stakeholder expectations for information security.

    Activities

    1.1 Determine assessment scope.

    1.2 Determine business goals.

    1.3 Determine compliance obligations.

    1.4 Determine risk appetite.

    1.5 Conduct pressure analysis.

    Outputs

    Business requirements

    Security pressure analysis

    2 Analyze Key Risk Scenarios for High-Risk Jurisdictions

    The Purpose

    Build key risk scenarios for high-risk jurisdictions.

    Key Benefits Achieved

    Identify critical assets in high-risk jurisdictions, their vulnerabilities to relevant threats, and the adverse impact should malicious agents exploit them.

    Assess risk exposure of critical assets in high-risk jurisdictions.

    Activities

    2.1 Identify critical assets.

    2.2 Identify threats.

    2.3 Assess risk likelihood.

    2.4 Assess risk impact.

    Outputs

    Key risk scenarios

    Jurisdictional risk exposure

    Jurisdictional Risk Register and Heat Map

    3 Build Risk Treatment Roadmap

    The Purpose

    Prioritize and treat jurisdictional risks to critical assets.

    Key Benefits Achieved

    Build an initiative roadmap to reduce residual risks in high-risk jurisdictions.

    Activities

    3.1 Identify and assess risk response.

    3.2 Assess residual risks.

    3.3 Identify security controls.

    3.4 Build initiative roadmap.

    Outputs

    Action plan to mitigate key risk scenarios

    Further reading

    Secure Operations in High-Risk Jurisdictions

    Assessments often omit jurisdictional risks. Are your assets exposed?

    EXECUTIVE BRIEF

    Analyst Perspective

    Operations in high-risk jurisdictions face unique security scenarios.

    The image contains a picture of Michel Hebert.

    Michel Hébert

    Research Director

    Security and Privacy

    Info-Tech Research Group


    The image contains a picture of Alan Tang.

    Alan Tang

    Principal Research Director

    Security and Privacy

    Info-Tech Research Group


    Traditional approaches to security strategies may miss key risk scenarios that critical assets face in high-risk jurisdictions. These include high-risk travel, heightened insider threats, advanced persistent threats, and complex compliance environments. Most organizations have security strategies and risk management practices in place, but securing global operations requires its own effort. Assess the security risk that global operations pose to critical assets. Consider the unique assets, threats, and vulnerabilities that come with operations in high-risk jurisdictions. Focus on the business activities you support and integrate your insights with existing risk management practices to ensure the controls you propose get the visibility they need. Your goal is to build a plan that mitigates the unique security risks that global operations pose and secures critical assets in high-risk areas. Don’t leave security to chance.

    Executive Summary

    Your Challenge

    • Security leaders who support operations in many countries struggle to mitigate security risks to critical assets. Operations in high-risk jurisdictions contend with complex threat environments and security risk scenarios that often require a unique response.
    • Security leaders need to identify critical assets, assess vulnerabilities, catalog threats, and identify the security controls necessary to mitigate related operational risks.

    Common Obstacles

    • Securing operations in high-risk jurisdictions requires additional due diligence. Each jurisdiction involves a different risk context, which complicates efforts to identify, assess, and mitigate security risks to critical assets.
    • Security leaders need to engage the organization with the right questions and identify high-risk vulnerabilities and security risk scenarios to help stakeholders make an informed decision about how to assess and treat the security risks they face in high-risk jurisdictions.

    Info-Tech’s Approach

    Info-Tech has developed an effective approach to protecting critical assets in high-risk jurisdictions.

    This approach includes tools for:

    • Evaluating the security context of your organization’s high-risk jurisdictions.
    • Identifying security risk scenarios unique to high-risk jurisdictions and assessing the exposure of critical assets.
    • Planning and executing a response.

    Info-Tech Insight

    Organizations with global operations must contend with a more diverse set of assets, threats, and vulnerabilities when they operate in high-risk jurisdictions. Security leaders need to take additional steps to secure operations and protect critical assets.

    Business operations in high-risk jurisdictions face a more complex security landscape

    Information security risks to business operations vary widely by region.

    The 2022 Allianz Risk Barometer surveyed 2,650 business risk specialists in 89 countries to identify the most important risks to operations. The report identified cybercrime, IT failures, outages, data breaches, fines, and penalties as the most important global business risks in 2022, but their results varied widely by region. The standout finding of the 2022 Allianz Risk Barometer is the return of security risks as the most important threat to business operations. Security risks will continue to be acute beyond 2022, especially in Africa, the Middle East, Europe, and the Asia-Pacific region, where they will dwarf risks of supply chain interruptions, natural catastrophe, and climate change.

    Global operations in high-risk jurisdictions contend with more diverse threats. These security risk scenarios are not captured in traditional security strategies.

    The image contains a picture of the world map that has certain areas of the map highlighted in various shades of blue based on higher security-related business risks.

    Figures represent the number of cybersecurity risks business risk specialists selected as a percentage of all business risks (Allianz, 2022). Higher scores indicate jurisdictions with higher security-related business risks. Jurisdictions without data are in grey.

    Different jurisdictions’ commitment to cybersecurity also varies widely, which increases security risks further

    The Global Cybersecurity Index (GCI) provides insight into the commitment of different countries to cybersecurity.

    The index assesses a country’s legal framework to identify basic requirements that public and private stakeholders must uphold and the legal instruments prohibiting harmful actions.

    The 2020 GCI results show overall improvement and strengthening of the cybersecurity agenda globally, but significant regional gaps persist. Of the 194 countries surveyed:

    • 33% had no data protection legislation.
    • 47% had no breach notification measures in place.
    • 50% had no legislation on the theft of personal information.
    • 19% still had no legislation on illegal access.

    Not every jurisdiction has the same commitment to cybersecurity. Protecting critical assets in high-risk jurisdictions requires additional due diligence.

    The image contains a picture of the world map that has certain areas of the map highlighted in various shades of blue based on scores in relation to the Global Security Index.

    The diagram sets out the score and rank for each country that took part in the Global Cybersecurity Index (ITU, 2021)

    Higher scores show jurisdictions with a lower rank on the CGI, which implies greater risk. Jurisdictions without data are in grey.

    Securing critical assets in high-risk jurisdictions requires additional effort

    Traditional approaches to security strategy may miss these key risk scenarios.

    As a result, security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets.

    Guide stakeholders to make informed decisions about how to assess and treat the security risks and secure operations.

    • Engage the organization with the right questions.
    • Identify critical assets and assess vulnerabilities.
    • Catalogue threats and build risk scenarios.
    • Identify the security controls necessary to mitigate risks.

    Work with your organization to analyze the threat landscape, assess security risks unique to high-risk jurisdictions, and execute a response to mitigate them.

    This project blueprint works through this process using the two most prevalent risk scenarios in high-risk jurisdictions: high-risk travel and compliance risk.

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance
    The image contains a screenshot of an Info-Tech thought model regarding secure global operations in high-risk jurisdictions.

    Travel risk is the first scenario we use as an example throughout the blueprint

    • This project blueprint outlines a process to identify, assess, and mitigate key risk scenarios in high-risk jurisdictions. We use two common key risk scenarios as examples throughout the deck to illustrate how you create and assess your own scenarios.
    • Supporting high-risk travel is the first scenario we will study in-depth as an example. Business growth, service delivery, and mergers and acquisitions can lead end users to travel to high-risk jurisdictions where staff, devices, and data are at risk.
    • Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.

    The project blueprint includes template guidance in Phase 3 to help you build and deploy your own travel guidelines to protect critical assets and support end users before they leave, during their trip, and when they return.

    Before you leave

    • Identify high-risk countries.
    • Enable controls.
    • Limit what you pack.

    During your trip

    • Assume you are monitored.
    • Limit access to systems.
    • Prevent theft.

    When you return

    • Change your password.
    • Restore your devices.

    Compliance risk is the second scenario we use as an example

    • Mitigating compliance risk is the second scenario we will study as an example in this blueprint. The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
    • Later sections will show how to think through at least four compliance risks, including:
      • Cross-border data transfer
      • Third-party risk management
      • Data breach notification
      • Data residency

    The project blueprint includes template guidance in Phase 3 to help you deploy your own compliance governance controls as a risk mitigation measure.

    Secure Operations in High-Risk Jurisdictions: Info-Tech’s methodology

    1. Identify Context

    2. Assess Risks

    3. Execute Response

    Phase Steps

    1. Assess business requirements
    2. Evaluate security pressures
    1. Identify risks
    2. Assess risk exposure
    1. Treat security risks
    2. Build initiative roadmap

    Phase Outcomes

    • Internal security pressures that capture the governance, policies, practices, and risk tolerance of the organization
    • External security pressures that capture the expectations of customers, regulators, legislators, and business partners
    • A heatmap that captures not only the global exposure of your critical assets but also the business processes they support
    • A security risk register to allow for the easy transfer of critical assets’ global security risk data to your organization’s enterprise risk management practice
    • A roadmap of prioritized initiatives to apply relevant controls and secure global assets
    • A set of key risk indicators to monitor and report your progress

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Business Security Requirements

    Identify the context for the global security risk assessment, including risk appetite and risk tolerance.

    Jurisdictional Risk Register and Heatmap

    Identify critical global assets and the threats they face in high-risk jurisdictions and assess exposure.

    Mitigation Plan

    Roadmap of initiatives and security controls to mitigate global risks to critical assets. Tools and templates to address key security risk scenarios.

    Key deliverable:

    Jurisdictional Risk Register and Heatmap

    Use the Jurisdictional Risk Register and Heatmap Tool to capture information security risks to critical assets in high-risk jurisdictions. The tool generates a world chart that illustrates the risks global operations face to help you engage the business and execute a response.

    Blueprint benefits

    Protect critical assets in high-risk jurisdictions

    IT Benefits

    Assess and remediate information security risk to critical assets in high-risk jurisdictions.

    Easily integrate your risk assessment with enterprise risk assessments to improve communication with the business.

    Illustrate key information security risk scenarios to make the case for action in terms the business understands.

    Business Benefits

    Develop mitigation plans to protect staff, devices, and data in high-risk jurisdictions.

    Support business growth in high-risk jurisdictions without compromising critical assets.

    Mitigate compliance risk to protect your organization’s reputation, avoid fines, and ensure business continuity.

    Quantify the impact of securing global operations

    The tool included with this blueprint can help you measure the impact of implementing the research

    • Use the Jurisdictional Risk Register and Heatmap Tool to describe the key risk scenarios you face, assess their likelihood and impact, and estimate the cost of mitigating measures. Working through the project in this way will help you quantify the impact of securing global operations.
    The image contains a screenshot of Info-Tech's Jurisdictional Risk Register and Heatmap Tool. The image contains a screenshot of the High-Risk Travel Jurisdiction.

    Establish Baseline Metrics

    • Review existing information security and risk management metrics and the output of the tools included with the blueprint.
    • Identify metrics to measure the impact of your risk management efforts. Focus specifically on high-risk jurisdictions.
    • Compare your results with those in your overall security and risk management program.

    ID

    Metric

    Why is this metric valuable?

    How do I calculate it?

    1.

    Overall Exposure – High-Risk Jurisdictions

    Illustrates the overall exposure of critical assets in high-risk jurisdictions.

    Use the Jurisdictional Risk Register and Heatmap Tool. Calculate the impact times the probability rating for each risk. Take the average.

    2.

    # Risks Identified – High-Risk Jurisdictions

    Informs risk tolerance assessments.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    3.

    # Risks Treated – High-Risk Jurisdictions

    Informs residual risk assessments.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    4.

    Mitigation Cost – High-Risk Jurisdictions

    Informs cost-benefit analysis to determine program effectiveness.

    Use the Jurisdictional Risk Register and Heatmap Tool.

    5.

    # Security Incidents – High-Risk Jurisdictions

    Informs incident trend calculations to determine program effectiveness.

    Draw the information from your service desk or IT service management tool.

    6.

    Incident Remediation Cost – High-Risk Jurisdictions

    Informs cost-benefit analysis to determine program effectiveness.

    Estimate based on cost and effort, including direct and indirect cost such as business disruptions, administrative finds, reputational damage, etc.

    7.

    TRENDS: Program Effectiveness – High-Risk Jurisdictions

    # of security incidents over time. Remediation : Mitigation costs over time

    Calculate based on metrics 5 to 7.

    Info-Tech offers various levels of support to best suit your needs.

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1

    Call #1: Scope project requirements, determine assessment scope, and discuss challenges.

    Phase 2

    Call #2: Conduct initial risk assessment and determine risk tolerance.

    Call #3: Evaluate security pressures in high-risk jurisdictions.

    Call #4: Identify risks in high-risk jurisdictions.

    Call #5: Assess risk exposure.

    Phase 3

    Call #6: Treat security risks in high-risk jurisdictions.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization. A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    Workshop Overview

    Contact your account representative for more information. workshops@infotech.com 1-888-670-8889

    Days 1

    Days 2-3

    Day 4

    Day 5

    Identify Context

    Key Risk Scenarios

    Build Roadmap

    Next Steps and Wrap-Up (offsite)

    Activities

    1.1.1 Determine assessment scope.

    1.1.2 Determine business goals.

    1.1.3 Identify compliance obligations.

    1.2.1 Determine risk appetite.

    1.2.2 Conduct pressure analysis.

    2.1.1 Identify assets.

    2.1.2 Identify threats.

    2.2.1 Assess risk likelihood.

    2.2.2 Assess risk impact.

    3.1.1 Identify and assess risk response.

    3.1.2 Assess residual risks.

    3.2.1 Identify security controls.

    3.2.2 Build initiative roadmap.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. Business requirements for security risk assessment
    2. Identification of high-risk jurisdictions
    3. Security threat landscape for high-risk jurisdictions
    1. Inventory of relevant threats, critical assets, and their vulnerabilities
    2. Assessment of adverse effects should threat agents exploit vulnerabilities
    3. Risk register with key risk scenarios and heatmap of high-risk jurisdictions
    1. Action plan to mitigate key risk scenarios
    2. Investment and implementation roadmap
    1. Completed information security risk assessment for two key risk scenarios
    2. Risk mitigation roadmap

    No safe jurisdictions

    Stakeholders sometimes ask information security and privacy leaders to produce a list of safe jurisdictions from which to operate. We need to help them see that there are no safe jurisdictions, only relatively risky ones. As you build your security program, deepen the scope of your risk assessments to include risk scenarios critical assets face in different jurisdictions. These risks do not need to rule out operations, but they may require additional mitigation measures to keep staff, data, and devices safe and reduce potential reputational harms.

    Traditional approaches to security strategy often omit jurisdictional risks.

    Global operations must contend with a more complex security landscape. Secure critical assets in high-risk jurisdictions with a targeted risk assessment.

    The two greatest risks are high-risk travel and compliance risk.

    You can mitigate them with small adjustments to your security program.

    Support High-Risk Travel

    When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security. Put measures and guidelines in place to protect them before, during, and after travel.

    Mitigate Compliance Risk

    Think through data residency requirements, data breach notification, cross-border data transfer, and third-party risks to support business growth and mitigate compliance risks in high-risk jurisdictions to protect your organization’s reputation and avoid hefty fines or business disruptions.

    Phase 1

    Identify Context

    This phase will walk you through the following activities:

    • Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.
    • Evaluate jurisdictional security pressures to understand threats to critical assets and capture the expectations of external stakeholders, including customers, regulators, legislators, and business partners, and assess risk tolerance.

    This phase involves the following participants:

    • Business stakeholders
    • IT leadership
    • Security team
    • Risk and Compliance

    Step 1.1

    Assess Business Requirements

    Activities

    1.1.1 Determine assessment scope

    1.1.2 Identify enterprise goals in high-risk jurisdictions

    1.1.3 Identify compliance obligations

    This step involves the following participants:

    • Business stakeholders
    • IT leadership
    • Security team
    • Risk and Compliance

    Outcomes of this step

    • Assess business requirements to understand the goals of the organization’s global operations, as well as its risk governance, policies, and practices.

    Focus the risk assessment on high-risk jurisdictions

    Traditional approaches to information security strategy often miss threats to global operations

    • Successful security strategies are typically sensitive to risks to different IT systems and lines of business.
    • However, securing global operations requires additional focus on high-risk jurisdictions, considering what makes them unique.
    • This first phase of the project will help you evaluate the business context of operations in high-risk jurisdictions, including:
      • Enterprise and security goals.
      • Lines of business, physical locations, and IT systems that need additional oversight.
      • Unique compliance obligations.
      • Unique risks and security pressures.
      • Organizational risk tolerance in high-risk jurisdictions.

    Focus your risk assessment on the business activities security supports in high-risk jurisdictions and the unique threats they face to bridge gaps in your security strategy.

    Identify jurisdictions with higher inherent risks

    Your security strategy may not describe jurisdictional risk adequately.

    • Security strategies list lines of business, physical locations, and IT systems the organization needs to secure and those whose security will depend on a third-party. You can find additional guidance on fixing the scope and boundaries of a security strategy in Phase 1 of Build an Information Security Strategy.
    • However, security risks vary widely from one jurisdiction to another according to:
      • Active cyber threats.
      • Legal and regulatory frameworks.
      • Regional security and preparedness capabilities.
    • Your first task is to identify high-risk jurisdictions to target for additional oversight.

    Work closely with your enterprise risk management function.

    Enterprise risk management functions are often tasked with developing risk assessments from composite sources. Work closely with them to complete your own assessment.

    Countries at heightened risk of money laundering and terrorism financing are examples of high-risk jurisdictions. The Financial Action Task Force and the U.S. Treasury publish reports three times a year that identify Non-Cooperative Countries or Territories.

    Develop a robust jurisdictional assessment

    Design an intelligence collection strategy to inform your assessment

    Strategic Intelligence

    White papers, briefings, reports. Audience: C-Suite, board members

    Tactical Intelligence

    Internal reports, vendor reports. Audience: Security leaders

    Operational intelligence

    Indicators of compromise. Audience: IT Operations

    Operational intelligence focuses on machine-readable data used to block attacks, triage and validate alerts, and eliminate threats from the network. It becomes outdated in a matter of hours and is less useful for this exercise.

    Determine travel risks to bolster your assessments

    Not all locations and journeys will require the same security measures.

    • Travel risks vary significantly according to destination, the nature of the trip, and traveler profile.
    • Access to an up-to-date country risk rating system enables your organization and individual staff to quickly determine the overall level of risk in a specific country or location.
    • Based on this risk rating, you can specify what security measures are required prior to travel and what level of travel authorization is appropriate, in line with the organization's security policy or travel security procedures.
    • While some larger organizations can maintain their own country risk ratings, this requires significant capacity, particularly to obtain the necessary information to keep these regularly updated.
    • It may be more effective for your organization to make use of the travel risk ratings provided by an external security information provider, such as a company linked to your travel insurance or travel booking service, if available.
    • Alternatively, various open-source travel risk ratings are available via embassy travel sites or other website providers.

    Without a flexible system to account for the risk exposures of different jurisdictions, staff may perceive measures as a hindrance to operations.

    Develop a tiered risk rating

    The example below outlines potential risk indicators for high-risk travel.

    Rating

    Description

    Low

    Generally secure with adequate physical security. Low violent crime rates. Some civil unrest during significant events. Acts of terrorism rare. Risks associated with natural disasters limited and health threats mainly preventable.

    Moderate

    Periodic civil unrest. Antigovernment, insurgent, or extremist groups active with sporadic acts of terrorism. Staff at risk from common and violent crime. Transport and communications services are unreliable and safety records are poor. Jurisdiction prone to natural disasters or disease epidemics.

    High

    Regular periods of civil unrest, which may target foreigners. Antigovernment, insurgent, or extremist groups very active and threaten political or economic stability. Violent crime rates high, often targeting foreigners. Infrastructure and emergency services poor. May be regular disruption to transportation or communications services. Certain areas off-limits to foreigners. Jurisdictions experiencing natural disasters or epidemics are considered high risk.

    Extreme

    Undergoing active conflict or persistent civil unrest. Risk of being caught up in a violent incident or attack is very high. Authorities may have lost control of significant portions of the country. Lines between criminality and political and insurgent violence are blurred. Foreigners are likely to be denied access to parts of the country. Transportation and communication services are severely degraded or nonexistent. Violence presents a direct threat to staff security.

    Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

    1.1.1 Determine assessment scope

    1 – 2 hours

    1. As a group, brainstorm a list of high-risk jurisdictions to target for additional assessment. Write down as many items as possible to include in:
    • Lines of business
    • Physical locations
    • IT systems

    Pay close attention to elements of the assessment that are not in scope.

  • Discuss the response and the rationale for targeting each of them for additional risk assessments. Identify security-related concerns for different lines of business, locations, user groups, IT systems, and data.
  • Record your responses and your comments in the Information Security Requirements Gathering Tool.
  • Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Relevant threat intelligence
    • A list of high-risk jurisdictions to focus your risk assessment

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Position your efforts in a business context

    Securing critical assets in high-risk jurisdictions is a business imperative

    • Many companies relegate their information security strategies to their IT department. Aside from the strain the choice places on a department that already performs many different functions, it wrongly implies that mitigating information security risk is simply an IT problem.
    • Managing information security risks is a business problem. It requires that organizations identify their risk appetite, prioritize relevant threats, and define risk mitigation initiatives. Business leaders can only do these activities effectively in a context that recognizes the business and financial benefits of implementing protections.
    • This is notably true of businesses with operations in many different countries. Each jurisdiction has its own set of security risks the organization must account for, as well as unique local laws and regulations that affect business operations.
    • In high-risk jurisdictions, your efforts must consider the unique operational challenges your organization may not face in its home country. Your efforts to secure critical assets will be most successful if you describe key risk scenarios in terms of their impact on business goals.
    • You can find additional guidance on assessing the business context of a security strategy in Phase 1 of Build an Information Security Strategy.

    Do you understand the unique business context of operations in high-risk jurisdictions?

    1.1.2 Identify business goals

    Estimated Time: 1-2 hours

    1. As a group, brainstorm the primary and secondary business goals of the organization. Focus your assessment on operations in high-risk jurisdictions you identified in Exercise 1.1.1. Review:
    • Relevant corporate and IT strategies.
    • The business goal definitions and indicator metrics in tab 2, “Goals Definition,” of the Information Security Requirements Gathering Tool.
  • Limit business goals to no more than two primary goals and three secondary goals. This limitation will help you prioritize security initiatives at the end of the project.
  • For each business goal, identify up to two security alignment goals that will support business goals in high-risk jurisdictions.
  • Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Your goals for the security risk assessment for high-risk jurisdictions

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Record business goals

    Capture the results in the Information Security Requirements Gathering Tool

    1. Record the primary and secondary business goals you identified in tab 3, “Goals Cascade,” of the Information Security Requirements Gathering Tool.
    2. Next, record the two security alignment goals you selected for each business goal based on the tool’s recommendations.
    3. Finally, review the graphic diagram that illustrates your goals on tab 6, “Results,” of the Information Security Requirements Gathering Tool.
    4. Revisit this exercise whenever operations expands to a new jurisdiction to capture how they contribute to the organization’s mission and vision and how the security program can support them.
    The image contains a screenshot of Tab 3, Goals Cascade.

    Tab 3, Goals Cascade

    The image contains a screenshot of Tab 6, Results.

    Tab 6, Results

    Analyze business goals

    Assess how operating in multiple jurisdictions adds nuance to your business goals

    • Security leaders need to understand the direction of the business to propose relevant security initiatives that support business goals in high-risk jurisdictions.
    • Operating in different jurisdictions carries its own degree of risk. The organization is subject not only to the information security risks and legal frameworks of its country of origin but also to those associated with international jurisdictions.
    • You need to understand where your organization operates and how these different jurisdictions contribute to your business goals to support their performance and protect the firm’s reputation.
    • This exercise will make an explicit link between security and privacy concerns in high-risk jurisdictions, what the business cares about, and what security is trying to accomplish.

    If the organization is considering a merger and acquisition project that will expand operations in jurisdictions with different travel risk profiles, the security organization needs to revise the security strategy to ensure the organization can support high-risk travel and mitigate risks to critical assets.

    Identify compliance obligations

    Data compliance obligations loom large in high-risk jurisdictions

    The image contains four hexagons, each with their own words. SOX, PCI DSS, HIPAA, HITECH.

    Security leaders are familiar with most conventional regulatory obligations that govern financial, personal, and healthcare data in North America and Europe.

    The image contains four hexagons, each with their own words. Residency, Cross-Border Transfer, Breach Notification, Third-Party Risk Mgmt.

    Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency and data localization and to shut down the cross-border transfer of data.

    The next step requires you to consider the compliance obligations the organization needs to meet to support the business as it expands to other jurisdictions through natural growth, mergers, and acquisitions.

    1.1.3 Identify compliance obligations

    Estimated Time: 1-2 hours

    1. As a group, brainstorm compliance obligations in target jurisdictions. Focus your assessment on operations in high-risk jurisdictions.
    2. Include:

    • Laws
    • Governing regulations
    • Industry standards
    • Contractual agreements
  • Record your compliance obligations and comments on tab 4, “Compliance Obligations,” of the Information Security Requirements Gathering Tool.
  • If you need to take full stock of the laws and regulations in place in the jurisdictions where you operate that you are not familiar with, consider seeking local legal counsel to help you navigate this exercise.
  • Input

    Output

    • Legal and compliance frameworks in target jurisdictions
    • Mandatory and voluntary compliance obligations for target jurisdictions

    Materials

    Participants

    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Risk Management
    • Compliance
    • Legal

    Download the Information Security Requirements Gathering Tool

    Step 1.2

    Evaluate Security Pressures

    Activities

    1.2.1 Conduct initial risk assessment

    1.2.2 Conduct pressure analysis

    1.2.3 Determine risk tolerance

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    Identify threats to global assets and capture the security expectations of external stakeholders, including customers, regulators, legislators, and business partners, and determine risk tolerance.

    Evaluate security pressures to set the risk context

    Perform an initial assessment of high-risk jurisdictions to set the context.

    Assess:

    • The threat landscape.
    • The security pressures from key stakeholders.
    • The risk tolerance of your organization.

    You should be able to find the information in your existing security strategy. If you don’t have the information, work through the next three steps of the project blueprint.

    The image contains a diagram to demonstrate evaluating security pressures, as described in the text above.

    Some jurisdictions carry inherent risks

    • Jurisdictional risks stem from legal, regulatory, or political factors that exist in different countries or regions. They can also stem from unexpected legal changes in regions where critical assets have exposure. Understanding jurisdictional risks is critical because they can require additional security controls.
    • Jurisdictional risk tends to be higher in jurisdictions:
      • Where the organization:
        • Conducts high-value or high-volume financial transactions.
        • Supports and manages critical infrastructure.
        • Has high-cost data or data whose compromise could undermine competitive advantage.
        • Has a high percentage of part-time employees and contractors.
        • Experiences a high rate of employee turnover.
      • Where state actors:
        • Have a low commitment to cybersecurity, financial, and privacy legislation and regulation.
        • Support cybercrime organizations within their borders.

    Jurisdictional risk is often reduced to countries where money laundering and terrorist activities are high. In this blueprint, the term refers to the broader set of information security risks that arise when operating in a foreign country or jurisdiction.

    Five key risk scenarios are most prevalent

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance

    Security leaders who support operations in many countries need to take additional steps to mitigate security risks to critical assets. The goal of the next two exercises is to analyze the threat landscape and security pressures unique to high-risk jurisdictions, which will inform the construction of key scenarios in Phase 2. These five scenarios are most prevalent in high-risk jurisdictions. Keep them in mind as you go through the exercises in this section.

    1.2.1 Assess jurisdictional risk

    1-3 hours

    1. As a group, review the questions on tab 2, “Risk Assessment,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk elements with a focus on high-risk jurisdictions:
    3. Review each question in tab 2 of the Information Security Pressure Analysis Tool and select the most appropriate response.

    Input

    Output

    • Existing security strategy
    • List of organizational assets
    • Historical data on information security incidents
    • Completed risk assessment

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Risk Management

    For more information on how to complete the risk assessment questionnaire, see Step 1.2.1 of Build an Information Security Strategy.

    1.2.2 Conduct pressure analysis

    1-3 hours

    1. As a group, review the questions on tab 3, “Pressure Analysis,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following pressure elements with a focus on high-risk jurisdictions:
    • Compliance and oversight
    • Customer expectations
    • Business expectations
    • IT expectations
  • Review each question in the questionnaire and provide the most appropriate response using the drop-down list. It may be helpful to consult with the appropriate departments to obtain their perspectives.
  • For more information on how to complete the pressure analysis questionnaire, see Step 1.3 of Build an Information Security Strategy.

    Input

    Output

    • Information on various pressure elements within the organization
    • Existing security strategy
    • Completed pressure analysis

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Business leaders
    • Compliance

    A low security pressure means that your stakeholders do not assign high importance to information security. You may need to engage stakeholders with the right key risk scenarios to illustrate jurisdictional risk and generate support for new security controls.

    Download the Information Security Pressure Analysis Tool

    Assess risk tolerance

    • Risk tolerance expresses the types and amount of risk the organization is willing to accept in pursuit of its goals.
    • These expectations can help you identify, manage, and report on key risk scenarios in high-risk jurisdictions.
    • For instance, an organization with a low risk tolerance will require a stronger information security program to minimize operational security risks.
    • It’s up to business leaders to determine the risks they are willing to accept. They may need guidance to understand how system-level risks affect the organization’s ability to pursue its goals.

    A formalized risk tolerance statement can help:

    • Support risk-based security decisions that align with business goals.
    • Provide a meaningful rationale for security initiatives.
    • Improve the transparency of investments in the organization’s security program.
    • Provide guidance for monitoring inherent risk and residual risk exposure.

    The role of security professionals is to identify and analyze key risk scenarios that may prevent the organization from reaching its goals.

    1.2.3 Determine risk tolerance

    1-3 hours

    1. As a group, review the questions on tab 4, “Risk Tolerance,” of the Information Security Pressure Analysis Tool.
    2. Gather the required information from subject matter experts on the following risk tolerance elements:
    • Recent IT problems, especially downtime and data recovery issues
    • Historical security incidents
  • Review any relevant documentation, including:
    • Existing security strategy
    • Business impact assessments
    • Service-level agreements

    For more information on how to complete the risk tolerance questionnaire, see Step 1.4 of Build an Information Security Strategy.

    Input

    Output

    • Existing security strategy
    • Data on recent IT problems and incidents
    • Business impact assessments
    • Completed risk tolerance statement

    Materials

    Participants

    • Information Security Pressure Analysis Tool
    • Security team
    • IT leadership
    • Risk Management

    Download the Information Security Pressure Analysis Tool

    Review the output of the results tab

    • The organizational risk assessment provides a high-level assessment of inherent risks in high-risk jurisdictions. Use the results to build and assess key risk scenarios in Phase 2.
    • Use the security pressure analysis to inform stakeholder management efforts. A low security pressure indicates that stakeholders do not yet grasp the impact of information security on organizational goals. You may need to communicate its importance before you discuss additional security controls.
    • Jurisdictions in which organizations have a low risk tolerance will require stronger information security controls to minimize operational risks.
    The image contains a screenshot of the organizational risk assessment. The image contains a screenshot of the security pressure analysis. The image contains a screenshot of the risk tolerance curve.

    Phase 2

    Assess Security Risks to Critical Assets

    This phase will walk you through the following activities:

    • Identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.
    • Assess risk exposure of critical assets in high-risk jurisdictions for each risk scenario through an analysis of its likelihood and impact.

    This phase involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Step 2.1

    Identify Risks

    Activities

    2.1.1 Identify assets

    2.1.2 Identify threats

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Define risk scenarios that identify critical assets, their vulnerabilities to relevant threats, and the adverse impact a successful threat event would have on the organization.

    This blueprint focuses on mitigating jurisdictional risks

    The image contains a screenshot of the IT Risk Management Framework. The framework includes: Risk Identification, Risk Assessment, Risk Response, and Risk Governance.

    For a deeper dive into building a risk management program, see Info-Tech’s core project blueprints on risk management:

    Build an IT Risk Management Program

    Combine Security Risk Management Components Into One Program

    Draft key risk scenarios to illustrate adverse events

    Risk scenarios help decision-makers understand how adverse events affect business goals.

    • Risk-scenario building is the process of identifying the critical factors that contribute to an adverse event and crafting a narrative that describes the circumstances and consequences if it were to happen.
    • Risk scenarios set up the risk analysis stage of the risk assessment process. They are narratives that describe in detail:
      • The asset at risk.
      • The threat that can act against the asset.
      • Their intent or motivation.
      • The circumstances and threat actor model associated with the threat event.
      • The potential effect on the organization.
      • When or how often the event might occur.

    Risk scenarios are further distilled into a single sentence or risk statement that communicates the essential elements from the scenario.

    Well-crafted risk scenarios have four components

    The second phase of the project will help you craft meaningful risk scenarios

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    An actor capable of harming an asset

    Anything of value that can be affected and results in loss

    Technique an actor uses to affect an asset

    How loss materializes

    Examples: Malicious or untrained employees, cybercriminal groups, malicious state actors

    Examples: Systems, regulated data, intellectual property, people

    Examples: Credential compromise, privilege escalation, data exfiltration

    Examples: Loss of data confidentiality, integrity, or availability; impact on staff health & safety

    Risk scenarios are concise, four to six sentence narratives that describe the core elements of forecasted adverse events. Use them to engage stakeholders with the right questions and guide them to make informed decisions about how to address and treat security risks in high-risk jurisdictions.

    The next slides review five key risk scenarios prevalent in high-risk jurisdictions. Use them as examples to develop your own.

    Travel to high-risk jurisdictions requires special measures to protect staff, devices, and data

    Governmental, academic, and commercial advisors compile lists of jurisdictions that pose greater travel risks annually.

    For instance, in the US, these lists might include countries that are:

    • Subjects of travel warnings by the US Department of State.
    • Identified as high risk by other US government sources such as:
      • The Department of the Treasury Office of Foreign Assets Control (OFAC).
      • The Federal Bureau of Investigation (FBI).
      • The Office of the Director of National Intelligence (ODNI).
    • Compiled from academic and commercial sources, such as Control Risks.

    When securing travel to high-risk jurisdictions, you must consider personnel safety as well as data and device security.

    The image contains a diagram to present high-risk jurisdictions.

    The diagram presents high-risk jurisdictions based on US governmental sources (2021) listed on this slide.

    High-risk travel

    Likelihood: Medium

    Impact: Medium

    Key Risk Scenario #1

    Malicious state actors, cybercriminals, and competitors can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

    Threat Actor:

    • Malicious state actors
    • Cybercriminals
    • Competitors

    Assets:

    • Staff
    • IT systems
    • Sensitive data

    Effect:

    • Compromised staff health and safety
    • Loss of data
    • Lost of system integrity

    Methods:

    • Identify, steal, or target mobile devices.
    • Compromise network, wireless, or Bluetooth connections.
    • Leverage stolen devices as a means of infecting other networks.
    • Access devices to track user location.
    • Activate microphones on devices to collect information.
    • Intercept electronic communications users send from high-risk jurisdictions.

    The data compliance landscape is a jigsaw puzzle of data protection and data residency requirements

    Since the EU passed the GDPR in 2016, jurisdictions have turned to data regulations to protect citizen data

    Data privacy concerns, nationalism, and the economic value of data are all driving jurisdictions to adopt data residency, breach notification, and cross-border data transfer regulations. As 2021 wound down to a close, nearly all the world’s 30 largest economies had some form of data regulation in place. The regulatory landscape is shifting rapidly, which complicates operations as organizations grow into new markets or engage in merger and acquisition activities.

    Global operations require special attention to data-residency requirements, data breach notification requirements, and cross-border data transfer regulations to mitigate compliance risk.

    The image contains a diagram to demonstrate the data regulations placed in various places around the world.

    Compliance risk

    Likelihood: Medium

    Impact: High

    Key Risk Scenario #2

    Rapid changes in the privacy and security regulatory landscape threaten organizations’ ability to meet their compliance obligations from local legal and regulatory frameworks. Organizations risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

    Threat Actor:

    • Local, regional, and national state actors

    Asset:

    • Reputation, market share
    • License to operate

    Effect:

    • Administrative fines
    • Loss of reputation, brand trust, and consumer loyalty
    • Loss of market share
    • Suspension of business operations
    • Lawsuits due to collective actions and claims
    • Criminal charges

    Methods:

    • Shifts in the privacy and security regulatory landscape, including requirements for:
      • Data residency.
      • Cross-border data transfer.
      • Data breach notification.
      • Third-party security and privacy risk management.

    The incidence of insider threats varies widely by jurisdiction in unexpected ways

    On average, companies in North America, the Middle East, and Africa had the most insider incidents in 2021, while those in the Asia-Pacific region had the least.

    The Ponemon Institute set out to understand the financial consequences that result from insider threats and gain insight into how well organizations are mitigating these risks.

    In the context of this research, insider threat is defined as:

    • Employee or contractor negligence.
    • Criminal or malicious insider activities.
    • Credential theft (imposter risk).

    On average, the total cost to remediate insider threats in 2021 was US$15.4 million per incident.

    In all regions, employee or contractor negligence occurred most frequently. Organizations in North America and in the Middle East and Africa were most likely to experience insider threat incidents in 2021.

    the image contains a diagram of the world, with various places coloured in different shades of blue.

    The diagram represents the average number of insider incidents reported per organization in 2021. The results are analyzed in four regions (Ponemon Institute, 2022)

    Insider threat

    Likelihood: Low to Medium

    Impact: High

    Key Risk Scenario #3

    Malicious insiders, negligent employees, and credential thieves can exploit inside access to information systems to commit fraud, steal confidential or commercially valuable information, or sabotage computer systems. Insider threats are difficult to identify, especially when security is geared toward external threats. They are often familiar with the organization’s data and intellectual property as well as the methods in place to protect them. An insider may steal information for personal gain or install malicious software on information systems. They may also be legitimate users who make errors and disregard policies, which places the organization at risk.

    Threat Actor:

    • Malicious insiders
    • Negligent employees
    • Infiltrators

    Asset:

    • Sensitive data
    • Employee credentials
    • IT systems

    Effects:

    • Loss of system integrity
    • Loss of data confidentiality
    • Financial loss

    Methods:

    • Infiltrators may compromise credentials.
    • Malicious or negligent insiders may use corporate email to steal or share sensitive data, including:
      • Regulated data.
      • Intellectual property.
      • Critical business information.
    • Malicious agents may facilitate data exfiltration, as well as open-port and vulnerability scans.

    The risk of advanced persistent threats is more prevalent in Central and South America and the Asia-Pacific region

    Attacks from advanced persistent threat (APT) actors are more sophisticated than traditional ones.

    • More countries will use legal indictments as part of their cyber strategy. Exposing toolsets of APT groups carried out at the governmental level will drive more states to do the same.
    • Expect APTs to increasingly target network appliances like VPN gateways as organizations continue to sustain hybrid workforces.
    • The line between APTs and state-sanctioned ransomware groups is blurring. Expect cybercriminals to wield better tools, mount more targeted attacks, and use double-extortion tactics.
    • Expect more disruption and collateral damage from direct attacks on critical infrastructure.

    Top 10 Significant Threat Actors:

    • Lazarus
    • DeathStalker
    • CactusPete
    • IAmTheKing
    • TransparentTribe
    • StrongPity
    • Sofacy
    • CoughingDown
    • MuddyWater
    • SixLittleMonkeys

    Top 10 Targets:

    • Government
    • Banks
    • Financial Institutions
    • Diplomatic
    • Telecommunications
    • Educational
    • Defense
    • Energy
    • Military
    • IT Companies
    The image contains a world map coloured in various shades of blue.
    Top 12 countries targeted by APTs (Kaspersky, 2020)

    Track notable APTs to revise your list of high-risk jurisdictions and review the latest tactics and techniques

    Governmental advisors track notable APT actors that pose greater risks.

    The CISA Shields Up site, SANS Storm Center site, and MITRE ATT&CK group site provide helpful and timely information to understand APT risks in different jurisdictions.

    The following threat actors are currently associated with cyberattacks affiliated with the Russian government.

    Activity Group

    Risks

    APT28 (GRU)

    Known as Fancy Bear, this threat group has been tied to espionage since 2004. They compromised the Hillary Clinton campaign, amid other major events.

    APT29 (SVT)

    Tied to espionage since 2008. Reportedly compromised the Democratic National Committee in 2015. Cited in the 2021 SolarWinds compromise.

    Buhtrap/RTM Group

    Group focused on financial targets since 2014. Currently known to target Russian and Ukrainian banks.

    Gamaredon

    Operating in Crimea. Aligned with Russian interests. Has previously targeted Ukrainian government officials and organizations.

    DEV-0586

    Carried out wiper malware attacks on Ukrainian targets in January 2022.

    UNC1151

    Active since 2016. Linked to information operation campaigns and the distribution of anti-NATO material.

    Conti

    Most successful ransomware gang of 2021, with US$188M revenue. Supported Russian invasion of Ukraine, threatening attacks on allied critical infrastructure.

    Sources: MITRE ATT&CK; Security Boulevard, 2022; Reuters, 2022; The Verge, 2022

    Advanced persistent threat

    Likelihood: Low to Medium

    Impact: High

    Key Risk Scenario #4

    Advanced persistent threats are state actors or state-sponsored affiliates with the means to avoid detection by anti-malware software and intrusion detection systems. These highly-skilled and persistent malicious agents have significant resources with which to bypass traditional security controls, establish a foothold in the information technology infrastructure, and exfiltrate data undetected. APTs have the resources to adapt to a defender’s efforts to resist them over time. The loss of system integrity and data confidentiality over time can lead to financial losses, business continuity disruptions, and the destruction of critical infrastructure.

    Threat Actor:

    • State actors
    • State-sponsored affiliates

    Asset:

    • Sensitive data
    • IT systems
    • Critical infrastructure

    Effects:

    • Loss of system integrity
    • Loss of data confidentiality
    • Financial loss
    • Business continuity disruptions
    • Infrastructure destruction

    Methods:

    • Persistent, consistent attacks using the most advanced threats and tactics to bypass security defenses.
    • The goal of APTs is to maintain access to networks for prolonged periods without being detected.
    • The median dwell time differs widely between regions. FireEye reported the mean dwell time for 2018:
      • Americas: 71 days
      • Europe, Middle East, and Africa: 177 days
      • Asia-Pacific: 204 days
    Sources: Symantec, 2011; FireEye, 2019

    Threat agents have deployed invasive technology for commercial surveillance in at least 76 countries since 2015

    State actors and their affiliates purchased and used invasive spyware from companies in Europe, Israel, and the US.

    • “Customers are predominantly repressive regimes looking for new ways to control the flow of information and stifle dissent. Less than 10% of suspected customers are considered full democracies by the Economist Intelligence Unit.” (Top10VPN, 2021)
    • Companies based in economically developed and largely democratic states are profiting off the technology.
    • The findings demonstrate the need to consider geopolitical realities when assessing high-risk jurisdictions and to take meaningful action to increase layered defenses against invasive malware.
    • Spyware is having an increasingly well-known impact on civil society. For instance, since 2016, over 50,000 individual phone numbers have been identified as potential targets by NSO Group, the Israeli manufacturers of the notorious Pegasus Spyware. The target list contained the phone numbers of politicians, journalists, activists, doctors, and academics across the world.
    • The true number of those affected by spyware is almost impossible to determine given that many fall victim to the technology and do not notice.
    The image contains a map of the world with various countries highlighted in shades of blue.

    Countries where commercial surveillance tools have been deployed (“Global Spyware Market Index,” Top10VPN, 2021)

    The risks and effects of spyware vary greatly

    Spyware can steal mundane information, track a user’s every move, and everything in between.

    Adware

    Software applications that display advertisements while the program is running.

    Keyboard Loggers

    Applications that monitor and record keystrokes. Malicious agents use them to steal credentials and sensitive enterprise data.

    Trojans

    Applications that appear harmless but inflict damage or data loss to a system.

    Mobile Spyware

    Surveillance applications that infect mobile devices via SMS or MMS channels, though the most advanced can infect devices without user input.

    State actors and their affiliates use system monitors to track browsing habits, application usage, and keystrokes and capture information from devices’ GPS location data, microphone, and camera. The most advanced system monitor spyware, such as NSO Group’s Pegasus, can infect devices without user input and record conversations from end-to-end encrypted messaging systems.

    Commercial surveillance

    Likelihood: Low to Medium

    Impact: Medium

    Key Risk Scenario #5

    Malicious agents can deploy malware on end-user devices with commercial tools available off the shelf to secretly monitor the digital activity of users. Attacks exploit widespread vulnerabilities in telecommunications protocols. They occur through email and text phishing campaigns, malware embedded in untested applications, and sophisticated zero-click attacks that deliver payloads without requiring user interactions. Attacks target sensitive as well as mundane information. They can be used to track employee activities, investigate criminal activity, or steal credentials, credit card numbers, or other personally identifiable information.

    Threat Actor:

    • State actors
    • State-sponsored affiliates

    Asset:

    • Sensitive data
    • Staff health and safety
    • IT systems

    Effects:

    • Data breaches
    • Loss of data confidentiality
    • Increased risk to staff health and safety
    • Misuse of private data
    • Financial loss

    Methods:

    • Email and text phishing attacks that delivery malware payloads
    • Sideloading untested applications from a third-party source rather than an official retailer
    • Sophisticated zero-click attacks that deliver payloads without requiring user interaction

    Use the Jurisdictional Risk Register and Heatmap Tool

    The tool included with this blueprint can help you draft risk scenarios and risk statements in this section.

    The risk register will capture a list of critical assets and their vulnerabilities, the threats that endanger them, and the adverse effect your organization may face.

    The image includes two screenshots of the jurisdictional risk register and heatmap tool. The image contains a screenshot of the High-Risk Travel Jurisdiction.

    Download the Jurisdictional Risk Register and Heatmap Tool

    2.1.1 Identify assets

    1 – 2 hours

    1. As a group, consider critical or mission-essential functions in high-risk jurisdictions and the systems on which they depend. Brainstorm a list of the organization’s mission-supporting assets in high-risk jurisdictions. Consider:
    • Staff
    • Critical IT systems
    • Sensitive data
    • Critical operational processes
  • On a whiteboard, brainstorm the potential adverse effect of malicious agents in high-risk jurisdictions compromising critical assets. Consider the impact on:
    • Information systems.
    • Sensitive or regulated data.
    • Staff health and safety.
    • Critical operations and objectives.
    • Organizational finances.
    • Reputation and brand loyalty

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    Input

    Output

    • Corporate strategy
    • IT strategy
    • Security strategy
    • Business impact analyses
    • A list of the organization’s mission-supporting assets

    Materials

    Participants

    • Laptop
    • Projector
    • Whiteboard
    • Security team
    • IT leadership
    • System owner
    • Enterprise Risk Management

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    The image contains an example of the activity mentioned in the text above.

    Model threats to narrow the range of scenarios

    Motives and capabilities to perform attacks on critical assets vary across different threat actors.

    Category

    Actions

    Motivation

    Sophistication

    Nation-states

    Cyberespionage, cyberattacks

    Geopolitical

    High. Dedicated resources and personnel, extensive planning and coordination.

    Proxy organizations

    Espionage, destructive attacks

    Geopolitical, Ideological, Profit

    Moderate. Some planning and support functions and technical expertise.

    Cybercrime

    Theft, fraud, extortion

    Profit

    Moderate. Some planning and support functions and technical expertise.

    Hacktivists

    Disrupt operations, attack brands, release sensitive data

    Ideological

    Low. Rely on widely available tools that require little skill to deploy.

    Insiders

    Destruction or release of sensitive data, theft, exposure through negligence

    Incompetence, Discontent

    Internal access. Acting on their own or in concert with any of the above.

    • Criminals, hacktivists, and insiders vary in sophistication. Some criminal groups demonstrate a high degree of sophistication; however, a large cyber event that damages critical infrastructure does not align with their incentives to make money at minimal risk.
    • Proxy actors conduct offensive cyber operations on behalf of a beneficiary. They may be acting on behalf of a competitor, national government, or group of individuals.
    • Nation-states engage in long-term espionage and offensive cyber operations that support geopolitical and strategic policy objectives.

    2.1.2 Identify threats

    1 – 2 hours

    1. Review the outputs from activity 1.1.1 and activity 2.1.1.
    2. Identify threat agents that could undermine the security of critical assets in high-risk jurisdictions. Include internal and external actors.
    3. Assess their motives, means, and opportunities.
    • Which critical assets are most attractive? Why?
    • What paths and vulnerabilities can threat agents exploit to reach critical assets without going through a control?
    • How could they defeat existing controls? Draw on the MITRE framework to inform your analysis.
    • Once agents defeat a control, what further attack can they launch?

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    Inputs for risk scenario identification

    Input

    Output

    • Jurisdictional assessment from activity 1.1.1
    • Critical assets from activity 2.1.1
    • Potential vulnerabilities from:
      • Security control gap analysis
      • Security risk register
    • Threat intelligence
    • MITRE framework
    • A list of critical assets, threat agents, vulnerabilities, and potential attack vectors.

    Materials

    Participants

    • Laptop
    • Projector
    • Whiteboard
    • Security team
    • Infrastructure & Operations team
    • Enterprise Risk Management

    2.1.2 Identify threats (continued)

    1 – 2 hours

    1. On a whiteboard, brainstorm how threat agents will exploit vulnerabilities in critical assets to reach their goal. Redefine attack vectors to capture what could result from a successful initial attack.

    For example:

    • State actors and cybercriminals may steal or compromise end-user devices during travel to high-risk jurisdictions using malware they embed in airport charging stations, internet café networks, or hotel business centers.
    • Compromised devices may infect corporate networks and threaten sensitive data once they reconnect to them.

    Threat

    Exploits an

    Asset

    Using a

    Method

    Creating an

    Effect

    The image contains a screenshot of activity 2.1.2 as described in the text above.

    Bring together the critical risk elements into a single risk scenario

    Summarize the scenario further into a single risk statement

    Risk Scenario: High-Risk Travel

    State actors and cybercriminals can threaten staff, devices, and data during travel to high-risk jurisdictions. Device theft or compromise may occur while traveling through airports, accessing hotel computer and phone networks, or in internet cafés or other public areas. Threat actors can exploit data from compromised or stolen devices to undermine the organization’s strategic, economic, or competitive advantage. They can also infect compromised devices with malware that delivers malicious payloads once they reconnect with home networks.

    Risk Statement

    Cybercriminals compromise end-user devices during travel to high-risk jurisdictions, jeopardizing staff safety and leading to loss of sensitive data.

    Risk Scenario: Compliance Risk

    Rapid changes in the privacy and security regulatory landscape threaten an organization’s ability to meet its compliance obligations from local legal and regulatory frameworks. Organizations that fail to do so risk reputational damage, administrative fines, criminal charges, and loss of market share. In extreme cases, organizations may lose their license to operate in high-risk jurisdictions. Shifts in the regulatory landscape can involve additional requirements for data residency, cross-border data transfer, data breach notification, and third-party risk management.

    Risk Statement

    Rapid changes in the privacy and security regulations landscape threaten our ability to remain compliant, leading to reputational and financial loss.

    Fill out the Jurisdictional Risk Register and Heatmap Tool

    The tool is populated with data from two key risk scenarios: high-risk travel and compliance risk.

    The image includes two screenshots of the Jurisdictional Risk Register and Heatmap Tool.

    1. Label the risk in Tab 3, Column B.
    2. Record your risk scenario in Tab 3, Column C.
    3. Record your risk statement in Tab 3, Column D.
    4. Identify the applicable jurisdictions in Tab 3, Column E.
    5. You can further categorize the scenario as:
      • an enterprise risk (Column G).
      • an IT risk (Column H).

    Download the Jurisdictional Risk Register and Heatmap Tool

    Step 2.2

    Assess Risk Exposure

    Activities

    2.2.1 Identify existing controls

    2.2.2 Assess likelihood and impact

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Assess risk exposure for each risk scenario through an analysis of its likelihood and impact.

    Brush up on risk assessment essentials

    The next step will help you prioritize IT risks based on severity.

    Likelihood of Occurrence X Likelihood of Impact = Risk Severity

    Likelihood of occurrence: How likely the risk is to occur.

    Likelihood of impact: The likely impact of a risk event.

    Risk severity: The significance of the risk.

    Evaluate risk severity against the risk tolerance thresholds and the cost of risk response.

    Identify existing controls before you proceed

    Existing controls will reduce the inherent likelihood and impact of the risk scenario you face.

    Existing controls were put in place to avoid, mitigate, or transfer key risks your organization faced in the past. Without considering existing controls, you run the risk of overestimating the likelihood and impact of the risk scenarios your organization faces in high-risk jurisdictions.

    For instance, the ability to remote-wipe corporate-owned devices will reduce the potential impact of a device lost or compromised during travel to high-risk jurisdictions.

    As you complete the risk assessment for each scenario, document existing controls that reduce their inherent likelihood and impact.

    2.2.1 Document existing controls

    6-10 hours

    1. Document the Risk Category and Existing Controls in the Jurisdictional Risk Register and Heatmap Tool.
      • Tactical controls apply to individual risks only. For instance, the ability to remote-wipe devices mitigates the impact of a device lost in a high-risk jurisdiction.
      • Strategic controls apply to multiple risks. For instance, deploying MFA for critical applications mitigates the likelihood that malicious actors can compromise a lost device and impedes their access in devices they do compromise.

    Input

    Output

    • Risk scenarios
    • Existing controls for risk scenarios

    Materials

    Participants

    • Jurisdictional Risk Register and Heatmap Tool
    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management

    Download the Jurisdictional Risk Register and Heatmap Tool.

    Assess the risk scenarios you identified in Phase 1

    The risk register is the central repository for risks in high-risk jurisdictions.

    • Use the second tab of the Jurisdictional Risk Register and Heatmap Tool to create likelihood, impact, and risk tolerance assessment scales to evaluate every risk event effectively.
    • Severity-level assessment is a “first pass” of your risk scenarios that will reveal your organization’s most severe risks in high-risk jurisdictions.
    • You can incorporate expected cost calculations into your evaluation to assess scenarios in greater detail.
    • Expected cost represents how much you would expect to pay in an average year for each risk event. Expected cost calculations can help compare IT risks to non-IT risks that may not use the same scales and communicate system-level risk to the business in a language they will understand.

    Expected cost calculations may not be practical. Determining robust likelihood and impact values to produce cost estimates can be challenging and time consuming. Use severity-level assessments as a first pass to make the case for risk mitigation measures and take your lead from stakeholders.

    The image contains two screenshots of the Jurisdictional Risk Register and Heatmap Tool.

    Use the Jurisdictional Risk Register and Heatmap Tool to capture and analyze your data.

    2.2.2 Assess likelihood and impact

    6-10 hours

    1. Assign each risk scenario a likelihood of occurrence and a likely impact level that represents the impact of the scenario on the whole organization considering existing controls. Record your results in Tab 3, column R and S, respectively.
    2. You can further dissect likelihood and impact into component parameters but focus first on total likelihood and impact to keep the task manageable.
    3. As you input the first few likelihood and impact values, compare them to one another to ensure consistency and accuracy. For instance, is a device lost in a high-risk jurisdiction truly more impactful than a device compromised with commercial surveillance software?
    4. The tool will calculate the probability of risk exposure based on the likelihood and consequence associated with the scenario. The results are published in Tab 3, Column T.

    Input

    Output

    • Risk scenarios
    • Assessed the likelihood of occurrence and impact for all identified risk events

    Materials

    Participants

    • Jurisdictional Risk Register and Heatmap Tool
    • Laptop
    • Projector
    • Security team
    • IT leadership
    • Business stakeholders
    • Enterprise Risk Management

    Download the Jurisdictional Risk Register and Heatmap Tool.

    Refine your risk assessment to justify your estimates

    Document the rationale behind each value and the level of consensus in group discussions.

    Stakeholders will likely ask you to explain some of the numbers you assigned to likelihood and impact assessments. Pointing to an assessment methodology will give your estimates greater credibility.

    • Assign one individual to take notes during the assessment exercise.
    • Have them document the main rationale behind each value and the level of consensus.

    The goal is to develop robust intersubjective estimates of the likelihood and impact of a risk scenario.

    We assigned a 50% likelihood rating to a risk scenario. Were we correct?

    Assess the truth of the following statements to test likelihood assessments. In this case, do these two statements seem true?

    • The risk event will likely occur once in the next two years, all things being equal.
    • In two nearly identical organizations, one out of two will experience the risk event this year.
    The image includes a screenshot of the High-Risk Travel Jurisdictions.

    Phase 3

    Execute Response

    This phase will walk you through the following activities:

    • Prioritize and treat global risks to critical assets based on their value and exposure.
    • Build an initiative roadmap that identifies and applies relevant controls to protect critical assets. Identify key risk indicators to monitor progress.

    This phase involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Step 3.1

    Treat Security Risks

    Activities

    3.1.1 Identify and assess risk response

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Analyze and select risk responses

    The next step will help you treat the risk scenarios you built in Phase 2.

    Identify

    Identify risk responses.

    Predict

    Predict the effectiveness of the risk response, if implemented, by estimating the residual likelihood and impact of the risk.

    Calculate

    The tool will calculate the residual severity of the risk after applying the risk response.

    The first part of the phase outlines project activities. The second part elaborates on high-risk travel and compliance risk, the two key risk scenarios we are following throughout the project. Use the Jurisdictional Risk Register and Heatmap Tool to capture your work.

    Analyze likelihood and impact to identify response

    The image contains a diagram of he risk response analysis. Risk Transfer and Risk Avoidance has the most likelihood, and Risk Acceptance and Risk Mitigation have the most impact. Risk Avoidance has the most likelihood and most impact in regards to risk response.

    3.1.1 Identify and assess risk response

    Complete the following steps for each risk scenario.

    1. Identify a risk response action that will help reduce the likelihood of occurrence or the impact if the scenario were to occur. Indicate the type of risk response (avoidance, mitigation, transfer, acceptance, or no risk exists).
    2. Assign each risk response action a residual likelihood level and a residual impact level. This is the same step you performed in Activity 2.2.2, but you are now are estimating the likelihood and impact of the risk event after you implemented the risk response action successfully. The Jurisdictional Risk Register and Heatmap Tool will generate a residual risk severity level for each risk event.
    3. Identify the potential Risk Action Owner (Project Manager) if the response is selected and turned into an IT project, and document this in the Jurisdictional Risk Register and Heatmap Tool .
    4. For each risk event, document risk response actions, residual likelihood and impact levels, and residual risk severity level.

    Input

    Output

    • Risk scenarios from Phase 2
    • Risk scenario mitigation plan

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Download the Jurisdictional Risk Register and Heatmap Tool

    Step 3.2

    Mitigate Travel Risk

    Activities

    3.2.1 Develop a travel policy

    3.2.2 Develop travel procedures

    3.2.3 Design high-risk travel guidelines

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Identify controls to mitigate jurisdictional risk

    This section provides guidance on the most prevalent risk scenarios identified in Phase 2 and provides a more in-depth examination of the two most prevalent ones, high-risk travel and compliance risk. Determine the appropriate response to each risk scenario to keep global risks to critical assets aligned with the organization’s risk tolerance.

    Key Risk Scenarios

    • High-Risk Travel
    • Compliance Risk
    • Insider Threat
    • Advanced Persistent Threat
    • Commercial Surveillance

    Travel risk is a common concern in organizations with global operations

    • The security of staff, devices, and data is one of the biggest challenges facing organizations with a global footprint. Working and traveling in unpredictable environments will aways carry a degree of risk, but organizations can do much to develop a safer and more secure working environment.
    • Compromised or stolen devices can provide threat actors with access to data that could compromise the organization’s strategic, economic, or competitive advantage or expose the organization to regulatory risk.
    • For many organizations, security risk assessments, security plans, travel security procedures, security training, and incident reporting systems are a key part of their operating language.
    • The following section provides a simple structure to help organizations demystify travel in high-risk jurisdictions.

    The image contains a diagram to present high-risk jurisdictions.

    Before you leave

    • Identify high-risk countries.
    • Enable controls.
    • Limit what you pack.

    During your trip

    • Assume you are monitored.
    • Limit access to systems.
    • Prevent theft.

    When you return

    • Change your password.
    • Restore your devices.

    Case study

    Higher Education: Camosun College

    Interview: Evan Garland

    Frame additional security controls as a value-added service.

    Situation

    The director of the international department at Camosun College reached out to IT security for additional support. Department staff often traveled to hostile environments. They were concerned malicious agents would either steal end-user devices or compromise them and access sensitive data. The director asked IT security for options that would better protect traveling staff, their devices, and the information they contain.

    Challenges

    First, controls would need to admit both work and personal use of corporate devices. Staff relied exclusively on work devices for travel to mitigate the risk of personal device theft. Personal use of corporate devices during travel was common. Second, controls needed to strike the right balance between friction and effortless access. Traveling staff had only intermittent access to IT support. Restrictive controls could prevent them from accessing their devices and data altogether.

    Solution

    IT consulted staff to discuss light-touch solutions that would secure devices without introducing too much complexity or compromising functionality. They then planned security controls that involved user interaction and others that did not and identified training requirements.

    Results

    Controls with user interaction

    Controls without user interaction

    • Multifactor authentication for college systems and collaboration platforms
    • Password manager for both work and personal use for staff for stronger passwords and practices
    • Security awareness training to help traveling staff identify potential threats while traveling through airports or accessing public Wi-Fi.
    • Drive encryption and always-on VPN to protect data at rest and in transit
    • Increased setting for phishing and spam filtering for traveling staff email
    • Enhanced anti-malware/endpoint detection and response (EDR) solution for traveling laptops

    Build a program to mitigate travel risks

    There is no one-size-fits-all solution.

    The most effective solution will take advantage of existing risk management policies, processes, and procedures at your organization.

    • Develop a framework. Outline the organization’s approach to high-risk travel, including the policies, procedures, and mechanisms put in place to ensure safe travel to high-risk jurisdictions.
    • Draft a policy. Outline the organization’s risk attitude and key security principles and define roles and responsibilities. Include security responsibilities and obligations in job descriptions of staff members and senior managers.
    • Provide flexible options. Inherent travel risk will vary from one jurisdiction to another. You will likely not find an approach that works for every case. Establish locally relevant measures and plans in different security contexts and risk environments.
    • Look for quick wins. Identify measures or requirements that you can establish quickly but that can have a positive effect on the security of staff, data, and devices.
    • Monitor and review. Undertake periodic reviews of the organization’s security approach and management framework, as well as their implementation, to ensure the framework remains effective.

    3.2.1 Develop a travel policy

    1. Work with your business leaders to build a travel policy for high-risk jurisdictions. The policy should be a short and accessible document structured around four key sections:
      • A statement on the importance of staff security and safety, the scope of the policy, and who it applies to (staff, consultants, contractors, volunteers, visitors, accompanying dependants, etc.).
      • A principles section explaining the organization’s security culture, risk attitude, and the key principles that shape the organization’s approach to staff security and safety.
      • A responsibilities section setting out the organization’s security risk management structure and the roles and actions allocated to specific positions.
      • A minimal security requirements section establishing the specific security requirements that must be in place in all locations and specific locations.
    2. Common security principles include:
    • Shared responsibility – Managing risks to staff is a shared organizational responsibility.
    • Acknowledgment of risk – Managing security will not remove all risks. Staff need to appreciate, as part of their informed consent, that they are still exposed to risk.
    • Primacy of life – Staff safety is of the highest importance. Staff should never place themselves at excessive risk to meet program objectives or protect property.
    • Proportionate risk – Risks must be assessed to ensure they are proportionate to the benefits organizational activities provide and the ability to manage those risks.
    • Right to withdraw – Staff have the right to withdraw from or refuse to take up work in a particular area due to security concerns.
    • No right to remain – The organization has the right to suspend activities that it considers too dangerous.
  • Cross-reference the organization’s other governing policies that outline requirements related to security risk management, such as the health and safety policy, access control policy, and acceptable use of security assets.
  • Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • Data inventory and data flows
    • Travel policy for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Develop security plans for high-risk travel

    Security plans advise staff on how to manage the risk identified in assessments.

    Security plans are key country documents that outline the security measures and procedures in place and the responsibilities and resources required to implement them. Security plans should be established in high-risk jurisdictions where your organization has a regular, significant presence. Security plans must remain relevant and accessible documents that address the specific risks that exist in that location, and, if appropriate, are specific about where the measures apply and who they apply to. Plans should be updated regularly, especially following significant incidents or changes in the operating environment or activities.

    Key Components

    Critical information – One-page summary of pertinent information for easy access and quick reference (e.g. curfew times, no-go areas, important contacts).

    Overview – Purpose and scope of the document, responsibilities for security plan, organization’s risk attitude, date of completion and review date, and a summary of the security strategy and policy.

    Current Context – Summary of current operating context and overall security situation; main risks to staff, assets, and operations; and existing threats and risk rating.

    Procedures – Simple security procedures that staff should adhere to in order to prevent incidents and how to respond should problems arise. Standard operating procedures (SOPs) should address key risks identified in the assessment.

    Security levels – The organization's security levels/phases, with situational indicators that reflect increasing risks to staff in that context and location and specific actions/measures required in response to increasing insecurity.

    Incident reporting – The procedures and responsibilities for reporting security-related incidents; for example, the type of incidents to be reported, the reporting structure, and the format for incident reporting.

    Determine travel risk

    Tailor your risk response to the security risk assessment you conducted in earlier stages of this project.

    Ratings are formulated by assessing several types of risk, including conflict, political/civil unrest, terrorism, crime, and health and infrastructure risks.

    Rating

    Description (Examples)

    Recommended Action

    Low

    Generally secure with adequate physical security. Low violent crime rates. Some civil unrest during significant events. Acts of terrorism rare. Risks associated with natural disasters limited and health threats mainly preventable.

    Basic personal security, travel, and health precautions required.

    Moderate

    Periodic civil unrest. Antigovernment, insurgent, or extremist groups active with sporadic acts of terrorism. Staff at risk from common and violent crime. Transport and communications services are unreliable and safety records are poor. Jurisdiction prone to natural disasters or disease epidemics.

    Increased vigilance and routine security procedures required.

    High

    Regular periods of civil unrest, which may target foreigners. Antigovernment, insurgent, or extremist groups very active and threaten political or economic stability. Violent crime rates high and targeting of foreigners is common. Infrastructure and emergency services poor. May be regular disruption to transportation or communications services. Certain areas off-limits to foreigners. Jurisdictions experiencing a natural disaster or a disease epidemic are considered high risk.

    High level of vigilance and effective, context-specific security precautions required.

    Extreme

    Undergoing active conflict or persistent civil unrest. Risk of being caught up in a violent incident or attack is very high. Civil authorities may have lost control of significant portions of the country. Lines between criminality and political and insurgent violence are blurred. Foreigners are likely to be denied access to significant parts of the country. Transportation and communication services are severely degraded or non-existent. Violence presents a direct threat to staff security.

    Stringent security precautions essential and may not be sufficient to prevent serious incidents.

    Program activities may be suspended and staff withdrawn at very short notice.

    3.2.2 Develop travel procedures

    1. Work with your business leaders to build travel procedures for high-risk jurisdictions. The procedures should be tailored to the risk assessment and address the risk scenarios identified in Phase 2.
    2. Use the categories outlined in the next two slides to structure the procedure. Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip.
    3. Consider the implementation of special measures to limit the impact of a potential security event, including:
      • Information end-user device loaner programs.
      • Temporary travel service email accounts.
    4. Specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.
    5. Discuss the rationale for each procedure. Ensure the components align with the policy statements outlined in the high-risk travel policy developed in the previous step.

    Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • High-risk travel policy
    • Travel procedures for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Draft procedures to mitigate travel risks

    Address all types of travel, detail security measures, and outline what the organization expects of travelers before, during, and after their trip

    Introduction

    Clarifies who the procedures apply to. Highlights any differences in travel security requirements or support provided to staff, consultants, partners, and official visitors.

    Travel risk ratings

    Explains the travel or country risk rating system, how staff access the information, the different categories and indicators, and their implications.

    Roles and responsibilities

    Clarifies the responsibilities of travelers, their line managers or contact points, and senior management regarding travel security and how this changes for destinations with higher risk ratings.

    Travel authorization

    Stipulates who in the organization authorizes travel, the various compliance measures required, and how this changes for destinations with higher risk ratings.

    Travel risk assessment

    Explains when travel risk assessments are required, the template that should be used, and who approves the completed assessments.

    Travel security procedures should specify what happens when staff add personal travel to their work trip to cover issues such as insurance, check-in, actual travel times, etc.

    Pre-travel briefings

    Outlines the information that must be provided to travelers prior to departure, the type of briefing required and who provides it, and how these requirements change as risk ratings increase.

    Security training

    Explain security training required prior to travel. This may vary depending on the country’s risk rating. Includes information on training waiver system, including justifications and authorization.

    Traveler profile forms

    Travelers should complete a profile form, which includes personal details, emergency contacts, medical details, social media footprint, and proof-of-life questions (in contexts where there are abduction risks).

    Check-in protocol

    Specifies who travelers must maintain contact with while traveling and how often, as well as the escalation process in case of loss of contact. The frequency of check-ins should reflect the increase in the risk rating for the destination.

    Emergency procedures

    Outlines the organization's emergency procedures for security and medical emergencies.

    3.2.3 Design high-risk travel guidelines

    • Supplement the high-risk travel policies and procedures with guidelines to help international travelers stay safe.
    • The document is intended for an end-user audience and should reflect your organization’s policies and procedures for the use of information and information systems during international travel.
    • Use the Digital Safety Guidelines for International Travel template in concert with this blueprint to provide guidance on what end users can do to stay safe before they leave, during their trip, and when they return.
    • Consider integrating the guidelines into specialized security awareness training sessions that target end users who travel to high-risk jurisdictions.
    • The guidelines should supplement and align with existing technical controls.

    Input

    Output

    • List of high-risk jurisdictions
    • Risk scenarios from Phase 2
    • High-risk travel policy
    • High-risk travel procedure
    • Travel guidelines for high-risk jurisdictions

    Materials

    Participants

    • Whiteboard/flip charts
    • Jurisdictional Risk Register and Heatmap Tool
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Digital Safety Guidelines for International Travel template

    Step 3.3

    Mitigate Compliance Risk

    Activities

    3.3.1 Identify data localization obligations

    3.3.2 Integrate obligations into IT system design

    3.3.3 Document data processing activities

    3.3.4 Choose the right mechanism

    3.3.5 Implement the appropriate controls

    3.3.6 Identify data breach notification obligations

    3.3.7 Integrate data breach notification into incident response

    3.3.8 Identify vendor security and data protection requirements

    3.3.9 Build due diligence questionnaire

    3.3.10 Build appropriate data processing agreement

    This step involves the following participants:

    • Security team
    • Risk and Compliance
    • IT leadership (optional)

    Outcomes of this step

    • Prioritize and treat global risks to critical assets based on their value and exposure.

    Compliance risk is a prevalent risk in organizations with a global footprint

    • The legal and regulatory landscape is evolving rapidly to keep step with the pace of technological change. Security and privacy leaders are expected to mitigate the risk of noncompliance as the organization expands to new jurisdictions.
    • Organizations with a global footprint must stay abreast of local regulations and provide risk management guidance to business leaders to support global operations.
    • This sections describes four compliance risks in this context:
      • Cross-border data transfer
      • Third-party risk management
      • Data breach notification
      • Data residency

    Compliance with local obligations

    Likelihood: Medium to High

    Impact: High

    Data Residency

    Gap Controls

    • Identify and document the data localization obligations for the jurisdictions that the organization is operating in.
    • Design and implement IT systems that satisfy the data localization requirements.
    • Comply with data localization obligations within each jurisdiction.

    Heatmap of Global Data Residency Regulations

    The image contains a screenshot of a picture of a world map with various shades of blue to demonstrate the heatmap of global data residency regulations.
    Source: InCountry, 2021

    Examples of Data Residency Requirements

    Country

    Data Type

    Local Storage Requirements

    Australia

    Personal data – heath record

    My Health Records Act 2012

    China

    Personal information — critical information infrastructure operators

    Cybersecurity law

    Government cloud data

    Opinions of the Office of the Central Leading Group for Cyberspace Affairs on Strengthening Cybersecurity Administration of Cloud Computing Services for Communist Party and Government Agencies

    India

    Government email data

    The Public Records Act of 1993

    Indonesia

    Data held by electronic system operator for the public service

    Regulation 82 concerning “Electronic System and Transaction Operation”

    Germany

    Government cloud service data

    Criteria for the procurement and use of cloud services by the federal German administration

    Russia

    Personal data

    The amendments of Data Protection Act No. 152 FZ

    Vietnam

    Data held by internet service providers

    The Decree on Management, Provision, and Use of Internet Services and Information Content Online (Decree 72)

    US

    Government cloud service data

    Defense Federal Acquisition Regulation Supplement: Network Penetration Reporting and Contracting for Cloud Services (DFARS Case 2013-D018)

    3.3.1 Identify data localization obligations

    1-2 hours

    1. Work with your business leaders to identify and document the jurisdictions where your organization is operating in or providing services and products to consumers within.
    2. Work with your legal team to identify and document all relevant data localization obligations for the data your organization generates, collects, and processes in order to operate your business.
    3. Record your data localization obligations in the table below.

    Jurisdiction

    Relevant Regulations

    Local Storage Requirements

    Date Type

    Input

    Output

    • List of jurisdictions your organization is operating in
    • Relevant security and data protection regulations
    • Data inventory and data flows
    • Completed list of data localization obligations

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.2 Integrate obligations into your IT system design

    1-2 hours

    1. Work with your IT department to design the IT architecture and systems to satisfy the data localization requirements.
    2. The table below provides a checklist for integrating privacy considerations into your IT systems.

    Item

    Consideration

    Answer

    Supporting Document

    1

    Have you identified business services that process data that will be subject to localization requirements?

    2

    Have you identified IT systems associated with the business services mentioned above?

    3

    Have you established a data inventory (i.e. data types, business purposes) for the IT systems mentioned above?

    4

    Have you established a data flow diagram for the data identified above?

    5

    Have you identified the types of data that should be stored locally?

    6

    Have you confirmed whether a copy of the data locally stored will satisfy the obligations?

    7

    Have you confirmed whether an IT redesign is needed or whether modifications (e.g. adding a server) to the IT systems would satisfy the obligations?

    8

    Have you confirmed whether access from another jurisdiction is allowed?

    9

    Have you identified how long the data should be stored?

    Input

    Output

    • Data localization obligations
    • Business services that process data that will be subject to localization requirements
    • IT systems associated with business services
    • Data inventory and data flows
    • Completed checklist of localization obligations for IT system design

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: Medium to High

    Impact: High

    Cross-Border Transfer

    Gap Controls

    • Know where you transfer your data.
    • Identify jurisdictions that your organization is operating in and that impose different requirements for the cross-border transfer of personal data.
    • Adopt and implement a proper cross-border data transfer mechanism in accordance with applicable privacy laws and regulations.
    • Re-evaluate at appropriate intervals.

    Which cross-border transfer mechanism should I choose?

    Transfer Mechanism

    Advantages

    Disadvantages

    Standard Contractual Clauses (SCC)

    • Easy to implement
    • No DPA (data processing agreement) approval
    • Not suitable for complex data transfers
    • Do not meet business agility
    • Needs legal solution

    Binding Corporate Rules (BCRs)

    • Meets business agility needs
    • Raises trust in the organization
    • Doubles as solution for art. 24/25 of the GDPR
    • Sets high compliance maturity level
    • Takes time to draft/implement
    • Requires DPA approval (scrutiny)
    • Requires culture of compliance
    • Approved by one "lead" authority and two other "co-lead“ authorities
    • Takes usually between six and nine months for the approval process only

    Code of Conduct

    • Raises trust in the sector
    • Self-regulation instead of law
    • No code of conduct approved yet
    • Takes time to draft/implement
    • Requires DPA approval and culture of compliance
    • Needs of organization may not be met

    Certification

    • Raises trust in the organization
    • No certification schemes available yet
    • Risk of compliance at minimum necessary
    • Requires audits

    Consent

    • Legal certainty
    • Transparent
    • Administrative burden
    • Some data subjects are incapable of consenting all or nothing

    3.3.3 Document data processing activities

    1-2 hours

    1. Identify and document the following information:
      • Name of business process
      • Purposes of processing
      • Lawful basis
      • Categories of data subjects and personal data
      • Data subject categories
      • Which system the data resides in
      • Recipient categories
      • Third country/international organization
      • Documents for appropriate safeguards for international transfer (adequacy, SCCs, BCRs, etc.)
      • Description of mitigating measures

    Input

    Output

    • Name of business process
    • Categories of personal data
    • Which system the data resides
    • Third country/international organization
    • Documents for appropriate safeguards for international transfer
    • Completed list of data processing activities

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.4 Choose the right mechanism

    1-2 hours

    1. Identify jurisdictions that your organization is operating in and that impose different requirements for the cross-border transfer of personal data. For example, the EU’s GDPR and China’s Personal Information Protection Law require proper cross-border transfer mechanisms before the data transfers. Your organization should decide which cross-border transfer mechanism is the best fit for your cross-border data transfer scenarios.
    2. Use the following table to identify and document the pros and cons of each data transfer mechanism and the final decision.

    Data Transfer Mechanism

    Pros

    Cons

    Final Decision

    SCC

    BCR

    Code of Conduct

    Certification

    Consent

    Input

    Output

    • List of relevant data transfer mechanisms
    • Assessment of the pros and cons of each mechanism
    • Final decision regarding which data transfer mechanism is the best fit for your organization

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Privacy team
    • Security team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.5 Implement the appropriate controls

    1-3 hours

    • One of the most common mechanisms is standard contractual clauses (SCCs).
    • Use Info-Tech’s Standard Contractual Clauses Template to facilitate your cross-border transfer activities.
    • Identify and check whether the following core components are covered in your SCC and record the results in the table below.
    # Core Components Status Note
    1 Purpose and scope
    2 Effect and invariability of the Clauses
    3 Description of the transfer(s)
    4 Data protection safeguards
    5 Purpose limitation
    6 Transparency
    7 Accuracy and data minimization
    8 Duration of processing and erasure or return of data
    9 Storage limitation
    10 Security of processing
    11 Sensitive data
    12 Onward transfers
    13 Processing under the authority of the data importer
    14 Documentation and compliance
    15 Use of subprocessors
    16 Data subject rights
    17 Redress
    18 Liability
    19 Local laws and practices affecting compliance with the Clauses
    20 Noncompliance with the Clauses and termination
    21 Description of data processing activities, such as list of parties, description of transfer, etc.
    22 Technical and organizational measures
    InputOutput
    • Description of the transfer(s)
    • Duration of processing and erasure or return of data
    • Onward transfers
    • Use of subprocessors
    • Etc.
    • Draft of the standard contractual clauses (SCC)
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: High

    Impact: Medium to High

    Data Breach

    Gap Controls

    • Identify jurisdictions that your organization is operating in and that impose different obligations for data breach reporting.
    • Document the notification obligations for various business scenarios, such as controller to DPA, controller to data subject, and processor to controller.
    • Integrate breach notification obligations into security incident response process.

    Examples of Data Breach Notification Obligations

    Location

    Regulation/ Standard

    Reporting Obligation

    EU

    GDPR

    72 hours

    China

    PIPL

    Immediately

    US

    HIPAA

    No later than 60 days

    Canada

    PIPEDA

    As soon as feasible

    Global

    PCI DSS

    • Visa – immediately after breach discovered
    • Mastercard – within 24 hours of discovering breach
    • American Express – immediately after breach discovered

    Summary of US State Data Breach Notification Statutes

    The image contains a graph to show the summary of the US State Data Breach Notification Statutes.

    Source: Davis Wright Tremaine

    3.3.6 Identify data breach notification obligations

    1-2 hours

    1. Identify jurisdictions that your organization is operating in and that impose different obligations for data breach reporting.
    2. Document the notification obligations for various business scenarios, such as controller to DPA, controller to data subject, and processor to controller.
    3. Record your data breach obligations in the table below.
    Region Regulation/Standard Reporting Obligation

    Input

    Output

    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Documentation of data breach reporting obligations in applicable jurisdictions

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.7 Integrate data breach notification into incident response

    1-2 hours

    • Integrate breach notification obligations into the security incident response process. Understand the security incident management framework.
    • All incident runbooks follow the same process: detection, analysis, containment, eradication, recovery, and post-incident activity.
    • The table below provides a basic checklist for you to consider when implementing your data breach and incident handling process.
    # Phase Considerations Status Notes
    1 Prepare Ensure the appropriate resources are available to best handle an incident.
    2 Detect Leverage monitoring controls to actively detect threats.
    3 Analyze Distill real events from false positives.
    4 Contain Isolate the threat before it can cause additional damage.
    5 Eradicate Eliminate the threat from your operating environment.
    6 Recover Restore impacted systems to a normal state of operations.
    7 Report Report data breaches to relevant regulators and data subjects if required.
    8 Post-Incident Activities Conduct a lessons-learned post-mortem analysis.
    InputOutput
    • Security and data protection incident response steps
    • Key considerations for integrating data breach notifications into incident response
    • Data breach notifications integrated into the incident response process
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Security team
    • Privacy team
    • Legal team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Compliance with local obligations

    Likelihood: High

    Impact: Medium to High

    Third-Party Risk

    Gap Controls

    • Build an end-to-end third-party security and privacy risk management process.
    • Perform internal due diligence prior to selecting a service provider.
    • Stipulate the security and privacy protection obligations of the third party in a legally binding document such as contract or data processing agreement, etc.

    End-to-End Third-Party Security and Privacy Risk Management

    1. Pre-Contract
    • Due diligence check
  • Signing of Contract
    • Data processing agreement
  • Post-Contract
    • Continuous monitoring
    • Regular check or audit
  • Termination of Contract
    • Data deletion
    • Access deprovisioning

    Examples of Vendor Security Management Requirements

    Region

    Law/Standard

    Section

    EU

    General Data Protection Regulation (GDPR)

    Article 28 (1)

    Article 46 (1)

    US

    Health Insurance Portability and Accountability Act (HIPAA)

    §164.308(b)(1)

    US

    New York Department of Financial Services Cybersecurity Requirements

    500.11(a)

    Global

    ISO 27002:2013

    15.1.1

    15.1.2

    15.1.3

    15.2.1

    15.2.2

    US

    NIST 800-53

    SA-12

    SA-12 (2)

    US

    NIST Cybersecurity Framework

    ID-SC-1

    ID-SC-2

    ID-SC-3

    ID-SC-4

    Canada

    OSFI Cybersecurity Guidelines

    4.25

    4.26

    3.3.8 Identify vendor security and data protection requirements

    1-2 hours

    • Effective vendor security risk management is an end-to-end process that includes assessment, risk mitigation, and periodic reassessments.
    • An efficient and effective assessment process can only be achieved when all stakeholders are participating.
    • Identify and document your vendor security and data protection requirements in the table below.
    Region Law/Standard Section Requirements

    Input

    Output

    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Documentation of vendor security and data protection obligations in applicable jurisdictions

    Materials

    Participants

    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.9 Build due diligence questionnaire

    1-2 hours

    Perform internal due diligence prior to selecting a service provider.

    1. Build and right-size your vendor security questionnaire by leveraging Info-Tech’s Vendor Security Questionnaire template.
    2. Document your vendor security questionnaire in the table below.
    # Question Vendor Request Vendor Comments
    1 Document Requests
    2 Asset Management
    3 Governance
    4 Supply Chain Risk Management
    5 Identify Management, Authentication, and Access Control
    InputOutput
    • List of regions and jurisdictions your business is operating in
    • List of relevant regulations and standards
    • Business security and data protection requirements and expectations
    • Draft of due diligence questionnaire
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    3.3.10 Build appropriate data processing agreement

    1-2 hours

    1. Stipulate the security and privacy protection obligations of the third party in a legally binding document such as contract or data processing agreement, etc.
    2. Leverage Info-Tech’s Data Processing Agreement Template to put the language into your legally binding document.
    3. Use the table below to check whether core components of a typical DPA are covered in your document.
    # Core Components Status Note
    1 Processing of personal data
    2 Scope of application and responsibilities
    3 Processor's obligations
    4

    Controller's obligations

    5 Data subject requests
    6 Right to audit and inspection
    7 Subprocessing
    8 Data breach management
    9 Security controls
    10 Transfer of personal data
    11 Duty of confidentiality
    12 Compliance with applicable laws
    13 Service termination
    14 Liability and damages
    InputOutput
    • Processing of personal data
    • Processor’s obligations
    • Controller’s obligations
    • Subprocessing
    • Etc.
    • Draft of data processing agreement (DPA)
    MaterialsParticipants
    • Guidelines for Compliance With Local Security and Privacy Laws Template
    • Legal team
    • Privacy team
    • Security team
    • IT leadership
    • Risk Management

    Download the Guidelines for Compliance With Local Security and Privacy Laws Template

    Summary of Accomplishment

    Problem Solved

    By following Info-Tech’s methodology for securing global operations, you have:

    • Evaluated the security context of your organization’s global operations.
    • Identified security risks scenarios unique to high-risk jurisdictions and assessed the exposure of critical assets.
    • Planned and executed a response.

    You have gone through a deeper analysis of two key risk scenarios that affect global operations:

    • Travel to high-risk jurisdictions.
    • Compliance risk.

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.

    Contact your account representative for more information.

    workshop@infotech.com

    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    The image contains a picture of Michel Hebert.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team. Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    The image contains a screenshot of High-Risk Travel Jurisdictions.

    Identify High-Risk Jurisdictions

    Develop requirements to identify high-risk jurisdictions.

    The image contains a screenshot of Build Risk Scenarios.

    Build Risk Scenarios

    Build risk scenarios to capture assets, vulnerabilities, threats, and the potential effect of a compromise.

    External Research Contributors

    Ken Muir

    CISO

    LMC Security

    Premchand Kurup

    CEO

    Paramount Computer Systems

    Preeti Dhawan

    Manager, Security Governance

    Payments Canada

    Scott Wiggins

    Information Risk and Governance

    CDPHP

    Fritz Y. Jean Louis

    CISO

    Globe and Mail

    Eric Gervais

    CIO

    Ovivo Water

    David Morrish

    CEO

    MBS Techservices

    Evan Garland

    Manager, IT Security

    Camosun College

    Jacopo Fumagalli

    CISO

    Axpo

    Dennis Leon

    Governance and Security Manager

    CPA Canada

    Tero Lehtinen

    CIO

    Planmeca Oy

    Related Info-Tech Research

    Build an IT Risk Management Program

    • Build a program to identify, evaluate, assess, and treat IT risks.
    • Monitor and communicate risks effectively to support business decision making.

    Combine Security Risk Management Components Into One Program

    • Develop a program focused on assessing and managing information system risks.
    • Build a governance structure that integrates security risks within the organization’s broader approach to risk management.

    Build an Information Security Strategy

    • Build a holistic, risk-aware strategy that aligns to business goals.
    • Develop a roadmap of prioritized initiatives to implement the strategy over 18 to 36 months.

    Bibliography

    2022 Cost of Insider Threats Global Report.” Ponemon Institute, NOVIPRO, 9 Feb. 2022. Accessed 25 May 22.

    “Allianz Risk Barometer 2022.” Allianz Global Corporate & Specialty, Jan. 2022. Accessed 25 May 22.

    Bickley, Shaun. “Security Risk Management: a basic guide for smaller NGOs”. European Interagency Security Forum (EISF), 2017. Web.

    “Biden Administration Warns against spyware targeting dissidents.” New York Times, 7 Jan 22. Accessed 20 Jan 2022.

    Boehm, Jim, et al. “The risk-based approach to cybersecurity.” McKinsey & Company, October 2019. Web.

    “Cost of a Data Breach Report 2021.” IBM Security, July 2021. Web.

    “Cyber Risk in Asia-Pacific: The Case for Greater Transparency.” Marsh & McLennan Companies, 2017. Web.

    “Cyber Risk Index.” NordVPN, 2020. Accessed 25 May 22

    Dawson, Maurice. “Applying a holistic cybersecurity framework for global IT organizations.” Business Information Review, vol. 35, no. 2, 2018, pp. 60-67.

    “Framework for improving critical infrastructure cybersecurity.” National Institute of Standards and Technology, 16 Apr 2018. Web.

    “Global Cybersecurity Index 2020.” International Telecommunication Union (ITU), 2021. Accessed 25 May 22.

    “Global Risk Survey 2022.” Control Risks, 2022. Accessed 25 May 22.

    “International Travel Guidance for Government Mobile Devices.” Federal Mobility Group (FMG), Aug. 2021. Accessed 18 Nov 2021.

    Kaffenberger, Lincoln, and Emanuel Kopp. “Cyber Risk Scenarios, the Financial System, and Systemic Risk Assessment.” Carnegie Endowment for International Peace, September 2019. Accessed 11 Jan 2022.

    Koehler, Thomas R. Understanding Cyber Risk. Routledge, 2018.

    Owens, Brian. “Cybersecurity for the travelling scientist.” Nature, vol. 548, 3 Aug 2017. Accessed 19 Jan. 2022.

    Parsons, Fintan J., et al. “Cybersecurity risks and recommendations for international travellers.” Journal of Travel Medicine, vol. 1, no. 4, 2021. Accessed 19 Jan 2022.

    Quinn, Stephen, et al. “Identifying and estimating cybersecurity risk for enterprise risk management.” National Institute of Standards and Technology (NIST), Interagency or Internal Report (IR) 8286A, Nov. 2021.

    Quinn, Stephen, et al. “Prioritizing cybersecurity risk for enterprise risk management.” NIST, IR 8286B, Sept. 2021.

    “Remaining cyber safe while travelling security recommendations.” Government of Canada, 27 April 2022. Accessed 31 Jan 2022.

    Stine, Kevin, et al. “Integrating cybersecurity and enterprise risk management.” NIST, IR 8286, Oct. 2020.

    Tammineedi, Rama. “Integrating KRIs and KPIs for effective technology risk management.” ISACA Journal, vol. 4, 1 July 2018.

    Tikk, Eneken, and Mika Kerttunen, editors. Routledge Handbook of International Cybersecurity. Routledge, 2020.

    Voo, Julia, et al. “National Cyber Power Index 2020.” Belfer Center for Science and International Affairs, Harvard Kennedy School, Sept. 2020. Web.

    Zhang, Fang. “Navigating cybersecurity risks in international trade.” Harvard Business Review, Dec 2021. Accessed 31 Jan 22.

    Appendix

    Insider Threat

    Key Risk Scenario

    Likelihood: Medium to High

    Impact: High

    Gap Controls

    The image contains a picture of the Gap Controls. The controls include: Policy and Awareness, Identification, Monitoring and Visibility, which leads to Cooperation.

    • Identification: Effective and efficient management of insider threats begins with a threat and risk assessment to establish which assets and which employees to consider, especially in jurisdictions associated with sensitive or critical data. You need to pay extra attention to employees who are working in satellite offices in jurisdictions with loose security and privacy laws.
    • Monitoring and Visibility: Organizations should monitor critical assets and groups with privileged access to defend against malicious behavior. Implement an insider threat management platform that provides your organization with the visibility and context into data movement, especially cross-border transfers that might cause security and privacy breaches.
    • Policy and Awareness Training: Insider threats will persist without appropriate action and culture change. Training and consistent communication of best practices will mitigate vulnerabilities to accidental or negligent attacks. Customized training materials using local languages and role-based case studies might be needed for employees in high-risk jurisdictions.
    • Cooperation: An effective insider threat management program should be built with cross-team functions such as Security, IT, Compliance and Legal, etc.

    For more holistic approach, you can leverage our Reduce and Manage Your Organization’s Insider Threat Risk blueprint.

    Info-Tech Insight

    You can’t just throw tools at a human problem. While organizations should monitor critical assets and groups with privileged access to defend against malicious behavior, good management and supervision can help detect attacks and prevent them from happening in the first place.

    Insider threats are not industry specific, but malicious insiders are

    Industry

    Actors

    Risks

    Tactics

    Motives

    State and Local Government

    • Full-time employees
    • Current employees
    • Privileged access to personally identifiable information, financial assets, and physical property
    • Abuse of privileged access
    • Received or transferred fraudulent funds
    • Financial gain
    • Recognition
    • Benefiting foreign entity

    Information Technology

    • Equal mix of former and current employees
    • Privileged access to networks or systems as well as data
    • Highly technical attacks
    • Received or transferred fraudulent funds
    • Revenge
    • Financial gain

    Healthcare

    • Majority were full-time and current employees
    • Privileged access to customer data with personally identifiable information, financial assets
    • Abuse of privileged access
    • Received or transferred fraudulent funds
    • Financial gain
    • Entitlement

    Finance and Insurance

    • Majority were full-time and current employees
    • Authorized users
    • Electronic financial assets
    • Privileged access to customer data
    • Created or used fraudulent accounts
    • Fraudulent purchases
    • Identity theft
    • Financial gain
    • Gambling addiction
    • Family pressures
    • Multiple motivations

    Source: Carnegie Mellon University Software Engineering Institute, 2019

    Advanced Persistent Threat

    Key Risk Scenario #4

    Likelihood: Medium to High

    Impact: High

    Gap Controls

    The image contains a screenshot of the Gap Controls listed: Prevent, Detect, Analyze, Respond.

    Prevent: Defense in depth is the best approach to protect against unknown and unpredictable attacks. Effective anti-malware, diligent patching and vulnerability management, and strong human-centric security are essential.

    Detect: There are two types of companies – those who have been breached and know it, and those who have been breached and don’t know it. Ensure that monitoring, logging, and event detection tools are in place and appropriate to your organizational needs.

    Analyze: Raw data without interpretation cannot improve security and is a waste of time, money, and effort. Establish a tiered operational process that not only enriches data but also provides visibility into your threat landscape.

    Respond: Organizations can’t rely on ad hoc response anymore – don’t wait until a state of panic. Formalize your response processes in a detailed incident runbook to reduce incident remediation time and effort.

    Best practices moving forward

    Defense in Depth

    Lock down your organization. Among other tactics, control administrative privileges, leverage threat intelligence, use IP whitelisting, adopt endpoint protection and two-factor authentication, and formalize incident response measures.

    Block Indicators

    Information alone is not actionable. A successful threat intelligence program contextualizes threat data, aligns intelligence with business objectives, and then builds processes to satisfy those objectives. Actively block indicators and act upon gathered intelligence.

    Drive Adoption

    Create organizational situational awareness around security initiatives to drive adoption of foundational security measures: network hardening, threat intelligence, red-teaming exercises, and zero-day mitigation, policies, and procedures.

    Supply Chain Security

    Security extends beyond your organization. Ensure your organization has a comprehensive view of your organizational threat landscape and a clear understanding of the security posture of any managed service providers in your supply chain.

    Awareness and Training

    Conduct security awareness and training. Teach end users how to recognize current cyberattacks before they fall victim – this is a mandatory first line of defense.

    Additional Resources

    Follow only official sources of information to help you assess risk

    The image contains an image highlighting a few additional resources.

    As misinformation is a major attack vector for malicious actors, follow only reliable sources for cyberalerts and actionable intelligence. Aggregate information from these reliable sources.

    Federal Cyber Agency Alerts

    Informational Resources

    Info-Tech Insight

    The CISA Shields Up site provides the latest cyber risk updates on the Russia-Ukraine conflict and should provide the most value in staying informed.

    Improve IT Governance to Drive Business Results

    • Buy Link or Shortcode: {j2store}190|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $194,553 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: IT Governance, Risk & Compliance
    • Parent Category Link: /it-governance-risk-and-compliance
    • IT governance is the number-one predictor of value generated by IT, yet many organizations struggle to organize their governance effectively.
    • Current IT governance does not address the changing goals, risks, or context of the organization, so IT spend is not easily linked to value.
    • The right people are not making the right decisions about IT.

    Our Advice

    Critical Insight

    • Organizations do not have a governance framework in place that optimally aligns IT with the business objectives and direction.
    • Implementing IT governance requires the involvement of key business stakeholders who do not see IT’s value in corporate governance and strategy.
    • The current governance processes are poorly designed, making the time to decisions too long and driving non-compliance.

    Impact and Result

    • Use Info-Tech’s four-step process to optimize your IT governance framework.
    • Our client-tested methodology supports the enablement of IT-business alignment, decreases decision-making cycle times, and increases IT’s transparency and effectiveness in decisions around benefits realization, risks, and resources.
    • Successful completion of the IT governance redesign will result in the following outcomes:
      1. Align IT with the business context.
      2. Assess the current governance framework.
      3. Redesign the governance framework.
      4. Implement governance redesign.

    Improve IT Governance to Drive Business Results Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should redesign IT governance, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Align IT with the business context

    Align IT’s direction with the business using the Statement of Business Context.

    • Redesign IT Governance to Drive Optimal Business Results – Phase 1: Align IT With the Business Context
    • Make the Case for an IT Governance Redesign
    • Stakeholder Power Map Template
    • IT Governance Stakeholder Communication Planning Tool
    • PESTLE Analysis Template
    • Business SWOT Analysis Template
    • Statement of Business Context Template

    2. Assess the current governance framework

    Evaluate the strengths and weaknesses of current governance using the Current State Assessment.

    • Redesign IT Governance to Drive Optimal Business Results – Phase 2: Assess the Current Governance Framework
    • Current State Assessment of IT Governance

    3. Redesign the governance framework

    Build a redesign of the governance framework using the Future State Design template.

    • Redesign IT Governance to Drive Optimal Business Results – Phase 3: Redesign the Governance Framework
    • Future State Design for IT Governance
    • IT Governance Terms of Reference

    4. Implement governance redesign

    Create an implementation plan to jump-start the communication of the redesign and set it up for success.

    • Redesign IT Governance to Drive Optimal Business Results – Phase 4: Implement Governance Redesign
    • Redesign IT Governance to Drive Optimal Business Results Executive Presentation Template
    • IT Governance Implementation Plan
    [infographic]

    Workshop: Improve IT Governance to Drive Business Results

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify the Need for Governance

    The Purpose

    Identify the need for governance in your organization and engage the leadership team in the redesign process.

    Key Benefits Achieved

    Establish an engagement standard for the leadership of your organization in the IT governance redesign.

    Activities

    1.1 Identify stakeholders.

    1.2 Make the case for improved IT governance.

    1.3 Customize communication plan.

    Outputs

    Stakeholder Power Map

    Make the Case Presentation

    Communication Plan

    2 Align IT With the Business Context

    The Purpose

    Create a mutual understanding with the business leaders of the current state of the organization and the state of business it is moving towards.

    Key Benefits Achieved

    The understanding of the business context will provide an aligned foundation on which to redesign the IT governance framework.

    Activities

    2.1 Review documents.

    2.2 Analyze frameworks.

    2.3 Conduct brainstorming.

    2.4 Finalize the Statement of Business Context.

    Outputs

    PESTLE Analysis

    SWOT Analysis

    Statement of Business Context

    3 Assess the Current Governance Framework

    The Purpose

    Establish a baseline of the current governance framework.

    Key Benefits Achieved

    Develop guidelines based off results from the current state that will guide the future state design.

    Activities

    3.1 Create committee profiles.

    3.2 Build governance structure map.

    3.3 Establish governance guidelines.

    Outputs

    Current State Assessment

    4 Redesign the Governance Framework

    The Purpose

    Redesign the governance structure and the committees that operate within it.

    Key Benefits Achieved

    Build a future state of governance where the relationships and processes that are built drive optimal business results.

    Activities

    4.1 Build governance structure map.

    4.2 Create committee profiles.

    Outputs

    Future State Design

    IT Governance Terms of Reference

    5 Implement Governance Redesign

    The Purpose

    Build a roadmap for implementing the governance redesign.

    Key Benefits Achieved

    Create a transparent and relationship-oriented implementation strategy that will pave the way for a successful redesign implementation.

    Activities

    5.1 Identify next steps for the redesign.

    5.2 Establish communication plan.

    5.3 Lead executive presentation.

    Outputs

    Implementation Plan

    Executive Presentation

    Further reading

    Improve IT Governance to Drive Business Results

    Avoid bureaucracy and achieve alignment with a minimalist approach.

    ANALYST PERSPECTIVE

    Governance optimization is achieved where decision making, authority, and context meet.

    "Governance is something that is done externally to IT and well as internally by IT, with the intention of providing oversight to direct the organization to meet goals and keep things on target.

    Optimizing IT governance is the most effective way to consistently direct IT spend to areas that provide the most value in producing or supporting business outcomes, yet it is rarely done well.

    IT governance is more than just identifying where decisions are made and who has the authority to make them – it must also provide the context and criteria under which decisions are made in order to truly provide business value" (Valence Howden, Director, CIO Practice Info-Tech Research Group)

    Our understanding of the problem

    This Research is Designed For:

    • CIOs
    • CTOs
    • IT Directors

    This Research Will Help You:

    • Achieve and maintain executive and business support for optimizing IT governance.
    • Optimize your governance structure.
    • Build high-level governance processes.
    • Build governance committee charters and set accountability for decision making.
    • Plan the transition to the optimized governance structure and processes.

    This Research Will Also Assist:

    • Executive Leadership
    • IT Managers
    • IT Customers
    • Project Managers

    This Research Will Help Them:

    • Improve alignment between business decisions and IT initiatives.
    • Establish a mechanism to validate, redirect, and reprioritize IT initiatives.
    • Realize greater value from more effective decision making.
    • Receive a better overall quality of service.

    Executive Summary

    Situation

    • IT governance is the #1 predictor of value generated by IT, yet many organizations struggle to organize their governance effectively.*
    • Current IT governance does not address the changing goals, risks, or context of the organization so IT spend is not easily linked to value.
    • The right people are not making the right decisions about IT.

    Complication

    • Organizations do not have a governance framework in place that optimally aligns IT with the business objectives and direction.
    • Implementing IT governance requires the involvement of key business stakeholders who do not see IT’s value in governance and strategy.
    • The current governance processes are poorly designed, creating long decision-making cycles and driving non-compliance with regulation.

    Resolution

    • Use Info-Tech’s four-step process for optimizing your IT governance framework. Our client-tested methodology supports the enablement of IT-business alignment, decreases decision-making cycle times, and increases IT’s transparency and effectiveness in making decisions around benefits realization, risks, and resources.
    • Successful completion of the IT governance redesign will result in the following outcomes:
      1. Align IT with the business context.
      2. Assess the current governance framework.
      3. Redesign the governance framework.
      4. Implement governance redesign.

    Info-Tech Insight

    • Establish IT-business fusion. In governance, alignment is not enough. Merge IT and the business through governance to ensure business success.
    • With great governance comes great responsibility. Involve relevant business leaders, who will be impacted by IT outcomes, to take on governing responsibility of IT.
    • Let IT manage and the business govern. IT governance should be a component of enterprise governance, allowing IT leaders to focus on managing.

    IT governance is...

    An enabling framework for decision-making context and accountabilities for related processes.

    A means of ensuring business-IT collaboration, leading to increased consistency and transparency in decision making and prioritization of initiatives.

    A critical component of ensuring delivery of business value from IT spend and driving high satisfaction with IT.

    IT governance is not...

    An annoying, finger-waving roadblock in the way of getting things done.

    Limited to making decisions about technology.

    Designed tacitly; it is purposeful, with business objectives in mind.

    A one-time project; you must review and revalidate the efficiency.

    Avoid common misconceptions of IT governance

    Don’t blur the lines between governance and management; each has a unique role to play. Confusing these results in wasted time and confusion around ownership.

    Governance

    A cycle of 'Governance Processes' and 'Management Processes'. On the left side of the cycle 'Governance Processes' begins with 'Evaluate', then 'Direct', then 'Monitor'. This leads to 'Management Processes' on the right side with 'Plan', 'Build', 'Run', and 'Monitor', which then feeds back into 'Evaluate'.

    Management

    IT governance sets direction through prioritization and decision making, and monitors overall IT performance.

    Governance aligns with the mission and vision of the organization to guide IT.

    Management is responsible for executing on, operating, and monitoring activities as determined by IT governance.

    Management makes decisions for implementing based on governance direction.

    The IT Governance Framework

    An IT governance framework is a system that will design structures, processes, authority definitions, and membership assignments that lead IT toward optimal results for the business.

    Governance is performed in three ways:
    1. Evaluate

      Governance ensures that business goals are achieved by evaluating stakeholder needs, criteria, metrics, portfolio, risk, and definition of value.
    2. Direct

      Governance sets the direction of IT by delegating priorities and determining the decisions that will guide the IT organization.
    3. Monitor

      Governance establishes a framework to monitor performance, compliance to regulation, and progress on expected outcomes.

    "Everyone needs good IT, but no one wants to talk about it. Most CFOs would rather spend time with their in-laws than in an IT steering-committee meeting. But companies with good governance consistently outperform companies with bad. Which group do you want to be in?" (Martha Heller, President, Heller Search Associates)

    Create impactful IT governance by embedding it within enterprise governance

    The business should engage in IT governance and IT should influence the direction of the business.

    Enterprise Governance

    IT Governance

    Authority for enterprise governance falls to the board and executive management.

    Responsibilities Include:
    • Provide strategic direction for the organization.
    • Ensure objectives are met.
    • Set the risk standards or profile.
    • Delegate resources responsibly.
    –› Engage in –›

    ‹– Influence ‹–

    Governance of IT is a component of enterprise governance.

    Responsibilities Include:
    • Build structure, authority, process, and membership designations in a governance framework.
    • Ensure the IT organization is aligned with business goals.
    • Influence the direction of the business to ensure business success.

    Identify signals of sub-optimal IT governance within any of these domains

    If you notice any of these signals, governance redesign is right for you!

    Inability to Realize Benefits

    1. IT is unable to articulate the value of its initiatives or spend.
    2. IT is regularly delegated unplanned projects.
    3. The is no standard approach to prioritization.
    4. Projects do not meet target metrics.

    Resource Misallocation

    1. Resources are wasted due to duplication or overlap in IT initiatives.
    2. IT projects fail at an unacceptable rate, leading to wasted resources.
    3. IT’s costs continue to increase without reciprocal performance increase.

    Misdiagnosed Risks

    1. Risk appetite is incorrectly identified or not identified at all.
    2. Disagreement on the approach to risk in the organization.
    3. Increasing rate of IT incidents related to risk.
    4. IT is failing to meet regulatory requirements.

    Dissatisfied Stakeholders

    1. There are no ways to measure stakeholder satisfaction with IT.
    2. Business strategies and IT strategies are misaligned.
    3. IT’s relationship with key stakeholders is unstable and there is a lack of mutual trust.

    A majority of organizations experience significant alignment gaps

    The majority of organizations and their key stakeholders experience highly visible gaps in the alignment of IT investments and organizational goals.

    There are two bars with percentages of their length marked out for different CXO responses. The possible responses are from '1, Critical Gap' to '7, No Gap'. The top bar says '57% of CXOs identify a major gap in IT's ability to support business goals', and shows 13% answered '1, Critical Gap', 22% answered '2', and 22% answered '3'. The bottom bar says '84% of CXOs often perceive that IT is investing in areas that do not support the business' and shows 38% answered '1, Critical Gap', 33% answered '2', and 13% answered '3'.

    88% of CIOs believe that their governance is not effective. (Info-Tech Diagnostics)

    Leverage governance as the catalyst for connecting IT and the business

    49% of firms are misaligned on current performance expectations for IT.

    • 49% Misaligned
    • 51% Aligned

    67% of firms are misaligned on the target role for IT.

    • 34% Highly Misaligned
    • 33% Somewhat Misaligned
    • 33% Aligned

    A well-designed IT governance framework will hep you to:

    1. Make sure IT keeps up with the evolving business context.
    2. Align IT with the mission and the vision of the organization.
    3. Optimize the speed and quality of decision making.
    4. Meet regulatory and compliance needs in the external environment.
    5. (Info-Tech Diagnostics)

    Align with business goals through governance to attain business-IT fusion

    Create a state of business-IT fusion, in which the two become one.

    Without business-IT fusion, IT will go in a different direction, leading to a divergence of purpose and outcomes. IT can transform into a fused partner of the business by ensuring that they govern toward the same goal.

    Firefighter
    • Delivers lower value
    • Duplication of effort
    • Unclear risk profile
    • High risk exposure
    Three sets of arrows, each pointing upward and arranged in an ascending stair pattern. The first, lowest set of arrows has a large blue arrow with a small green arrow veering off to the side, unaligned. The second, middle set of arrows has a large blue arrow with a medium green arrow overlaid on its center, somewhat aligned. The third, highest set of arrows has half of a large blue arrow, and the other half is a large green arrow, aligned. Business Partner
    • Increased speed of decision making
    • Aligned with business priorities
    • Optimized utility of people, financial, and time resources
    • Monitors and mitigates risk and compliance issues

    Redesign IT governance in accordance with COBIT and proven good practice

    Info-Tech’s approach to governance redesign is rooted in COBIT, the world-class and open-source IT governance standard.

    COBIT begins with governance, EDM – Evaluate, Direct, and Monitor.

    We build upon these standards with industry best practices and add a practical approach based on member feedback.

    This blueprint will help you optimize your governance framework.

    The upper image is a pyramid with 'Info-Tech Insights, Analysts, Experts, Clients' on top, 'IT Governance Best Practices' in the middle, and 'COBIT 5' on the bottom, indicating that Info-Tech's Governance guidance is based in COBIT 5. 'This project will focus on EDM01, Set/Maintain Governance Framework.'

    Use Info-Tech’s approach to implementing an IT governance redesign

    The four phases of Info-Tech’s governance redesign methodology will help you drive greater value for the business.

    1. Align IT With the Business Context
      Align IT’s direction with the business using the Statement of Business Context Template.
    2. Assess the Current Governance Framework
      Evaluate the strengths and weaknesses of current governance using the Current State Assessment of IT Governance.
    3. Redesign the Governance Framework
      Build a redesign of the governance framework using the Future State Design for IT Governance tool.
    4. Implement Governance Redesign
      Create an IT Governance Implementation Plan to jumpstart the communication of the redesign and set it up for success.
    5. Continuously assess your governance framework to ensure alignment.

    Leverage Info-Tech’s insights for an optimal redesign process

    Common Pitfalls

    Info-Tech Solutions

    Phase 1

    There must be an active understanding of the current and future state of the business for governance to address the changing needs of the business. –›
    1. Make the case for a governance redesign.
    2. Create a custom communication plan to facilitate support.
    3. Establish a collectively agreed upon statement of business context.

    Phase 2

    Take a proactive approach to revising your governance framework. Understand why you are making decisions before actually making them. –›
    1. Conduct the IT governance current state assessment.
    2. Create governance guidelines for redesign.

    Phase 3

    Keep the current and future goals in sight to build an optimized governance framework that maintains the minimum bar of oversight required. –›
    1. Redesign the future state of IT governance in your organization.

    Phase 4

    Don’t overlook the politics and culture of your organization in redesigning your governance framework. –›
    1. Rationalize steps in an implementation plan.
    2. Outline a communication strategy to navigate culture and politics.
    3. Construct an executive presentation to facilitate transparency for the governing framework.

    Leverage both COBIT and Info-Tech-defined metrics to evaluate the success of your redesign

    These metrics will help you determine the extent to which your governance is supporting your business goals, and whether the governance in place promotes business-IT fusion.

    Benefits Realization

    1. Percent of IT-enabled investments where benefit realization is monitored through the full economic life. (COBIT-defined metric)
    2. Percent of enterprise strategic goals and requirements supported by IT strategic goals. (COBIT-defined metric)
    3. Percent of IT services where expected benefits are realized or exceeded. (COBIT-defined metric)

    Resources

    1. Satisfaction level of business and IT executives with IT-related costs and capabilities. (COBIT-defined metric)
    2. Average time to turn strategic IT objectives into an agreed-upon and approved initiative. (COBIT-defined metric)
    3. Number of deviations from resource utilization plan.

    Risks

    1. Number of security incidents causing financial loss, business disruption, or public embarrassment. (COBIT-defined metric)
    2. Number of issues related to non-compliance with policies. (COBIT-defined metric)
    3. Percentage of enterprise risk assessments that include IT-related risks. (COBIT-defined metric)
    4. Frequency with which the risk profile is updated. (COBIT-defined metric)

    Stakeholders

    1. Change in score of alignment with the scope of the planned portfolio of programs and services (using CIO-CXO Alignment Diagnostic).
    2. Percent of executive management roles with clearly defined accountabilities for IT decisions. (COBIT-defined metric)
    3. Percent of business stakeholders satisfied that IT service delivery meets agreed-upon service levels. (COBIT-defined metric)
    4. Percent of key business stakeholders involved in IT governance.

    Capture monetary value by establishing and monitoring key metrics

    While benefits of governance are often qualitative, the power of effective governance can be demonstrated through quantitative financial gains.

    Scenario 1 – Realizing Expected Gains

    Scenario 2 – Mitigating Unexpected Losses

    Metric

    Track the percentage of initiatives that provided expected ROI year over year. The optimization of the governance framework should generate an increase in this metric. Monitor this metric for continuous improvement opportunities. Track the financial losses related to non-compliance with policy or regulation. An optimized governance framework should better protect the organization against policy breach and mitigate the possibility and impact of “rogue” actions.

    Formula

    ROI of all initiatives / number of initiatives in year 2 – ROI of all initiatives / number of initiatives in year 1

    The expected result should be positive.

    Cost of non-compliance in year 2 – cost of non-compliance in year 1

    The expected result should be negative.

    Redesign IT governance to achieve optimal business outcomes

    CASE STUDY

    Industry: Healthcare
    Source: Info-Tech

    Situation

    The IT governance had been structured based on regulations and had not changed much since it was put in place. However, a move to become an integration and service focused organization had moved the organization into the world of web services, Agile development, and service-oriented architecture.

    Complication

    The existing process was well defined and entrenched, but did not enable rapid decision making and Agile service delivery. This was due to the number of committees where initiatives were reviewed, made worse by their lack of approval authority. This led to issues moving initiatives forward in the timeframes required to meet clinician needs and committed governmental deadlines.

    In addition, the revised organizational mandate had created confusion regarding the primary purpose and function of the organization and impacted the ability to prioritize spend on a limited budget.

    To complicate matters further, there was political sensitivity tied to the membership and authority of different governing committees.

    Result:

    The CEO decided that a project would be initiated by the Enterprise Architecture Group, but managed by an external consultant to optimize and restructure the governance within the organization.

    The purpose of using the external consultant was to help remove internal politics from the discussion. This allowed the organization to establish a shared view of the organization’s revised mission and IT’s role in its execution.

    The exercise led to the removal of one governing committee and the merger of two others, modification to committee authority and membership, and a refined decision-making context that was agreed to by all parties.

    The redesigned governance process led to a 30% reduction in cycle time from intake to decision, and a 15% improvement in alignment of IT spend with strategic priorities.

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Redesign IT Governance – project overview

    Align IT With the Business Context

    Assess the Current State

    Redesign Governance

    Implement Redesign

    Supporting Tool icon

    Best-Practice Toolkit

    1.1 Identify Stakeholders
    1.2 Make the Case
    1.3 Present to Executives
    1.4 Customize Comm. Plan
    1.5 Review Documents
    1.6 Analyze Frameworks
    1.7 Conduct Brainstorming
    1.8 Finalize the SoBC
    2.1 Create Committee Profiles

    2.2 Build a Governance Structure Map

    2.3 Establish Governance Guidelines

    3.1 Build Governance Structure Map

    3.2 Create Committee Profiles

    3.3 Leverage Process Specific Governance Blueprints

    4.1 Identify Next Steps for the Redesign

    4.2 Establish Communication Plan

    4.3 Lead Executive Presentation

    Guided Implementations

    • Move towards gaining buy-in from the business if necessary. Then identify the major components of the SoBC.
    • Review SoBC and discuss a strategy to engage key stakeholders in the redesign.
    • Explore the process of identifying the four major elements of governance. Build guidelines for the future state.
    • Review the current state of governance and discuss the implications and guidelines.
    • Identify the changes that will need to be made.
    • Review redesigned structure and authority.
    • Review redesigned process and membership.
    • Discuss and review the implementation plan.
    • Prepare the presentation for the executives. Provide support on any final questions.
    Associated Activity icon

    Onsite Workshop

    Module 1:
    Align IT with the business context
    Module 2:
    Assess the current governance framework
    Module 3:
    Redesign the governance framework
    Module 4:
    Implement governance redesign
    Phase 1 Results:
    • Align IT’s direction with the business.
    Phase 2 Results:
    • Evaluate the strengths and weaknesses of current governance and build guidelines.
    Phase 3 Results:
    • Establish a redesign of the governance framework.
    Phase 4 Results:
    • Create an implementation plan for the communication of the redesign.

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

    Workshop Day 5

    Task – Identify the Need for Governance Task – Align IT with the Business Context Task – Assess the Current State Task – Redesign Governance Framework Task – Implement Governance Redesign

    Activities

    • 1.1 Identify Stakeholders
    • 1.2 Make the Case
    • 1.3 Present to Executives
    • 1.4 Customize Communication Plan
    • 2.1 Review Documents
    • 2.2 Analyze Frameworks
    • 2.3 Conduct Brainstorming
    • 2.4 Finalize the Statement of Business Context
    • 3.1 Create Committee Profiles
    • 3.2 Build Governance Structure Map
    • 3.3 Establish Governance Guidelines
    • 4.1 Build Governance Structure Map
    • 4.2 Create Committee Profiles
    • 4.3 Leverage Process Specific Governance Blueprints
    • 5.1 Identify Next Steps for the Redesign
    • 5.2 Establish Communication Plan
    • 5.3 Lead Executive Presentation

    Deliverables

    1. Make the Case Presentation
    2. Stakeholder Power Map Template
    3. Communication Plan
    1. PESTLE Analysis
    2. SWOT Analysis
    3. Statement of Business Context
    1. Current State Assessment
    1. Future State Design Tool
    2. IT Governance Terms of Reference
    1. Implementation Plan
    2. Executive Presentation

    Improve IT Governance to Drive Business Results

    PHASE 1

    Align IT With the Business Context

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Align IT With the Business Context

    Proposed Time to Completion: 2-4 weeks
    Step 1.1: Identify the Need for Governance Step 1.2: Create the Statement of Business Context
    Start with an analyst kick-off call:
    • Understand the core concepts of IT governance.
    • Create a strategy for key stakeholder support.
    • Identify key communication milestones.
    Review findings with analyst:
    • Identify and discuss the process of engaging senior leadership.
    • Review findings from business analysis.
    • Review diagnostic and interview outcomes.
    Then complete these activities…
    • Identify stakeholders.
    • Make the case to executives.
    • Build a communication plan.
    Then complete these activities…
    • Review business documents.
    • Review the PESTLE and SWOT analyses.
    • Analyze outcomes of CIO-CEO Alignment Diagnostic.
    • Complete the Statement of Business Context.
    With these tools & templates:
    • Make the Case for an IT Governance Redesign
    • Stakeholder Power Map Template
    • IT Governance Stakeholder Communication Planning Tool
    With these tools & templates:
    • PESTLE Analysis Template
    • Business SWOT Analysis Template
    • CIO-CEO Alignment Diagnostic
    • Statement of Business Context Template

    Phase 1: Align IT With the Business Context

    1 2 3 4
    Align IT With the Business Context Assess the Current Governance Framework Redesign the Governance Framework Implement Governance Redesign

    Activities:

    • 1.1 Identify Stakeholders
    • 1.2 Customize Make the Case Presentation
    • 1.3 Present to Executives
    • 1.4 Customize Communication Plan
    • 1.5 Review Business Documents
    • 1.6 Analyze Business Frameworks
    • 1.7 Conduct Brainstorming Efforts
    • 1.8 Finalize the SoBC

    Outcomes:

    • Make the case for a governance redesign.
    • Create a custom communication plan to facilitate support for the redesign process.
    • Establish a collectively agreed upon statement of business context.

    Set up business-driven governance by gaining an understanding of the business context

    Fuse IT with the business by establishing a common context of what the business is trying to achieve. Align IT with the business by developing an understanding of the business state, creating a platform to build a well-aligned governance framework.

    "IT governance philosophies can no longer be a ‘black box’ … IT governance can no longer be ignored by senior executives." (Iskandar and Mohd Salleh, University of Malaya, International Journal of Digital Society)

    Info-Tech Insight

    Get consensus on the changing state of business. There must be an active understanding of the current and future state of the business for governance to address the changing needs of the business.

    The source for the governance redesign directive will dictate the route for attaining leadership buy-in

    "Without an awareness of IT governance, there is no chance that it will be followed … The higher the percentage of managers who can describe your governance, the higher the governance performance." (Jeanne Ross, Director, MIT Center for Information Systems Research)

    The path you will choose for your governance buy-in tactics will be based on the original directive to redesign governance.

    Enterprise Directive.
    In the case that the redesign is an enterprise directive, jump directly to building a communication plan.

    IT Directive.
    In the case that the redesign is an IT directive, make the case to get the business on board.

    Use the Make the Case presentation template to get buy-in from the business

    Supporting Tool icon 1A Convince senior management to redesign governance

    INSTRUCTIONS

    1. Identify Stakeholders
      Determine which business stakeholders will be impacted or involved in the redesign process.
    2. Customize the Presentation
      Identify specific pain points regarding IT-business alignment.
    3. Present to Executives
      Present the make the case presentation.

    Info-Tech Best Practice

    Use the Make the Case customizable deliverable to lead a boardroom-quality presentation proving the specific need for senior executive involvement in the governance redesign.

    Determine which business stakeholders will be impacted or involved in the redesign process

    Associated Activity icon 1.1 Identify the stakeholders for the IT governance redesign

    It is vital to identify key business and IT stakeholders before the IT governance redesign has begun. Consider whose input and influence will be necessary in order to align with the business context and redesign the governance framework accordingly.

    Business

    • Shareholders
    • Board
    • Chief Executive Officer
    • –› Example: the CEO wants to know how IT will support the achievement of strategic corporate objectives.
    • Chief Financial Officer
    • Chief Operating Officer
    • Business Executives
    • Business Process Owners
    • Strategy Executive Committee
    • Chief Risk Officer
    • Chief Information Security Officer
    • Architecture Board
    • Enterprise Risk Committee
    • Head of Human Resources
    • Compliance
    • Audit

    IT

    • Chief Information Officer
    • –› Example: the CIO would like validation from the business with regards to prioritization criteria.
    • Head Architect
    • Head of Development
    • Head of IT Operations
    • Head of IT Administration
    • Service Manager
    • Information Security Manager
    • Business Continuity Manager
    • Privacy Officer

    External

    • Government Agency
    • –› Example: some governments mandate that organizations develop and implement an IT governance framework.
    • Audit Firm

    Build a power map to prioritize stakeholders

    Associated Activity icon 1.1 2-4 hours

    Stakeholders may have competing concerns – that is, concerns that cannot be addressed with one solution. The governance redesigner must prioritize their time to address the concerns of the stakeholders who have the most power and who are most impacted by the IT governance redesign.

    Draw a stakeholder power map to visualize the importance of various stakeholders and their concerns, and to help prioritize your time with those stakeholders.

    • Power: How much influence does the stakeholder have? Enough to drive the project forward or into the ground?
    • Involvement: How interested is the stakeholder? How much involvement does the stakeholder have in the project already?
    • Impact: To what degree will the stakeholder be impacted? Will this significantly change the job?
    • Support: Is the stakeholder a supporter of the project? Neutral? A resistor?
    A power map of stakeholders with two axes and four quadrants. The vertical axis is 'Low Power' on the bottom and 'High Power' on top. The horizontal axis is 'Low Involvement' on the left and 'High Involvement' on the right. The top left quadrant is labeled 'Keep satisfied' and contains 'CFO', a Strongly Impacted Resistor, and 'COO', a Weakly Impacted Resistor. The top right quadrant is labeled 'Key Players' and contains 'CIO' and 'CEO', both Strongly Impacted Supporters. The bottom left quadrant is labeled 'Minimal effort' and contains 'Marketing Head', a Weakly Impacted Neutral, and 'Production Head', a Moderately Impacted Neutral. The bottom right quadrant is labeled 'Keep informed' and contains 'Director of Ops', a Strongly Impacted Supporter, and 'Chief Architect', a Strongly Impacted Neutral.

    Download Info-Tech’s Stakeholder Power Map Template to help you visualize your key stakeholders.

    Build a power map to prioritize stakeholders

    Associated Activity icon 1.1

    It is important to identify who will be impacted and who has power, and the level of involvement they have in the governance redesign. If they have power, will be highly impacted, and are not involved in governance, you have already lost – because they will resist later. You need to get them involved early.

    • Focus on key players – relevant stakeholders who have high power, are highly impacted, and should have a high level of involvement.
    • Engage the stakeholders that are impacted most and have the power to impede the success of redesigning IT governance.
      • For example, if a CFO, who has the power to block project funding, is heavily impacted and not involved, the IT governance redesign success will be put at risk.
    • Some stakeholders may have influence over others so you should focus your efforts on the influencer rather than the influenced.
      • For example, if an uncooperative COO is highly influenced by the Director of Operations, it is recommended to engage the latter.

    The same power map of stakeholders with two axes and four quadrants, but with focus points and notes. The vertical axis is 'Low Power' on the bottom and 'High Power' on top. The horizontal axis is 'Low Involvement' on the left and 'High Involvement' on the right. The top left quadrant is labeled 'Keep satisfied' and contains 'CFO', a Strongly Impacted Resistor, and 'COO', a Weakly Impacted Resistor, as well as a dotted line moving 'CFO' to the top right quadrant with the note 'A) needs to be engaged'. The top right quadrant is labeled 'Key Players' and contains 'CIO' and 'CEO', both Strongly Impacted Supporters, as well as the new required position of 'CFO'. The bottom left quadrant is labeled 'Minimal effort' and contains 'Marketing Head', a Weakly Impacted Neutral, and 'Production Head', a Moderately Impacted Neutral. The bottom right quadrant is labeled 'Keep informed' and contains 'Director of Ops', a Strongly Impacted Supporter, and 'Chief Architect', a Strongly Impacted Neutral, as well as a line from 'Director of Ops' to 'COO' in the top left quadrant with a note that reads 'B) Influences'.

    Identify specific pain points regarding business-IT alignment

    Associated Activity icon 1.2 2-4 hours

    INPUT: Signal Questions, CIO-CXO Alignment Diagnostic

    OUTPUT: List of Categorized Pain Points

    Materials: Make the Case for an IT Governance Redesign

    Participants: Identified Key Business Stakeholders

    1. Consider Signals for Redesign
      Refer to the Executive Brief for questions to identify pain points related to governance.
      • Benefits Realization
      • Resources
      • Risks
      • Stakeholders
    2. Conduct CIO-CEO Alignment Diagnostic
      Assess the current state of alignment between the CIO and the major stakeholders of the organization.

    See the CEO-CIO Alignment Program for more information.

    Conduct the CEO-CIO Alignment Diagnostic

    Why CEO-CIO Alignment?

    The CEO-CIO Alignment Program helps you understand the gaps between what the CEO wants for IT and what the CIO wants for IT. The program will also evaluate the current state of IT, from a strategic and tactical perspective, based on the CEO’s opinion.

    The CEO-CIO Alignment Program helps to:

    • Evaluate how the executive leadership currently feels about the IT organization’s performance along the following dimensions:
      • IT budgeting and staffing
      • IT strategic planning
      • Degree of project success
      • IT-business alignment
    • Answer the question, “What does the CEO want from IT?”
    • Understand the CEO’s perception of and vision for IT in the business.
    • Define the current and target roles for IT. Understanding IT’s current and target roles, in the eyes of the CEO, is crucial to creating IT governance. By focusing the IT governance on achieving the target role, you will ensure that the senior leadership will support the implementation of the IT governance.

    To conduct the CEO-CIO Alignment Program, follow the steps outlined below.

    1. Select the senior business leader to participate in the program. While Info-Tech suggests that the CEO participate, you might have other senior stakeholders who should be involved.
    2. Send the survey link to your senior business stakeholder and ensure the survey’s completion.
    3. Complete your portion of the survey.
    4. Hold a meeting to discuss the results and document your findings.

    See the CEO-CIO Alignment Program for more information.

    Present the “Make the Case” for IT governance redesign

    Associated Activity icon 1.3 30 minutes

    1. Review Finalized Stakeholder List
      Consolidate a list of the most important and impactful stakeholders who need further convincing to participate in the governance redesign and implementation.
    2. Present the Deck
      Include the information gathered throughout the discovery into the presentation deck and hold a meeting to review the findings.

    Business

    • Shareholders
    • Board
    • Chief Executive Officer
    • Chief Financial Officer
    • Chief Operating Officer
    • Business Executives
    • Strategy Executive Committee
    • Chief Risk Officer
    • Architecture Board
    • Enterprise Risk Committee
    • Head of Human Resources
    • Compliance

    IT

    • Chief Information Officer

    External

    • Government Agency
    • Audit Firm

    Use the Make the Case for an IT Governance Redesign template for more information.

    Create a custom communication plan to facilitate support for the redesign process

    Supporting Tool icon 1B Create a plan to engage the key stakeholders

    INSTRUCTIONS

    1. Identify Stakeholders
      Determine which business stakeholders will be involved (refer to Activity 1.1).
    2. Customize Communication Plan
      Follow up with individual communication plans.

    Info-Tech Best Practice

    Create personal communication plans to provide individualized engagement, instead of assuming that everyone will respond to the same communication style.

    Download the IT Governance Stakeholder Communication Planning Tool for more information.

    Create a communication plan to engage key stakeholders

    Associated Activity icon 1.4 1 hour
    1. Input Stakeholders
      Determine which business stakeholders will be involved (refer to Activity 1.1). Then, insert their position on the power map, the rationale to inform them, the timing of communications, and what inputs they will be needed to provide.

      Stakeholder role

      Power map position

      Why inform them

      When to inform them

      What we need from them

      Chief Executive Officer
      Chief Financial Officer
      Chief Operating Officer
    2. Identify Communication Strategy
      Outline the most effective communication plan for that stakeholder. Identify how to best communicate to the stakeholders to make sure they are appropriately engaged in the redesign process.

      Vehicle

      Audience

      Purpose

      Frequency

      Owner

      Distribution

      Level of detail

      Status Report IT Managers Project progress and deliverable status Weekly CIO, John Smith Email Details for milestones, deliverables, budget, schedule, issues, next steps
      Status Report Marketing Manager Project progress Monthly CIO, John Smith Email High-level detail for major milestone update and impact to the marketing unit

    Establish a collectively agreed upon statement of business context (SoBC)

    Supporting Tool icon 1C Document the mutual understanding of the business context

    INSTRUCTIONS

    1. Review Business Documents
      Review business documents from broad areas of the business to assess the business context.
    2. Analyze Business Frameworks
      Analyze business frameworks to articulate the current and projected future business context.
    3. Brainstorm With Key Stakeholders
      Conduct stakeholder brainstorming efforts to gain insights from key business stakeholders.
    4. Finalize the SoBC
      Document and sign the SoBC with identified stakeholders.

    Info-Tech Best Practice

    Use the Statement of Business Context customizable deliverable as a point of reference that will guide the direction of the governance redesign.

    Use the Statement of Business Context to identify the critical information needed to guide governance

    Components of the SoBC

    1. Mission
      • Who are you as an organization?
      • Who are your internal and external customers?
      • What are your core business functions?

      Example (Higher Education)
      Nurture global leaders and provide avenues for intellectual exploration.
    2. Vision
      • Is your vision statement future-facing?
      • Is your vision statement concise?
      • Is your vision statement achievable?
      • Does your vision statement involve change?

      Example
      Be a catalyst for creating the future leaders of tomorrow through dynamic and immersive educational experiences. The university will be recognized for being a prestigious innovative research hub and educational institution.
    Sample of Info-Tech's Statement of Business Context Template with the Mission and Vision Statements.

    Use the Statement of Business Context to identify the critical information needed to guide governance (cont.)

    More Components of the SoBC

    1. Strategic Objectives
      • What are the strategic initiatives of the organization?
      • Do you have a roadmap to accomplish your mission?
      • What are the primary goals of senior leaders for the organization?

      Example
      1. Meeting government regulation
      2. Revenue generation
      3. Top research quality
      4. High teaching quality
    Sample of Info-Tech's Statement of Business Context Template with Strategic Objectives.
    1. State of Business
      • Consider what the current state and future state are.
      • How does the operating model used define the state?
      • How do industry trends shape the business?
      • What internal changes impact the business model?

      Example
      Our organization aims to make quick decisions and navigate the fast-paced industry with agility, uniting the development and operational sides of the business.
    Sample of Info-Tech's Statement of Business Context Template with State of the Business.

    Leverage core concepts to determine the direction of the organization’s state of the business

    1. Mission
    2. Vision
    3. Strategic Objectives
    –›
    1. State of Business

    2. Work through if your organization’s state is small vs. large, public vs. private, and lean vs. DevOps vs. traditional.

    Small

    IT team is 30 people or less.

    Large

    IT team is more than 30 people.

    Public

    Wholly or partly funded by the government.

    Private

    No government funding is provided.
    Lean: The business aims to eliminate any waste of resources (time, effort, or money) by removing steps in the business process that do not create value. Devops/Agile: Our organization aims to make quick decisions and navigate the fast-paced industry with agility. Uniting the development and operational sides of the business. Hierarchical: Departments in the organization are siloed by function. The organization is top-down and hierarchical, and takes more time with decision making.

    ‹– Multi-State (any combination) –›

    Review business documents to assess business context

    Associated Activity icon 1.5 2-4 hours

    INPUT: Strategic Documents, Financial Documents

    OUTPUT: Mission, Vision, Strategic Objectives

    Materials: Corporate Documents

    Participants: IT Governance Redesign Owner

    Start assessing the state of the business context by leveraging easily accessible information. Many organization have strategic plans, documents, and presentations that already include a large portion of the information for the SoBC – use these sources first.

    Instructions

    1. Strategic Documents
      Leverage your organization’s strategic documents to gain understanding of the business context.

    2. Documents to Review:
    • Corporate strategy document.
    • Business unit strategy documents.
    • Annual general reports.
  • Financial Documents
    Leverage your organization’s financial documents to gain understanding of the business context.

  • Documents to Review:
    • Look for large capital expenditures.
    • Review operating costs.
    • Business cases submitted.

    Review strategic planning documents

    Overview

    Some organizations (and business units) create an authoritative strategy document. These documents contain the organization’s corporate aspirations and outline initiatives, reorganizations, and shifts in strategy. Additionally, some documents contain strategic analysis (Porter’s Five Forces, etc.).

    Action

    • Read through any of the following:
      • Corporate strategy document
      • Business unit strategy documents
      • Annual general reports
    • Watch out for key future-looking words:
      • We will be…
      • We are planning to…

    Overt Statements

    • Corporate objectives and initiatives are often explicitly stated in these documents. Look for statements that begin with phrases such as “Our corporate objectives are…”
    • Remember that different organizations use different terminology – if you cannot find the word “goal” or “objective” then look for “pillar,” “imperative,” “theme,” etc.
    • Ask a business partner to assist if you need some help.

    Covert, Outdated, and Non-Existent Statements

    • Some corporate objectives and initiatives will be mentioned in passing and will require clarification, for example:
      “As we continue to penetrate new markets, we will be diversifying our manufacturing geography to simplify distribution.”
    • Some corporate strategies may be outdated and therefore of limited use for understanding the state of business – validate the statement to ensure it is up to date.
    • Some organizations lack a strategic plan altogether. Use stakeholder interviews to identify imperatives and validate conflicting statements before moving on.

    Review financial documentation

    Overview

    Departmental budgets highlight the new projects that will launch in the next fiscal year. The overwhelming majority of these projects will have IT implications. Additionally, identifying where the department is spending money will allow you to identify business unit initiatives and operational change.

    Action

    • Scan budgets:
      • Look for large capital expenditures
      • Review operating costs
      • Review business cases submitted
    • Look for abnormalities or changes:
      • What does an increase in spending mean?
      • Does IT need to change as a result?

    Capital Budgets

    • Capital expenditures are driven by projects, which map to corporate goals and initiatives.
    • Look for large capital expenditures and cross-reference the outflows with any project plans that have been collected.
    • If an expenditure cannot be explained by project plans, request additional information.

    Operating Budgets

    • Major changes to operating costs typically reflect changes to a business unit. Some of these changes affect IT capabilities and can be classified as corporate initiatives.
    • Changes that should be classified as corporate initiatives are expansion or contraction of a labor force, outsourcing initiatives, and significant process changes.
    • Changes that should not be classified as corporate initiatives are changes in third-party fees, consulting engagements, and changes caused by inflation or growth.

    Analyze business frameworks to articulate context

    Associated Activity icon 1.6 2-4 hours

    INPUT: Industry Research, Organizational Research, Analysis Templates

    OUTPUT: PESTLE and SWOT Analysis

    Materials: Computer or Whiteboards and Markers

    Participants: IT Governance Redesign Owner

    If corporate documents denoting the key components of the SoBC are not easily available, or do not provide all information required, refer to business analysis frameworks to discover internal and external trends that impact the mission, vision, strategic objectives, and state of the business.

    1. Conduct a PESTLE Analysis
      The PESTLE analysis will support the organization in identifying external factors that impact the business. Keep watch for trends and changes in the industry.
    2. Political

      Economic

      Social

      Technological

      Legal

      Environmental

    3. Conduct a SWOT Analysis
      The SWOT analysis will be more specific to the organization and the industry in which it operates. Identify the unique strengths, weaknesses, opportunities, and threats for your organization.
    4. Strengths

      Weaknesses

      Opportunities

      Threats

    Conduct a PESTLE analysis

    Associated Activity icon 1.6 Conduct a PESTLE analysis
    • Break participants into teams and divide the categories amongst them:
      • Political trends
      • Economic trends
      • Social trends
      • Technological trends
      • Legal trends
      • Environmental trends
    • Have each group identify relevant trends under their respective categories. You must relate each trend back to the business by considering:
      • How does this affect my business?
      • Why do we care?
    • Use the prompt questions on the next slide to help the brainstorming process.
    • Have each team present its list and have remaining teams give feedback and additional suggestions.

    Political. Examine political factors such as taxes, environmental regulations, and zoning restrictions.

    Economic Examine economic factors such as interest rates, inflation rate, exchange rates, the financial and stock markets, and the job market.

    Social. Examine social factors such as gender, race, age, income, disabilities, educational attainment, employment status, and religion.

    Technological. Examine technological factors such as servers, computers, networks, software, database technologies, wireless capabilities, and availability of software as a service.

    Legal. Examine legal factors such as trade laws, labor laws, environmental laws, and privacy laws.

    Environmental. Examine environmental factors such as green initiatives, ethical issues, weather patterns, and pollution.

    Download Info-Tech’s PESTLE Analysis Template to help get started.

    Review these questions to help you conduct a PESTLE analysis

    For each prompt below, always try to answer the question: how does this affect my business?

    Political

    • Will a change in government (at any level) affect your organization?
    • Do inter-government or trade relations affect you?
    • Are there shareholder needs or demands that must be considered?

    Economical

    • How are your costs changing (moving off-shore, fluctuations in markets, etc.)?
    • Do currency fluctuations have an effect on your business?
    • Can you attract and pay for top-quality talent (e.g. desirable location, reasonable cost of living, changes to insurance requirements)?

    Social

    • What are the demographics of your customers or employees?
    • What are the attitudes of your customers or staff (do they require social media, collaboration, transparency of costs, etc.)?
    • What is the general lifecycle of an employee (i.e. is there high turnover)?
    • Is there a market of qualified staff?
    • Is your business seasonal?

    Technological

    • Do you require constant technology upgrades (faster network, new hardware, etc.)?
    • What is the appetite for innovation within your industry or business?
    • Are there demands for increasing data storage, quality, BI, etc.?
    • Are you looking at cloud technologies?
    • What is the stance on “bring your own device”?
    • Are you required to do a significant amount of development work in-house?

    Legal

    • Are there changes to trade laws?
    • Are there changes to regulatory requirements, e.g. data storage policies or privacy policies?
    • Are there union factors that must be considered?

    Environmental

    • Is there a push towards being environmentally friendly?
    • Does the weather have any effect on your business (hurricanes, flooding, etc.)?

    Conduct a SWOT analysis on the business

    Associated Activity icon 1.6 Conduct a business SWOT analysis

    Break the group into two teams.

    Assign team A internal strengths and weaknesses.

    Assign team B external opportunities and threats.

    • Have the teams brainstorm items that fit in their assigned grids. Use the prompt questions on the next slide to help you with your SWOT analysis.
    • Pick someone from each group to fill in the grids on the whiteboard.
    • Conduct a group discussion about the items on the list. Identify implications for IT and opportunities to innovate as you did for the other business and external drivers.
    Helpful
    to achieve the objective
    Harmful
    to achieve the objective
    Internal Origin
    attributes of the organization
    Strength Weaknesses
    External Origin
    attributes of the environment
    Opportunities Threats

    Download Info-Tech’s Business SWOT Analysis Template to help get started.

    Review these questions to help you conduct your SWOT analysis on the business

    Strengths (Internal)

    • What competitive advantage does your organization have?
    • What do you do better than anyone else?
    • What makes you unique (human resources, product offering, experience, etc.)?
    • Do you have location advantages?
    • Do you have price, cost, or quality advantages?
    • Does your organizational culture offer an advantage (hiring the best people, etc.)?

    Weaknesses (Internal)

    • What areas of your business require improvement?
    • Are there gaps in capabilities?
    • Do you have financial vulnerabilities?
    • Are there leadership gaps (succession, poor management, etc.)?
    • Are there reputational issues?
    • Are there factors that are making you lose sales?

    Opportunities (External)

    • Are there market developments or new markets?
    • Industry or lifestyle trends, e.g. move to mobile?
    • Are there geographical changes in the market?
    • Are there new partnerships or M&A opportunities?
    • Are there seasonal factors that can be used to the advantage of the business?
    • Are there demographic changes that can be used to the advantage of the business?

    Threats (External)

    • Are there obstacles that the organization must face?
    • Are there issues with respect to sourcing of staff or technologies?
    • Are there changes in market demand?
    • Are your competitors making changes that you are not making?
    • Are there economic issues that could affect your business?

    Conduct brainstorming efforts to gain insights from key business stakeholders

    Associated Activity icon 1.7 2-4 hours

    INPUT: SoBC Template

    OUTPUT: Completed SoBC

    Materials: Computer, Phone, or Other Mechanism of Connection

    Participants: CEO, CFO, COO, CMO, CHRO, and Business Unit Owners

    There are two ways to gather primary knowledge on the key components of the SoBC:

    1. Stakeholder Interviews
      Approach each individual to have a conversation about the key components of the SoBC. Go through the SoBC and fill it in together.
    2. Stakeholder Survey
      In the case that you are in a very large organization, create a stakeholder survey. Input the key components of the SoBC into an online survey maker and send it off the key stakeholders.

    Use the SoBC as the guide to both the interview and the survey. Be clear about the purpose of understanding the business context when connecting with key business stakeholders to participate in the brainstorming. This is a perfect opportunity to establish or develop a relationship with the stakeholders who will need to buy into the redesigned governance framework since it will involve and impact them significantly.

    Go directly to the information source – the key stakeholders

    Overview

    Talking to key stakeholders will allow you to get a holistic view of the business strategy. You will be able to ask follow-up questions to get a better understanding of abstract or complex concepts. Interviews also allow you to have targeted discussions with specific stakeholders who have in-depth subject-matter knowledge.

    Action

    • Talk to key stakeholders:
      • Structure focused, i.e. CEO or CFO
      • Customer focused, i.e. CMO or Head of Sales
      • Operational focused, i.e. COO
      • Lower-level employees or managers
    • Listen for key pains that IT could alleviate.

    Overcome the Unstructured Nature of Interviews

    • Interviewees will often explicitly state objectives and initiatives.
    • However, interviews are less formal and less structured than objective-oriented strategy documents. Objectives are often stated using informal language.
      “We’re talking rev gen here. That’s the name of the game. If we can get a foothold in India, there’s huge upside potential.” (VP Marketing)
    • Further analysis might translate this into a corporate imperative: increase revenue by growing our market share in India to 8% by January of next year.
    • If an imperative is unclear, ask the stakeholder for more detail.
    • Understand how key stakeholders evaluate, direct, and monitor their own areas of the business; this will give you insight as to their style.

    Receive final sign-off to proceed with developing the IT governance redesign

    Associated Activity icon 1.8 30 minutes

    Document any project assumptions or constraints. Before proceeding with the IT governance activities, validate the statement of business context with senior stakeholders. When consensus has been reached, have them sign the final page of the document.

    How to ensure sign-off:

    • Schedule a meeting with the senior stakeholders and conduct a review of the document. This meeting presents a great opportunity to deliver your interpretation of management expectations and make any modifications.
    • Obtaining stakeholder approval in person ensures there is no miscommunication or misunderstandings around the tasks that need to be accomplished to develop a successful IT governance.
    • This is an iterative process; if senior stakeholders have concerns over certain aspects of the document, revise and review again.
    • Final sign-off should only take place when mutual understanding has been reached.

    Download the SoBC Template and complete for final approval.

    Info-Tech Tip

    In most circumstances, you should have the SoBC validated with the following stakeholders:

    • CIO
    • CEO
    • CFO
    • Business Unit Leaders

    Understand the business context to set the foundation for governance redesign

    CASE STUDY

    Industry: Healthcare
    Source: Info-Tech

    Challenge

    The new business direction to become an integrator shifted focus to faster software iteration and on enabling integration and translation technologies, while moving away from creating complete, top-to-bottom IT solutions to be leveraged by clinicians and patients.

    Internal to the IT organization, this created a different in perspective on what was important to prioritize: foundational elements, web services, development, or data compliance issues. There was no longer agreement on which initiatives should move forward.

    Solution

    A series of mandatory meetings were held with key decision makers and SMEs within the organization in order to re-orient everyone on the overall purpose, goals, and outcomes of the organization.

    All attendees were asked to identify what they saw as the mission and vision of the organization.

    Finally, clinicians and patient representatives were brought in to describe how they were going to use the services the organization was providing and how it would enable better patient outcomes.

    Results

    Identifying the purpose of the work the IT organization was doing and how the services were going to be used realigned the different perspectives in the context of the healthcare outcomes they enabled.

    This activity provided a unifying view of the purpose and the state of the business. Understanding the business context prepared the organization to move forward with the governance redesign.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1

    Sample of activity 1.1 'Determine which business stakeholders will be impacted or involved in the redesign process'. Identify Relevant Stakeholders

    Build a list of relevant stakeholders and identify their position on the stakeholder power map.

    1.4

    Sample of activity 1.4 'Create a communication plan to engage key stakeholders'. Communication Plan

    Build customized communication plans to engage the key stakeholders in IT governance redesign.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop

    Book a workshop with our Info-Tech analysts:

    1.7

    Sample of activity 1.7 'Review business documents to assess business context'. Gather Business Information

    Review business documents, leverage business analysis tools, and brainstorm with key executives to document the Statement of Business Context.

    1.8

    Sample of activity 1.8 'Receive final sign-off to proceed with developing the IT Governance redesign'. Finalize the Statement of Business Context

    Get final approval and acceptance on the Statement of Business Context that will guide your redesign.

    Improve IT Governance to Drive Business Results

    PHASE 2

    Assess the Current Governance Framework

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Assess the Current Governance Framework

    Proposed Time to Completion: 2 weeks
    Step 2.1: Outline the Current State AssessmentStep 2.2: Review the Current State Assessment
    Start with an analyst kick-off call:
    • Connect the current business state identified in Phase 1 with the current state of governance.
    • Identify the key elements of current governance.
    • Begin building the structure and committee profiles.
    Review findings with analyst:
    • Review the current governing bodies that were identified.
    • Review the current structure that was identified.
    • Determine the strengths, weaknesses, and guidelines from the implications in the current state assessment.
    Then complete these activities…
    • Identify stakeholders.
    • Make the case to executives.
    • Build a communication plan.
    Then complete these activities…
    • Create committee profiles.
    • Build governance structure map.
    With these tools & templates:
    • Current State Assessment of IT Governance
    With these tools & templates:
    • Current State Assessment of IT Governance

    Phase 2: Assess the Current Governance Framework

    1 2 3 4
    Align IT With the Business Context Assess the Current Governance Framework Redesign the Governance Framework Implement Governance Redesign

    Activities:

    • 2.1 Create Committee Profiles
    • 2.2 Build a Governance Structure Map
    • 2.3 Establish Governance Guidelines

    Outcomes:

    • Use the Current State Assessment of IT Governance to determine governance guidelines.

    Info-Tech Insight

    Don’t be passive; take action! Take an active approach to revising your governance framework. Understand why you are making decisions before actually making them.

    Explore the current governance that exists within your organization

    Your current governance framework will give you a strong understanding of the way the key stakeholders in your business currently view IT governance.

    "Much of the focus of governance today has been on the questions:
    • Are we doing [things] the right way?
    • And are we getting them done well?"
    –› "We need to shift to…
    • Are we doing the right things?
    • Are we getting the benefits?
    • What are the outcomes?
    • What do we want to achieve?
    • How do we make intelligent decisions about what will help us achieve those outcomes?"
    (John Thorp, Author of The Information Paradox)

    Leverage this understanding of IT governance to determine where governance is occurring and how it transpires.

    Conduct a current state assessment

    Supporting Tool icon 2A Assess the current governance framework

    Use this tool to critically assess each governing body to determine the areas of improvement that are necessary in order to achieve optimal business results.

    1. Identify All Governing Bodies
      Some bodies govern intentionally, and some govern through habit and practice. Outline all bodies that take on an element of governance.
    2. Create a Governance Structure Map
      Configure the structural relationships for the governing bodies using the structure map.
    3. Reveal Strengths and Weaknesses
      Identify the strengths and weaknesses of the governance structure, authority definitions, processes, and membership.
    4. Establish Governance Guidelines
      Based on the SoBC, express clear and applicable guidelines to improve on the weaknesses while retaining the strengths of your governance framework.

    Download the Current State Assessment of IT Governance to work toward these outcomes

    Conduct a current state assessment to identify governance guidelines

    Supporting Tool icon 2A Assess the current governance framework

    How to use the Current State Assessment of IT Governance deliverable: Follow the steps below to create a cohesive understanding of the current state of IT governance and the challenges that the current system poses.

    Part A – Committee Profiles

    1. Identify Governing Bodies
    2. Leverage Committee Templates
    3. Create Committee Profiles
      Use the Committee Profile Template

    Part B – Structure Map

    1. Assess Inputs and Outputs to Express Structural Relationships
    2. Create Structure Map
      Use the Governance Structure Map

    Part C – Governance Guidelines

    1. Choose Operating Model Template
    2. Identify Strengths and Weaknesses
    3. Establish Governance Guidelines
      Use the Governance Guideline Template

    What makes up the “governance framework”?

    There are four major elements of the governance framework:

    1. Structure
      Structural relationships are shown by mapping the connections between committees.
    2. Authority
      Each committee will have a purpose and area of decision making that it is accountable for.
    3. Process
      The process includes the inputs, outputs, and activities required for the committee to function.
    4. Membership The individuals or roles who sit on each committee. Take into account members’ knowledge, capability, and political influence.

    Create governing board or committee profiles

    Supporting Tool icon 2A.1 Assess the current governance framework

    Part A – Committee Profiles

    1. Identify Governing Bodies

      Establish where governance happens and who is governing. For different organizations, the governance framework will contain a variety of governing bodies or people. Use a list format to identify governing bodies that exist in your organization.
    2. Leverage Committee Templates

      Use the templates provided. Create a profile for each governing body that currently operates in your IT governance framework as listed in step 1.
    3. Create Committee Profiles

      Identify what they are governing and how they are governing.
      Using the profiles created in step 2, identify each body’s membership roles, purpose, decision areas, inputs, and outputs. Refer to the example text in the template to guide you, but feel free to adjust the text to reflect the reality of your governing body. Screenshot of the 'Committee Template - Executive Management Committee'.
      Consider the following domains of governance:
      (refer to Executive Brief)
      • Benefits realization
      • Risks
      • Resources
      Refer to our examples for some common governing bodies.

    Consistently define the components of governance in the committee profiles

    Membership

    Membership Roles
    Insert information here that reflects who the individuals are that sit on that governing body and what their role is. Include other important information about the individuals’ knowledge, skills, or capabilities that are relevant.

    Authority

    Purpose
    Define why the committee was established in the first place.

    Decision Areas
    Explain the specific areas of decision making this group is responsible for overseeing.

    Process

    Inputs
    Consider the information and materials that are needed to make decisions.

    Outputs
    Describe the outcomes of the committee. Think about decisions that were made through the governance process.

    Screenshot of the components of governance section from the 'Committee Template'.

    Map out relationships on the Governance Map

    Supporting Tool icon 2A.2 Assess the current governance framework

    Part B – Structure Map

    Structure
    1. Assess Inputs and Outputs

      Governing Bodies

      Inputs

      Outputs

      Committee #1
      Committee #2
      Committee #3
      CFO
      IT Director
      CIO
      To understand relationships between governing bodies, list the inputs and outputs for each unique committee that rely on other committees in the table provided.
    2. Create Structure Map
      Sample of the 'Current State Structure Map'. Using the outline provided, create your own governance structure map to represent the way the governing bodies interact and feed into each other. This is crucial to ensure that the governing structure is streamlined. It will ensure that communication occurs efficiently and that there are no barriers to making decisions swiftly.

    Outline the governance structure in the governance structure map

    Associated Activity icon 2.2 30 minutes
    The 'Current State Structure Map' from the last slide, but with added description. There are three tiers of groups. At the bottom is 'Run', described as 'The lowest level of governance will be an oversight of more specific initiatives and capabilities within IT.' 'Design and Build', described as 'The second tier of groups will oversee prioritization of a certain area of governance as well as second-tier decisions that feed into strategic decisions.' At the top is 'Strategy', described as 'These groups will focus on decisions that directly connect to the strategic direction of the organization.' The specific groups laid out in the map are 'Risk and Compliance Committee' which straddle the line between 'Run' and 'Design and Build', 'Portfolio Review Board' and 'IT Steering Committee (ITSC)' both of which straddle the line between 'Design and Build' and 'Strategy', 'Executive Management Committee (EMC)' which is in 'Strategy', and 'Other' in all tiers.

    Identify strengths and weaknesses of the governance framework

    Supporting Tool icon 2A.3 Assess the current governance framework

    Part C – Governance Guidelines

    1. Choose Business State Template Choose the template that represents the identified future state of business in the Statement of Business Context. Mini sample of the 'State of Business' table from the 'Statement of Business Context'.
    2. Identify Strengths and Weaknesses Input the major strengths and weaknesses of your governance that were highlighted in the brainstorming activity. Mini sample of a Strengths and Weaknesses table.
    3. Establish Governance Guidelines Draw your own implications from the strength and weaknesses that will drive the design of your governance in its future state. These guidelines should be concise and easy to implement. Mini sample of an expanded Strengths and Weaknesses table including a row for 'Implication/Guideline'. Note: Refer to the example guidelines in the Current State Assessment of IT Governance after you have considered your own specific guidelines. The examples are supplementary for your convenience.

    Distinguish your business state from the others to ensure implications act as accurate guidelines

    Business State Options

    1

    Small

    IT team is 30 people or less.

    Large

    IT team is more than 30 people.

    2

    Public

    Wholly or partly funded by the government.

    Private

    No government funding is provided.

    3

    Lean: The business aims to eliminate any waste of resources (time, effort, or money) by removing steps in the business process that do not create value.Devops: Our organization aims to make quick decisions and navigate the fast-paced industry with agility. Uniting the development and operational sides of the business. Hierarchical: Departments in the organization are siloed by function. The organization is top-down and hierarchical, and takes more time with decision making.

    ‹– Multi-State (any combination) –›

    Multi-State Example A: If you are small organization that is publicly funded and you are shifting towards a lean methodology, combine the implications of all those groups in a way that fits your organization.

    Multi-State Example B: Your organization is shifting from a more traditional state of operating to combining the development and operations groups. Use hierarchical implications to govern one group and DevOps implications for the other.

    Identify strengths and weaknesses of the governance framework

    Associated Activity icon 2.3 2 hours

    INSTRUCTIONS

    1. Input Strengths of Governance
      Include useful components of the current framework; that may include elements that are operating well, fit the future state, or are required due to regulations or statutes.
    2. Determine Weaknesses and Challenges
      Discuss the pain points of the current governance framework by looking through the lenses of structure, authority, process, or membership.

    Consider:

    • Where is governance not meeting expectations?
    • Are we doing the right things?
    • Are we getting the benefits?
    • What are the outcomes?
    • What do we want to achieve?
    • How do we make intelligent decisions about what will help us achieve those outcomes?
    *Example

    Structure

    Authority

    Process

    Membership

    Strength

    • We must maintain a legal compliance committee due to the high level of legislation in the industry
    • The ITSC gathers and prioritizes investment options, saving time for the EMC
    • The EMC only make decisions on investments that are greater than $200,000
    • The legal board has a narrow focus, allowing it to maintain its necessary purpose efficiently
    • The information flow from ITSC to the EMC allows the EMC to spend their time effectively
    • The CIO sits on the EMC and the ITSC
    • The EMC is made up of senior leadership who have stakes in all areas of the business

    Weakness

    • Wrong number (too many/little groups)
    • Relationship is misaligned (input/output problems)
    • The tier it sits on the map is misguided
    • Duplication of the same tier of decisions in different groups
    • Approval for one specific topic occurs in more than one group
    • Lack of clarity in which group makes which decisions
    • Intake – where the information is coming from is the wrong source/inaccurate
    • Time to decision (too slow)
    • Poor results of governance (redoing projects, low value)
    • There is lack of knowledge in committee membership
    • Misplaced seniority (too Jr./Sr.)
    • Lack of representation in group (breadth across the business or depth of specific area)

    Derive governance implications from strengths and weaknesses

    Associated Activity icon 2.3 2-4 hours

    INSTRUCTIONS

    1. Copy and paste your strengths and weaknesses from part B into the template that reflects your business state.
    2. Draw your own implications from the strengths and weaknesses that will drive the design of your governance in its future state. These guidelines should be concise and practical.
    *Example

    Structure

    Authority

    Process

    Membership

    Strength

    Weakness

    Implication / Guideline

    • Make sure that the decision-making authority for most areas are at the lower tier
    • Governing bodies should be lower in the organization
    • One overarching governing body – directing priorities
    • High authority at a lower point of the organization
    • Highest tier is responsible for major budget shifts
    • High-level tier - reporting and feed in from lower level groups
    • Prioritization and sequencing occur at the mid-tier
    • Lowest governing tiers will have direct links to the customer to allow for interaction
    • Project or initiative owner as the leader of the body

    Note: Use the examples of guidelines provided in the Current State Assessment of IT Governance to help formulate your own.

    Conduct a current state assessment to identify guidelines for the future state of governance

    CASE STUDY

    Industry: Healthcare
    Source: Anonymous

    Challenge

    Over time, the organization had to create a large amount of governing committees and subcommittees in order to comply with governance frameworks applied to them and to meet regulatory compliance requirements.

    The current structure was no longer optimal to meet the newly identified mandate of the organization. However, the organization did not want to start from scratch and scrap the elements that worked, such as the dates and times that had been embedded into the organization.

    Solution

    A current state assessment was planned and executed in order to review what was currently being done and identify what could be retained and what should be added, changed, or removed to improve the governance outcomes.

    The scope involved examining how current and near-term governance needs were, or were not, met through the existing structure, bodies, and their processes.

    The organization investigated governance approaches of organizations with similar governance needs and with similar constraints to model their own.

    Results

    The outputs of this exercise included:

    • A list of effective practices and committee guidelines that could be leveraged with little to no change in the future state.
    • A list of opportunities to streamline the structure and processes.

    These guidelines were used to drive recommendations for improvements to the governance structures and processes in the organization.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    Sample of activity 2.1 'Outline the governance structure in the governance structure map'. Create Current State Structure and Profiles

    Take the time to clearly articulate the current governance framework of your organization. Outline the structure and build the committee profiles for the governing bodies in your organization.

    2.3

    Sample of activity 2.3 'Identify strengths and weaknesses of the governance framework'. Determine Strengths, Weaknesses, and Guidelines

    Evaluate the strengths of your governance framework, the weaknesses that it exhibits, and the guidelines that will help maintain the strengths and alleviate the pains.

    Improve IT Governance to Drive Business Results

    PHASE 3

    Redesign the Governance Framework

    Phase 3 Guided Implementation

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Redesign the Governance Framework

    Proposed Time to Completion: 4 weeks
    Step 3.1: Understand the Redesign Process Step 3.2: Review Governance Structure Step 3.3: Review Governance Committees
    Start with an analyst kick-off call:
    • Review the guidelines from the current state assessment.
    • Begin modifying the governance structure, authorities, processes, and memberships.
    Review findings with analyst:
    • Determine the impact of the guidelines on the structural layout of the framework.
    • Determine the impact of the guidelines on the authority element of the framework.
    Finalize phase deliverable:
    • Determine the impact of the guidelines on the processes within the framework.
    • Determine the impact of the guidelines on the membership element of the framework.
    Then complete these activities…
    • Break down guidelines to make sure they are actionable and realistic.
    • Identify what to add, modify, or remove.
    • Review additional sources of information.
    Then complete these activities…
    • Build and review the governance structure map.
    • Identify additions, changes, or reductions in governing bodies and their areas of authority.
    Then complete these activities…
    • Use the template provided to build committee profiles for each identified committee.
    • Identify the membership, purpose, decision areas, inputs, and outputs of each.
    • Build committee charters if needed.
    With these tools & templates:
    • Current State Assessment
    • Future State Design for IT Governance
    With these tools & templates:
    • Future State Design for IT Governance
    With these tools & templates:
    • Future State Design for IT Governance
    • IT Governance Terms of Reference

    Phase 3: Redesign the Governance Framework

    1 2 3 4
    Align IT With the Business Context Assess the Current Governance Framework Redesign the Governance Framework Implement Governance Redesign

    Activities:

    • 3.1 Build a Governance Structure Map
    • 3.2 Create Committee Profiles
    • 3.3 Leverage Process-Specific Governance Blueprints

    Outcomes:

    • Use the Future State Design for IT Governance template to build the optimal governance framework for your organization.

    Info-Tech Insight

    Keep the current and future goals in sight to build an optimized governance framework that maintains the minimum bar of oversight required.

    Anticipate the outcomes of the Future State Design for IT Governance tool

    Supporting Tool icon 3A Redesign the governance frameworks

    Use this tool to guide your organization toward transformative outcomes gleaned from an optimized governance framework.

    1. Implement Structural Guidelines
      Determine what governing bodies to add, change, or remove from your governance structure.
    2. Create a Governance Structure Map
      Configure the structural relationships for the redesigned governing bodies using the structure map.
    3. Build Effective Committees
      Use the IT Governance Terms of Reference to build profiles for each newly created committee and to alter any existing committees.
    4. Determine Follow-up Governance Support
      Access external material on governance from other Info-Tech blueprints that will help with specific governance areas.

    Download the Future State Design for IT Governance template to work toward these outcomes.

    Use the Future State Design for IT Governance tool to create a custom governance framework for your organization

    Supporting Tool icon 3A Redesign the governance frameworks

    How to use the Future State Design for IT Governance deliverable: Follow the steps below to redesign the future state of IT governance. Use the guidelines to respond to challenges identified in the current governance framework based on the current state assessment.

    Part A – Structure Map

    Part B – Committee Profiles

    1a. Input Structural Guidelines 1b. Input Authority Guidelines 1a. Input Process Guidelines 1b. Input Member Guidelines
    2. Guiding Questions
    Do governing bodies operate at a tier that matches the guidelines?

    Do governing bodies focus on the decisions that align with the guidelines?
    2. Guiding Questions
    Do the process inputs and outputs reflect the structure and authority guidelines?

    Do governing bodies engage the right people who have the roles, capacity, and knowledge to govern?
    3. Add / Change (Tier/Authority) / Remove
    Governing Bodies – Structure
    3. Adapt / Refine
    Governing Bodies – Profiles
    4. Use the Structure Map to Show Redesign Use the IT Governance Terms of Reference for Redesign

    Connect key learnings to initiate governance redesign

    The future state design will reflect the state of business that was identified in Phase 1 along with the guidelines defined in Phase 2 to build a governance framework that promotes business-IT fusion.

    Statement of Business Context –› Current State Assessment

    Identified Future Business State

    Structure
    Authority

    Leverage the structure and authority guidelines to build the governance structure.

    Defined Governance Guidelines

    Process
    Membership

    Leverage the process and membership guidelines to build the governance committees.

    Future State Design

    Use structure and authority guidelines to build a new governance structure map

    Supporting Tool icon 3A.1 Redesign the governance frameworks

    Part A – Structure Map

    Structure
    Authority
    1a. Structural Guidelines1b. Authority Guidelines
    Input the guidelines from the current state assessment to guide the redesign.

    2. Leverage Guiding Questions

    Use the guiding questions provided to assess the needed changes.
    Guiding Questions


    Do governing bodies operate at a tier that matches the guidelines?


    Do governing bodies focus on the decisions that align with the guidelines?
    Build the “where/why” of governance. Consider at what tier each committee will reside and what area of governance will be part of its domain. Modify the current structure; do not start from scratch.

    3. Add / Change (Tier/Authority) / Remove

    Determine changes to structure or authority that will be occurring for each of the current governing bodies. Work within the current structure as much as possible.A mini sample of an 'Add/Change/Remove' table for governing bodies.

    4. Use the Structure Map to Show Redesign

    Create your own governance structure map to represent the way the governing bodies interact and feed into each other. A mini sample of the 'Current State Structure Map' from before.

    Maintain as much of the existing framework as possible in the redesign

    Associated Activity icon 3.1 2-4 hours

    Future State Design

    • Structure
    • Authority

    Info-Tech Best Practice

    Keep the number of added or removed committees as low as possible, while still optimizing. The less change to the structure, the easier it will be to implement.

    Refer to the example to help guide your committee redesign.

      Determine:
    1. Do the guidelines impact committees you already have? Will you have to modify the tier or the authority of those committees?
    2. Do the guidelines require you to build a new committee to meet needs?
    3. Do the guidelines require you to remove a committee that isn’t necessary?

    All Governing Bodies

    Add

    Change

    Remove

    ITSC Structure

    Authority
    Delegate the authority of portfolio investment decisions over $200K to this body
    Portfolio Review Board This committee no longer needs to exist since its authority of portfolio investment decisions over $200K has been redelegated
    Risk and Compliance Committee Create a new governing body to address increasing risk and compliance issues that face the organization

    Outline the new governance structure in the governance structure map in the Future State Design for IT Governance tool

    Associated Activity icon 3.1 The 'Current State Structure Map' from before, but with some abbreviated terms. There are three tiers of groups. At the bottom is 'Run', described as 'The lowest level of governance will be an oversight of more specific initiatives and capabilities within IT.' 'Design and Build', described as 'The second tier of groups will oversee prioritization of a certain area of governance as well as second-tier decisions that feed into strategic decisions.' At the top is 'Strategy', described as 'These groups will focus on decisions that directly connect to the strategic direction of the organization.' The specific groups laid out in the map are 'Risk and Compliance Committee' which straddle the line between 'Run' and 'Design and Build', 'Portfolio Review Board' and 'ITSC' both of which straddle the line between 'Design and Build' and 'Strategy', 'EMC' which is in 'Strategy', and 'Other' in all tiers.

    Use process and membership guidelines along with the IT Governance Terms of Reference to build committees

    Supporting Tool icon 3A.2 Redesign the governance frameworks

    Part B – Committee Profiles

    Process
    Membership
    1a. Process Guidelines 1b. Authority Guidelines
    Input the guidelines from the current state assessment to guide the redesign.

    2. Leverage Guiding Questions

    Use the guiding questions provided to assess the needed changes.
    Guiding Questions
    Do the process inputs and outputs reflect the structure and authority guidelines?

    Do governing bodies engage the right people who have the roles, capacity, and knowledge to govern?
    Build the “what/how” of governance. Build out the process and procedures that each committee will use.

    3. Adapt / Refine Governing Body Profiles

    Using your customized guidelines, create a profile for each committee.

    We have provided templates for some common committees. To make these committee profiles reflective of your organization, use the information you have gathered in your Current State Assessment of IT Governance guidelines.

    For a more detailed approach to building out specific charters for each committee refer to the IT Governance Terms of Reference.

    A mini sample of the 'Committee Template - Executive Management Committee'.

    A mini sample of the 'IT Governance Terms of Reference'.

    Use the IT Governance Terms of Reference to establish operational procedures for governing bodies

    Associated Activity icon 3.2 3-6 hours

    Future State Design

    • Process
    • Membership

    Info-Tech Best Practice

    The people on the committee matter. Governance committee membership does not have to correspond with the organizational structure, but it should correspond with the purpose and decision areas of the governance structure.

    Refer to the example to help guide your committee redesign.

      Determine:
    1. Do the guidelines alter the members needed to achieve the outcomes?
    2. Do the guidelines change the purpose and decision areas of the committee?
    3. How do the new structure’s guidelines impact the inputs and outputs of the governing body?

    Screenshot of the 'Committee Template - Executive Management Committee'.

    Add depth to the committee profiles using the IT Governance Terms of Reference

    Supporting Tool icon 3A.3 Redesign the governance frameworks

    Refer to the sections outlined below to build a committee charter for your governance committees. Four examples are provided in the tool and can be edited for your convenience. They are: Executive Management Committee, IT Steering Committee, Portfolio Review Board, and Risk and Compliance Committee.

    1. Purpose
    2. Goals
    3. Responsibilities
    4. Committee Members
    5. RACI
    6. Procedures
    7. Agenda

    Be sure to embed the domains of governance in the charters so that committees focus on the appropriate elements of benefits realization, risk optimization, and resource optimization.

    Download the IT Governance Terms of Reference for more in-depth committee charters.

    Three pillars of planning effective governance meetings

    The effectiveness of the governance is reliant on the ability to work within operational dependencies that will exist in the governance framework. Consider these questions to guide the duration, frequency, and sequencing of your governing body meetings.

    Frequency

    • What is the quantity of decisions that must be made?
    • Is a rapid or urgent response typically required?

    Duration

    • How long should your meeting run based on your meeting frequency and the volume of work to be accomplished?

    Sequencing

    • Are there other decisions that rely on the outcomes of this meeting?
    • Are there any decisions that must be made first for others to occur?
    A venn diagram of the three pillars of planning effective governance meetings, 'Frequency', 'Duration', and 'Sequencing'.

    Leverage process-specific governance blueprints

    Associated Activity icon 3.3

    If there are specific areas of IT governance that you require further support on, refer to Info-Tech’s library of DIY blueprints, Guided Implementations, and workshops for further support. We cover IT governance in the following areas:

    Enterprise Architecture Governance

    Service Portfolio Governance

    Security Governance

    Titlecard of 'Create a Right-Sized Enterprise Architecture Governance Framework' blueprint. Titlecard of 'Lead Strategic Decision Making With Service Portfolio Management' blueprint. Titlecard of 'Build a Security Governance and Management Plan' blueprint.

    Consider the challenges and solutions when identifying a multi-state reality for your business state

    A multi-state business will face unique challenges in navigating the redesign process with the goal of combining all related business states in governance.

    1. Divergent Governance Models
      Separate the governance groups that need to function differently, and bring them back together at the highest level.
    2. Reflecting the Organizational Structure
      Unlike single-state governance, multi-state organizations should model the governance framework in reflection of the organizational structure.
    3. Combining Implications
      Prioritize which implications are the most important and make sure they work first, then see what else fits (e.g. start with regulation, then insert lean guidelines).

    The multi-state business will not fit into one “box” – consider implications from the overlapping business states.

    As business needs change, ensure that you establish triggers to reassess the design of your governance framework.

    Leverage the outcomes of the Current State Assessment and Statement of Business Context to build the future state

    CASE STUDY

    Industry: Healthcare
    Source: Info-Tech

    Challenge

    Identifying the committees and processes that should be in place in the target state required a lot of different inputs.

    A number of high-profile senior management team members were still resistant to the overall idea of applying governance to their initiatives since they were clinician driven.

    The approach and target state, including the implementation plan, had to be approved and built out.

    Solution

    The information pulled together from the current state assessment, including best practices and jurisdictional scans, were tied together with the updated mandate and future state, and a list of recommended improvements were documented.

    The improvements were presented to the optimization committee and the governance committee members to ensure agreement on the approach and confirm the timeline for agreed improvements.

    Results

    A future state mapping of the new committee structure was created, as well as the revised membership requirements, responsibilities, and terms of reference.

    The approved recommendations were prioritized and turned into an implementation plan, with each improvement being assigned an owner who would be responsible for driving the effort to completion.

    Integration points in other processes, like SDLC, where change would be required were highlighted and included in the implementation plan.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    Sample of activity 3.1 'Maintain as much of the existing framework as possible in the redesign'. Redesign the Governance Structure

    Identify committees that need to be added, ones that must be changed, and the no-longer-needed governing bodies in an optimized and streamlined structure. Draw it out in the governance structure map.

    3.2

    Sample of activity 3.2 'Utilize the IT Governance Terms of Reference to establish operational procedures for governing bodies'. Redesign the Governing Bodies

    Use the IT Governance Terms of Reference and the Committee Template to build a committee profile for each governing body identified. Use these activities to build out and establish the processes of the modified governing groups.

    Improve IT Governance to Drive Business Results

    PHASE 4

    Implement Governance Redesign

    Phase 4 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Implement Governance Redesign

    Proposed Time to Completion: 2-3 weeks
    Step 4.1: Identify Steps for Implementation Step 4.2: Finalized Implementation Plan
    Start with an analyst kick-off call:
    • Identify major steps required to implement the governance redesign.
    • Outline the components and milestones of the implementation plan.
    • Review materials needed for the executive presentation.
    Review findings with analyst:
    • Review the major milestones identified in the implementation plan.
    • Discuss potential challenges and stakeholder objections.
    • Strategize for the executive presentation.
    Then complete these activities…
    • Then complete these activities…
    • Identify next steps for the redesign.
    • Establish a communication plan.
    Then complete these activities…
    • Review the implementation plan.
    • Assess any challenging milestones and build implementation strategies.
    • Finalize the executive presentation.
    With these tools & templates:
    • IT Governance Implementation Plan
    • Redesign IT Governance to Drive Optimal Business Results Executive Presentation Template
    With these tools & templates:
    • IT Governance Implementation Plan
    • Redesign IT Governance to Drive Optimal Business Results Executive Presentation Template

    Phase 4: Implement Governance Redesign

    1 2 3 4
    Align IT With the Business Context Assess the Current Governance Framework Redesign the Governance Framework Implement Governance Redesign

    Activities:

    • 4.1 Identify Next Steps for the Redesign
    • 4.2 Establish a Communication Plan
    • 4.3 Lead the Executive Presentation

    Outcomes:

    • Rationalize steps in the Implementation Plan tool.
    • Construct an executive presentation to facilitate transparency for the governing framework.

    Anticipate and overcome implementation obstacles for the redesign

    Often high-level organizational changes create challenges. We will help you break down the barriers to optimal IT governance by addressing key obstacles.

    Key Obstacles

    Solutions

    Identifying Steps The prioritization must be driven by the common view of what is important for the organization to succeed. Prioritize the IT governance next steps according to the value they are anticipated to provide to the business.
    Communicating the Redesign The redesign of IT governance will bring impactful changes to diverse stakeholders across the organization. This phase will help you plan communication strategies for the different stakeholders.

    Info-Tech Insight

    Don’t overlook the politics and culture of your organization while redesigning your governance framework.

    Create an implementation roadmap to organize a plan for the redesign

    Supporting Tool icon 4A Create an implementation and communication plan

    INSTRUCTIONS

    1. Identify Tasks
      Decide on the order of tasks for your implementation plan. Consider the dependencies of actions and plan the sequence accordingly.
    2. Determine Communication Method
      Identify the most appropriate and impactful method of communicating at each milestone identified in step 1.

    Download the IT Governance Implementation Plan to organize your customized implementation and communication plan.

    Screenshot of a table in the 'IT Governance Implementation Plan'.

    Outline next steps for governance redesign

    Associated Activity icon 4.1

    INPUT: Tasks Identified in the Future State Design

    OUTPUT: Identified Tasks for Implementation as Well as the Audience

    Materials: N/A

    Participants: IT Governance Redesign Owner

    INSTRUCTIONS

    Keep these questions in mind as you analyze and assess what steps to take first in the redesign implementation.

    1. What needs to happen?
      Use the identified changes from the redesign as your guiding list of tasks that need to occur. If they are larger tasks, break them down into smaller parts to make the milestones more achievable.
    2. What are the dependencies?
      Throughout the implementation of the redesign, certain tasks will need to occur to enable other tasks to be performed. Make sure to clearly identify what dependencies exist in the implementation process and clearly identify the order of the tasks.
    3. Who do the changes impact?
      Consider the groups and individuals that will be impacted by changes to the governance framework. This includes key business stakeholders, IT leaders, members of governing boards, and anyone who provides an input or requires an output from one of the committees.

    Use a big-bang approach to implement the IT governance redesign

    While there are other methods to implementing change, the big-bang approach is the most effective for governance redesign and will maintain the momentum of the change as well as the support needed to make it successful.

    Phased

    Parallel

    Big Bang

    Implementation of redesign occurs in steps over a significant period of time.

    Three arrows, each beginning where the previous one ends, separated.

    Components of the redesign are brought into the governance framework, while maintaining some of the old components.

    Three arrows, each beginning slightly after the previous one begins, overlapping.

    Implementation of redesign occurs all at once. This requires significant preparation.

    One large arrow, spanning the length of the other grouped arrows, circled to emphasize.
    • Some committees will be operating under a new structure while others are not, which will undermine the changes being made.
    • This method proliferates a lack of transparency and trust.
    • Releasing IT governance in parallel leads to members sitting on too many boards and spending too much time on governance.
    • There will be a lack of clarity on a committee’s authority.
    • This approach will lead to consistency and transparency in the new process.
    • The change will be clear and fully embedded in the organization with stronger boundaries and well-defined expectations.

    Determine the most effective and impactful communication mediums for relevant stakeholders

    Associated Activity icon 4.2 1 hour

    INSTRUCTIONS

    1. Consider the Individual or Group
      Consider the group and individuals identified in step 4.1. Determine the most appropriate mechanism for communicating with that person or group. Keep in mind: If they are local, how much influence they have and if they are already engaged in the redesign process.
    2. Consider the Message
      The type of message that you are communicating will vary in impact and importance depending on the task. Make sure that the communication medium reflects your message. Keep in mind: If the you are communicating an important or more personal issue, the medium should be more personal as well.

    Screenshot of the same table in the 'IT Governance Implementation Plan'.

    Communicate the changes that result from the redesign

    Plan the message first, then deliver it to your stakeholders through the most appropriate medium to avoid message avoidance or confusion.

    Communication Medium

    Face-to-Face Communication

    Face-to-face communication helps to ensure that the audience is receiving and understanding a clear message, and allows them to voice their concerns and clarify any confusion or questions.

    • Use one-on-one meetings for key stakeholders and large organizational meetings to introduce large changes in the redesign.
    Emails

    Use email to communicate information to broad audiences. In addition, use email as the mass feedback mechanism.

    • Use email to follow up on meetings, or to invite people to next ones, but not as the sole medium of communication.
    Internal Website or Drive

    Use an internal website or drive as an information repository.

    • Store meeting minutes, policies, procedures, terms of reference, and feedback online to ensure transparency.

    Message Delivery

    1. Plan Your Message
      Emphasize what the audience really needs to know and how the change will impact them.
    2. Test Your Message
      If possible, test your communications with a small audience (2-3 people) first to get feedback and adjust messages before delivering them more broadly.
    3. Deliver and Repeat Your Message
      “Tell them what you’re going to tell them, then tell them, then tell them what you told them.”
    4. Gather Feedback and Evaluate Communications
      Evaluate the effectiveness of the communications (through surveys, stakeholder interviews, or metrics) to ensure the message was delivered and received successfully and communication goals were met.

    Construct an executive presentation to facilitate transparency for the governing framework

    Supporting Tool icon 4B Present the redesign to the key business stakeholders

    INSTRUCTIONS

    1. Identify Stakeholders
      Determine which business stakeholders have been the most involved in the redesign process.
    2. Customize Presentation
      Use the deliverables that you have built throughout this redesign to communicate the changes to the structure, authority, processes, and memberships in the governance framework.
    3. Present to Executives
      Present the executive presentation to the key business stakeholders who have been involved in the redesign process.

    Info-Tech best Practice

    Use the Executive Presentation customizable deliverable to lead a boardroom-quality presentation outlining the process and outcomes of the IT governance redesign.

    Present the executive presentation

    Associated Activity icon 4.3 1 hour

    INSTRUCTIONS

    1. Input SoBC Outcomes
      Input the outcomes of the SoBC. Specify the state of the business you have identified through the process of Phase 1.
    2. Input Current State Framework and Guidelines
      Input the outcomes of the current state assessment. Explain the process you used to identify the current governance framework and how you determined the strengths, weaknesses, and guidelines.
    3. Input Redesigned Governance Framework
      Input the governance redesign outcomes. Explain the process you used to modify and reconstruct the governance framework to drive optimal business results. Show the new structure and committee profiles.

    Use the Redesign IT Governance to Drive Optimal Business Results Executive Presentation Template for more information.

    Implement the governance redesign to optimize governance and, in turn, business results

    CASE STUDY

    Industry: Healthcare
    Source: Info-Tech

    Challenge

    Members of the project management group and in the larger SDLC process identified a lack of clarity on how to best govern active projects and initiatives that were moving through the governance process during the changes to the governance framework.

    These projects had already begun under the old frameworks and applying the redesigned governance framework would lead to work duplication and wasted time.

    Solution

    The organization decided that instead of applying the redesign to all initiatives across the organization, it would only be applied to new initiatives and ones that were still working within the first part of the “gating” process, where revised intake information could still be provided.

    Active initiatives that fell into the grandfathered category were identified and could proceed based on the old process. Yet, those that did not receive this status were provided carry-over lead time to revise their documentation during the changes.

    Results

    The implementation plan and timeframes were approved and an official change-over date identified.

    A communication plan was provided, including the grandfathered approach to be used with in-flight initiatives.

    A review cycle was also established for three months after launch to ensure the process was working as expected and would be repeated annually.

    The revised process improved the cycle time by 30% and improved the ability of the organization to govern high-speed requests and decisions.

    Summary of accomplishment

    Insights

    • IT governance requires business leadership.
      Instead of IT managing and governing IT, engage business leaders to take responsibility for governing IT.
    • With great governance comes great responsibility.
      Involve relevant business leaders, who will be impacted by IT outcomes, to share governing authority of IT.
    • Establish IT-business fusion.
      In governance, alignment is not enough. Merge IT and the business through governance to ensure business success.

    Knowledge Gained

    • There must be an active understanding of the current and future state of the business for governance to address the changing needs of the business.
    • Take a proactive approach to revising your governance framework. Understand why you are making decisions before actually making them.
    • Keep the current and future goals in sight to build an optimized governance framework that maintains the minimum bar of oversight required.

    Processes Optimized

    • EDM01 – Establishing a Governance Framework
    • Understanding the four elements of governance:
      • Structure
      • Authority
      • Process
      • Members
    • Embedding the benefits realization criteria, risk optimization, and resource optimization in governance.

    Deliverables Completed

    • Statement of Business Context
    • Current State Assessment of IT Governance
    • Future State Design for IT Governance
    • IT Governance Implementation Plan

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    Sample of activity 4.1 'Outline next steps for governance redesign'. Build and Deploy the Implementation Plan

    Construct a list of tasks and consider the individuals or groups that those tasks will impact when implementing the governance redesign. Ensure consistent and transparent communication for successful outcomes.

    4.3

    Sample of activity 4.3 'Present the Executive Presentation'. Build the Executive Presentation

    Insert the state of business, current state, and future state design outcomes into a presentation to inform the key business stakeholders on the process and outcomes of the governance redesign.

    Research contributors and experts

    Deborah Eyzaguirre, IT Business Relationship Manager, UNT System

    Herbert Kraft, MIS Manager, Prairie Knights Casino

    Roslyn Kaman, CFO, Miles Nadal JCC

    Nicole Haggerty, Associate Professor of Information Systems, Ivey Business School

    Chris Austin, CTO, Ivey Business School

    Adriana Callerio, IT Director Performance Management, Molina Healthcare Inc.

    Joe Evers, Consulting Principal, JcEvers Consulting Corp

    Huw Morgan, IT Research Executive

    Joy Thiele, Special Projects Manager, Dunns Creek Baptist Church

    Rick Daoust, CIO, Cambrian College

    Related Info-Tech Research

    Bibliography

    A.T. Kearney. “The 7 Habits of Highly Effective Governance.” A.T. Kearney, 2008. Web. Nov. 2016.

    Bertolini, Phil. “The Transformational Effect of IT Governance.” Government Finance Review, Dec. 2012. Web. Nov. 2016.

    CGI. “IT Governance and Managed Services – Creative a win-win relationship” CGI Group Inc., 2015. Web. Dec. 2016.

    De Haes, Steven, and Wim Van Grembergen. “An Exploratory Study into the Design of an IT Governance Minimum Baseline through Delphi Research.” Communications of the Association for Information Systems: Vol. 22 , Article 24. 2008. Web. Nov. 2016.

    Deloitte LLP. “The Role of Senior Leaders in IT Governance.” The Wall Street Journal, 22 Jun. 2015. Web. Oct. 2016.

    Dragoon, Alice. “Four Governance Best Practices.” CIO From IDG, 15 Aug. 2003. Web. Dec. 2016.

    du Preez, Gert. “Company Size Matters: Perspectives on IT Governance.” PricewaterhouseCoopers, Aug. 2011. Web. Nov. 2016.

    Hagen, Christian, et. al. “Building a Capability-Driven IT Organization.” A.T. Kearney, Jun. 2011. Web. Nov. 2016.

    Heller, Martha. “Five Best Practices for IT Governance.” CFO.com, 27 Aug. 2012. Web. Oct. 2016.

    Hoch, Detlev, and Payan, Miguel. “Establishing Good IT Governance in the Public Sector.” McKinsey Dusseldorf, Mar. 2008. Web. Oct. 2016.

    Horne, Andrew, and Brian Foster. “IT Governance Is Killing Innovation.” Harvard Business Review, 22 Aug. 2013. Web. Dec. 2016.

    ISACA. “COBIT 5: Enabling Processes.” ISACA, 2012. Web. Oct. 2016.

    IT Governance Institute. “An Executive View of IT Governance.” IT Governance Institute, in association with PricewaterhouseCoopers. 2009. Web. Nov. 2016.

    Bibliography continued

    IT Governance Institute. “IT Governance Roundtable: Defining IT Governance.” IT Governance Institute, 2009. Web. Nov. 2016.

    Macgregor, Stuart. “The linchpin between Corporate Governance and IT Governance.” The Open Group’s EA Forum Johannesburg and Cape Town, Nov. 2013. Web. Nov. 2016.

    Mallette, Debra. “Implementing IT Governance An Introduction.” ISACA San Francisco Chapter, 23 Sep. 2009. Web. Oct. 2016.

    Massachusetts Institute of Technology. “IT Governance Introduction.” MIT Centre for Information System Research, 2016. Web. Nov. 2016.

    Mueller, Lynn, et. al. “IBM IT Governance Approach – Business Performance through IT Execution.” IBM Redbooks, Feb. 2008. Web. Nov. 2016.

    National Computing Centre. “IT Governance: Developing a successful governance strategy.” The National Computing Centre, Nov. 2005. Web. Oct. 2016.

    Pittsburgh ISACA Chapter. “Practical Approach to COBIT 5.0.” Pittsburgh ISACA Chapter, 17 Sep. 2012. Web. Nov. 2016.

    PricewaterhouseCoopers. “Great by governance: Improve IT performance and Value While Managing Risks.” PricewaterhouseCoopers, Nov. 2014. Web. Dec. 2016.

    PricewaterhouseCoopers. “IT Governance in Practice: Insights from leading CIOs.” PricewaterhouseCoopers, 2006. Web. Nov. 2016.

    Routh, Richard L. “IT Governance Part 1 of 2.” Online video clip. YouTube. The Institute of CIO Excellence, 01 Aug. 2012. Web. Nov. 2016.

    Salleh, Noor Akma Mohd, et. al. “IT Governance in Airline Industry: A Multiple Case Study.” International Journal of Digital Society, Dec. 2010. Web. Nov. 2016.

    Bibliography continued

    Speckert, Thomas, et. al. “IT Governance in Organizations Facing Decentralization – Case Study in Higher Education.” Department of Computer and Systems Sciences. Stockholm University, 2014. Web. Nov. 2016.

    Thorp, John. The Information Paradox—Realizing the Business Benefits of Information Technology. Revised Edition, McGraw Hill, 2003 (written jointly with Fujitsu).

    Vandervost, Guido, et. al. “IT Governance for the CxO.” Deloitte, Nov. 2013. Web. Nov. 2016.

    Weill, Peter, and Jeanne W. Ross. “IT Governance: How Top Performers Manage IT Decision Rights for Superior Results.” Boston: Harvard Business School, 2004. Print. Oct. 2016.

    Wong, Daron, et. al. “IT Governance in Oil and Gas: CIO Roundtable, Priorities for Surviving and Thriving in Lean Times.” Online video clip. YouTube. IT Media Group, Jun. 2016. Web. Nov. 2016.

    Activate Your Augmented Reality Initiative

    • Buy Link or Shortcode: {j2store}465|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Augmented reality is a new technology and use cases are still emerging. Organizations have to work hard to stay ahead of the curve and predict how they will be impacted.
    • There are limited off-the-shelf augmented reality solutions in terms of business applications. IT not only needs to understand the emerging augmented reality hardware, but also the plethora of development platforms.

    Our Advice

    Critical Insight

    • Augmented reality presents a new avenue to solve problems that cannot be addressed efficiently with existing technology. It is a new tool that will impact the way you work.
    • Beyond addressing existing problems, augmented reality will provide the ability to differently execute business processes. Current processes have been designed with existing systems and capabilities in mind. Augmented reality impacts organizational design processes that are more complex.
    • As a technology with an evolving set of use cases, IT and the business must anticipate some of the challenges that may arise with the use of augmented reality (e.g. health and safety, application development, regulatory).

    Impact and Result

    • Our methodology addresses the possible issues by using a case-study approach to demonstrate the “art of the possible” for augmented reality.
    • With an understanding of augmented reality, it is possible to find applicable use cases for this emerging technology and get a leg up on competitors.
    • By utilizing Info-Tech’s Augmented Reality Use Case Picklist and the Augmented Reality Stakeholder Presentation Template, the IT team and their business stakeholders can confidently approach augmented reality adoption.

    Activate Your Augmented Reality Initiative Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why your organization should care about augmented reality’s potential to transform the workplace and how Info-Tech will support you as you identify and build your augmented reality use case.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand augmented reality

    Analyze the four key benefits of augmented reality to understand how the technology can resolve industry issues.

    • Activate Your Augmented Reality Initiative – Phase 1: Understand Augmented Reality
    • Augmented Reality Glossary

    2. Finding space for augmented reality

    Develop and prioritize use cases for augmented reality using Info-Tech’s AR Initiative Framework.

    • Activate Your Augmented Reality Initiative – Phase 2: Finding Space for Augmented Reality
    • Augmented Reality Use Case Picklist

    3. Communicate project decisions to stakeholders

    Present the augmented reality initiative to stakeholders and understand the way forward for the AR initiative.

    • Activate Your Augmented Reality Initiative – Phase 3: Communicate Project Decisions to Stakeholders
    • Augmented Reality Stakeholder Presentation Template
    [infographic]

    Workshop: Activate Your Augmented Reality Initiative

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Augmented Reality and Its Use Cases

    The Purpose

    Understand the fundamentals of augmented reality technology and its real-world business applications.

    Key Benefits Achieved

    A prioritized list of augmented reality use cases.

    Activities

    1.1 Introduce augmented reality technology.

    1.2 Understand augmented reality use cases.

    1.3 Review augmented reality case studies.

    Outputs

    An understanding of the history and current state of augmented reality technology.

    An understanding of “the art of the possible” for augmented reality.

    An enhanced understanding of augmented reality.

    2 Conduct an Environmental Scan and Internal Review

    The Purpose

    Examine where the organization stands in the current competitive environment.

    Key Benefits Achieved

    Understanding of what is needed from an augmented reality initiative to differentiate your organization from its competitors.

    Activities

    2.1 Environmental analysis (PEST+SWOT).

    2.2 Competitive analysis.

    2.3 Listing of interaction channels and disposition.

    Outputs

    An understanding of the internal and external propensity for augmented reality.

    An understanding of comparable organizations’ approach to augmented reality.

    A chart with the disposition of each interaction channel and its applicability to augmented reality.

    3 Parse Critical Technology Drivers

    The Purpose

    Determine which business processes will be affected by augmented reality.

    Key Benefits Achieved

    Understanding of critical technology drivers and their KPIs.

    Activities

    3.1 Identify affected process domains.

    3.2 Brainstorm impacts of augmented reality on workflow enablement.

    3.3 Distill critical technology drivers.

    3.4 Identify KPIs for each driver.

    Outputs

    A list of affected process domains.

    An awareness of critical technology drivers for the augmented reality initiative.

    Passwordless Authentication

    • Buy Link or Shortcode: {j2store}466|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: End-User Computing
    • Parent Category Link: /end-user-computing
    • Stakeholders believe that passwords are still good enough.
    • You don’t know how the vendor products match to the capabilities you need to offer.
    • What do you need to test when you prototype these new technologies?
    • What associated processes/IT domains will be impacted or need to be considered?

    Our Advice

    Critical Insight

    Passwordless is the right direction even if it’s not your final destination.

    Impact and Result

    • Be able to handle objections from those who believe passwords are still “fine.”
    • Prioritize the capabilities you need to offer the enterprise, and match them to products/features you can buy from vendors.
    • Integrate passwordless initiatives with other key functions (cloud, IDaM, app rationalization, etc.).

    Passwordless Authentication Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Passwordless Authentication – Know when you’ve been beaten!

    Back in 2004 we were promised "the end of passwords" – why, then, are we still struggling with them today?

    • Passwordless Authentication Storyboard
    [infographic]

    Further reading

    Passwordless Authentication

    Know when you've been beaten!

    Executive Summary

    Your Challenge

    • The IT world is an increasingly dangerous place.
    • Every year literally billions of credentials are compromised and exposed on the internet.
    • The average employee has between 27 and 191 passwords to manage.
    • The line between business persona and personal persona has been blurred into irrelevancy.
    • You need a method of authenticating users that is up to these challenges

    Common Obstacles

    • Legacy systems aside (wouldn't that be nice) this still won't be easy.
    • Social inertia – passwords worked before, so surely, they can still work today! Besides, users don't want to change.
    • Analysis paralysis – I don't want to get this wrong! How do I choose something that is going to be at the core of my infrastructure for the next 10 years?
    • Identity management – how can you fix authentication when people have multiple usernames?

    Info-Tech's Approach

    • Inaction is not an option.
    • Most commercial, off-the-shelf apps are moving to a SaaS model, so start your efforts with them.
    • Your existing vendors already have technologies you are underusing or ignoring – stop that!
    • Your users want this change – they just might not know it yet…
    • Much like zero trust network access, the journey is more important than the destination. Incremental steps on the path toward passwordless authentication will still yield significant benefits.

    Info-Tech Insight

    Users have been burdened with unrealistic expectations when it comes to their part in maintaining enterprise security. Given the massive rise in the threat landscape, it is time for Infrastructure to adopt a user-experience-based approach if we want to move the needle on improving security posture.

    Password Security Fallacy

    "If you buy the premise…you buy the bit."
    Johnny Carson

    We've had plenty of time to see this coming.

    Why haven't we done something?

    • Passwords are a 1970s construct.
    • End-users are complexity averse.
    • Credentials are leaked all the time.
    • New technologies will defeat even the most complex passwords.

    Build the case, both to business stakeholders and end users, that "password" is not a synonym for "security."

    Be ready for some objection handling!

    This is an image of Bill Gates and Gavin Jancke at the 2004 RSA Conference in San Francisco, CA

    Image courtesy of Microsoft

    RSA Conference, 2004
    San Francisco, CA

    "There is no doubt that over time, people are going to rely less and less on passwords. People use the same password on different systems, they write them down and they just don't meet the challenge for anything you really want to secure."
    Bill Gates

    What about "strong" passwords?

    There has been a password arms race going on since 1988

    A massive worm attack against ARPANET prompted the initial research into password strength

    Password strength can be expressed as a function of randomness or entropy. The greater the entropy the harder for an attacker to guess the password.

    This is an image of Table 1 from Google Cloud Solutions Architects.  it shows the number of bits of entropy for a number of Charsets.

    Table: Modern password security for users
    Ian Maddox and Kyle Moschetto, Google Cloud Solutions Architects

    From this research, increasing password complexity (length, special characters, etc.) became the "best practice" to secure critical systems.

    How many passwords??

    XKCD Comic #936 (published in 2011)

    This is an image of XKCD Comic # 936.

    Image courtesy of Randall Munroe XKCD Comics (CC BY-NC 2.5)

    It turns out that humans however are really bad at remembering complex passwords.

    An Intel study (2016) suggested that the average enterprise employee needed to remember 27 passwords. A more recent study from LastPass puts that number closer to 191.

    PEBKAC
    Problem Exists Between Keyboard and Chair

    Increasing entropy is the wrong way to fight this battle – which is good because we'd lose anyway.

    Over the course of a single year, researchers at the University of California, Berkeley identified and tracked nearly 2 billion compromised credentials.

    3.8 million were obtained via social engineering, another 788K from keyloggers. That's approx. 250,000 clear text credentials harvested every week!

    The entirety of the password ecosystem has significant vulnerabilities in multiple areas:

    • Unencrypted server- and client-side storage
    • Sharing
    • Reuse
    • Phishing
    • Keylogging
    • Question-based resets

    Even the 36M encrypted credentials compromised every week are just going to be stored and cracked later.

    Source: Google, University of California, Berkeley, International Computer Science Institute

     data-verified=22B hash/s">

    Image courtesy of NVIDIA, NVIDIA Grace

    • Current GPUs (2021) have 200+ times more cracking power than CPU systems.

    <8h 2040-bit RSA Key

    Image: IBM Quantum System One (CES 2020) by IBM Research is licensed under CC BY-ND 2.0

    • Quantum computing can smash current encryption methods.
    • Google engineers have demonstrated techniques that reduce the number of qubits required from 1B to a mere 20 million

    Enabling Technologies

    "Give me a place to stand, and a lever long enough, and I will move the world."
    Archimedes

    Technology gives us (too many) options

    The time to prototype is NOW!

    Chances are you are already paying for one or more of these technologies from a current vendor:

    • SSO, password managers
    • Conditional access
    • Multifactor
    • Hardware tokens
    • Biometrics
    • PINs

    Address all three factors of authentication

    • Something the user knows
    • Something the user has
    • Something the user is

    Global Market of $12.8B
    ~16.7% CAGR
    Source: Report Linker, 2022.

    Focus your prototype efforts in four key testing areas

    • Deployment
    • User adoption/training
    • Architecture (points of failure)
    • Disaster recovery

    Three factors for positive identification

    Passwordless technologies focus on alternate authentication factors to supplement or replace shared secrets.

    Knows: A secret shared between the user and the system; Has: A token possessed by the user and identifiable as unique by the system; Is: A distinctive and repeatable attribute of the user sampled by the system

    Something you know

    Shared secrets have well-known significant modern-day problems, but only when used in isolation. For end users, consider time-limited single use options, password managers, rate-limited login attempts, and reset rather than retrieval requests. On the system side, never forget strong cryptographic hashing along with a side of salt and pepper when storing passwords.

    Something you have

    A token (now known as a cryptographic identification device) such as a pass card, fob, smartphone, or USB key that is expected to be physically under the control of the user and is uniquely identifiable by the system. Easily decoupled in the event the token is lost, but potentially expensive and time-consuming to reprovision.

    Something you are or do

    Commonly referred to as biometrics, there are two primary classes. The first is measurable physical characteristics of the user such as a fingerprint, facial image, or retinal scan. The second class is a series of behavioral traits such as expected location, time of day, or device. These traits can be linked together in a conditional access policy.

    Unlike other authentication factors, biometrics DO NOT provide for exact matches and instead rely on a confidence interval. A balance must be struck against the user experience of false negatives and the security risk of a false positive.

    Prototype testing criteria

    Deployment

    Does the solution support the full variety of end-user devices you have in use?

    Can the solution be configured with your existing single sign-on or central identity broker?

    User Experience

    Users already want a better experience than passwords.

    What new behavior are you expecting (compelling) from the user?

    How often and under what conditions will that behavior occur?

    Architecture

    Where are the points of failure in the solution?

    Consider technical elements like session thresholds for reauthorization, but also elements like automation and self-service.

    Disaster Recovery

    Understand the exact responsibilities Infra&Ops have in the event of a system or user failure.

    As many solutions are based in the public cloud, manage stakeholder expectations accordingly.

    Next Steps

    "Move the goalposts…and declare victory."
    Informal Fallacy (yet very effective…)

    It is more a direction than a destination…

    Get the easy wins in the bank and then lay the groundwork for the long campaign ahead.

    You're not going to get to a passwordless world overnight. You might not even get there for many years. But an agile approach to the journey ensures you will realize value every step of the way:

    • Start in the cloud:
    • Choose a single sign-on platform such as Azure Active Directory, Okta, Auth0, AWS IAM, TruSONA, HYPR, or others. Document Your Cloud Strategy.
    • Integrate the SaaS applications from your portfolio with your chosen platform.
    • Establish visibility and rationalize identity management:
      • Accounts with elevated privileges present the most risk – evaluate your authentication factors for these accounts first.
      • There is elegance (and deployment success) in Simplifying Identity & Access Management.
    • Pay your tech debt:

    Fast IDentity Online (2) is now part of the web's DNA and is critical for digital transformation

    • IoT
    • Anywhere remote work
    • Government identity services
    • Digital wallets

    Bibliography

    "Backup Vs. Archiving: Know the Difference." Open-E. Accessed 05 Mar 2022.Web.
    G, Denis. "How to Build Retention Policy." MSP360, Jan 3, 2020. Accessed 10 Mar 2022.
    Ipsen, Adam. "Archive Vs. Backup: What's the Difference? A Definition Guide." BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.
    Kang, Soo. "Mitigating the Expense of E-Discovery; Recognizing the Difference Between Back-Ups and Archived Data." Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.
    Mayer, Alex. "The 3-2-1 Backup Rule – An Efficient Data Protection Strategy." Naviko. Accessed 12 Mar 2022.
    Steel, Amber. "LastPass Reveals 8 Truths about Passwords in the New Password Exposé." LastPass Blog, 1 Nov. 2017. Web.
    "The Global Passwordless Authentication Market Size Is Estimated to Be USD 12.79 Billion in 2021 and Is Predicted to Reach USD 53.64 Billion by 2030 With a CAGR of 16.7% From 2022-2030." Report Linker, 9 June 2022. Web.
    "What Is Data-Archiving?" Proofpoint. Accessed 07 Mar 2022.

    Modernize Your Microsoft Licensing for the Cloud Era

    • Buy Link or Shortcode: {j2store}304|cart{/j2store}
    • member rating overall impact (scale of 10): 9.1/10 Overall Impact
    • member rating average dollars saved: $102,414 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Licensing
    • Parent Category Link: /licensing
    • Microsoft licensing is complicated. Often, the same software can be licensed a number of ways. It’s difficult to know which edition and licensing model is best.
    • Licensing and features often change with the release of new software versions, compounding the problem by making it difficult to stay current.
    • In tough economic times, IT is asked to reduce capital and operating expenses wherever possible. As one of the top five expense items in most enterprise software budgets, Microsoft licensing is a primary target for cost reduction.

    Our Advice

    Critical Insight

    • Focus on needs first. Conduct a thorough needs assessment and document the results. Well-documented needs will be your best asset in navigating Microsoft licensing and negotiating your agreement.
    • Beware the bundle. Be aware when purchasing the M365 suite that there is no way out. Negotiating a low price is critical, as all leverage swings to Microsoft once it is on your agreement.
    • If the cloud doesn’t fit, be ready to pay up or start making room. Microsoft has drastically reduced discounting for on-premises products, support has been reduced, and product rights have been limited. If you are planning to remain on premises, be prepared to pay up.

    Impact and Result

    • Understand what your organization needs and what your business requirements are. It’s always easier to purchase more later than try to reduce your spend.
    • Complete cost calculations carefully, as the cloud might end up costing significantly more for the desired feature set. However, in some scenarios, it may be more cost efficient for organizations to license in the cloud.
    • If there are significant barriers to cloud adoption, discuss and document them. You’ll need this documentation in three years when it’s time to renew your agreement.

    Modernize Your Microsoft Licensing for the Cloud Era Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Modernize Your Microsoft Licensing Deck – A deck to help you build a strategy for your Microsoft licensing renewal.

    This storyboard will help you build a strategy for your Microsoft licensing renewal from conducting a thorough needs assessment to examining your licensing position, evaluating Microsoft's licensing options, and negotiations.

    • Modernize Your Microsoft Licensing for the Cloud Era – Phases 1-4

    2. Microsoft Cloud Products Cost Modeler – A tool to model estimated costs for Microsoft's cloud products.

    The Microsoft Cloud Products Cost Modeler will provide a rough estimate of what you can expect to pay for Office 365 or Dynamics CRM licensing, before you enter into negotiations. This is not your final cost, but it will give you an idea.

    • Microsoft Cloud Products Cost Modeler

    3. Microsoft Licensing Purchase Reference Guide - A template to capture licensing stakeholder information, proposed changes to licensing, and negotiation items.

    The Microsoft Licensing Purchase Reference Guide can be used throughout the process of licensing review: from initial meetings to discuss compliance state and planned purchases, to negotiation meetings with resellers. Use it in conjunction with Info-Tech's Microsoft Licensing Effective License Position Template.

    • Microsoft Licensing Purchase Reference Guide

    4. Negotiation Timeline for Microsoft – A template to navigate your negotiations with Microsoft.

    This tool will help you plot out your negotiation timeline, depending on where you are in your contract negotiation process.

  • 6-12 months
  • Less than 3 months
    • Negotiation Timeline for Microsoft – Visio
    • Negotiation Timeline for Microsoft – PDF

    5. Effective Licensing Position Tool – A template to help you create an effective licensing position and determine your compliance position.

    This template helps organizations to determine the difference between the number of software licenses they own and the number of software copies deployed. This is known as the organization’s effective license position (ELP).

    • Effective Licensing Position Tool
    [infographic]

    Assess Infrastructure Readiness for Digital Transformation

    • Buy Link or Shortcode: {j2store}300|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design

    There are many challenges for I&O when it comes to digital transformation, including:

    • Legacy infrastructure technical debt
    • Skills and talent in the IT team
    • A culture that resists change
    • Fear of job loss

    These and many more will hinder your progress, which demonstrates the need to invest in modernizing your infrastructure, investing in training and hiring talent, and cultivating a culture that supports digital transformation.

    Our Advice

    Critical Insight

    By using the framework of culture, competencies, collaboration and capabilities, organizations can create dimensions in their I&O structure in order to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence though the effective integration of people, process, and technology.

    Impact and Result

    By driving a customer-centric approach, delivering a successful transformation can be tailored to the business goals and drive adoption and engagement. Refining your roadmap through data and analytics will drive this change. Use third-party expertise to guide your transformation and help build that vision of the future.

    Assess Infrastructure Readiness for Digital Transformation Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess Infrastructure Readiness for Digital Transformation – Unlock the full potential of your infrastructure with a digital transformation strategy and clear the barriers for success.

  • Be customer centric as opposed to being technology driven.
  • Understanding business needs and pain points is key to delivering solutions.
  • Approach infrastructure digital transformation in iterations and look at this as a journey.
    • Assess Infrastructure Readiness for Digital Transformation Storyboard
    • I&O Digital Transformation Maturity Assessment Tool

    Infographic

    Further reading

    Assess Infrastructure Readiness for Digital Transformation

    Unlock the full potential of your infrastructure with a digital transformation strategy and clear the barriers to success.

    Analyst Perspective

    It’s not just about the technology!

    Many businesses fail in their endeavors to complete a digital transformation, but the reasons are complex, and there are many ways to fail, whether it is people, process, or technology. In fact, according to many surveys, 70% of digital transformations fail, and it’s mainly down to strategy – or the lack thereof.

    A lot of organizations think of digital transformation as just an investment in technology, with no vision of what they are trying to achieve or transform. So, out of the gate, many organizations fail to undergo a meaningful transformation, change their business model, or bring about a culture of digital transformation needed to be seriously competitive in their given market.

    When it comes to I&O leaders who have been given a mandate to drive digital transformation projects, they still must align to the vision and mission of the organization; they must still train and hire staff that will be experts in their field; they must still drive process improvements and align the right technology to meet the needs of a digital transformation.

    John Donovan

    John Donovan

    Principal Research Director, I&O
    Info-Tech Research Group

    Insight summary

    Overarching insight

    Digital transformation requires I&O teams to shift from traditional infrastructure management to becoming a strategic enabler, driving agility, innovation, and operational excellence through effective integration of people, process, and technology.

    Insight 1

    Collaboration is a key component of I&O – Promote strong collaboration between I&O and other business functions. When doing a digital transformation, it is clear that this is a cross-functional effort. Business leaders and IT teams need to align their objectives, prioritize initiatives, and ensure that you are seamlessly integrating technologies with the new business functions.

    Insight 2

    Embrace agility and adaptability as core principles – As the digital landscape continues to evolve, it is paramount that I&O leaders are agile and adaptable to changing business needs, adopting new technology and implementing new innovative solutions. The culture of continuous improvement and openness to experimentation and learning will assist the I&O leaders in their journey.

    Insight 3

    Future-proof your infrastructure and operations – By anticipating emerging technologies and trends, you can proactively plan and organize your team for future needs. By investing in scalable, flexible infrastructure such as cloud services, automation, AI technologies, and continuously upskilling the IT staff, you can stay relevant and forward-looking in the digital space.

    Tactical insight

    An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployment of services.

    Tactical insight

    Having a clear strategy, with leadership commitment along with hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.

    Executive Summary

    Your Challenge

    There are a lot of challenges for I&O when it comes to digital transformation, including:

    • Legacy infrastructure technical debt.
    • Skills and talent in the IT team.
    • A culture that resists change.
    • Fear of job loss.

    These and many more will hinder your progress, which demonstrates the need to invest in modernizing your infrastructure, investing in training and hiring talent, and cultivating a culture that supports digital transformation.

    Common Obstacles

    Many obstacles to digital transformation begin with non-I&O activities, including:

    • Lack of a clear vision and strategy.
    • Siloed organizational structure.
    • Lack of governance and data management.
    • Limited budget and resources.

    By addressing these obstacles, I&O will have a better chance of a successful transformation and delivering the full potential of digital technologies.

    Info-Tech's Approach

    Building a culture of innovation by developing clear goals and creating a vision will be key.

    • Be customer centric as opposed to being technology driven.
    • Understand the business needs and pain points in order to effectively deliver solutions.
    • Approach infrastructure digital transformation in iterations and look at it as a journey.

    By completing the Info-Tech digital readiness questionnaire, you will see where you are in terms of maturity and areas you need to concentrate on.

    Info-Tech Insight

    By driving a customer-centric approach, delivering a successful transformation can be tailored to the business goals and drive adoption and engagement. Refining your roadmap through data and analytics will drive this change. Use third-party expertise to guide your transformation and help build that vision of the future.

    The cost of digital transformation

    The challenges that stand in the way of your success, and what is needed to reverse the risk

    What CIOs are saying about their challenges

    26% of those CIOs surveyed cite resistance to change, with entrenched viewpoints demonstrating a real need for a cultural shift to enhance the digital transformation journey.

    Source: Prophet, 2019.

    70% of digital transformation projects fall short of their objectives – even when their leadership is aligned, often with serious consequences.

    Source: BCG, 2020.

    Having a clear strategy and commitment from leadership, hiring and training the right people, monitoring and measuring your progress, and ensuring it is a business-led journey will increase your chances of success.

    Info-Tech Insight

    Cultural change, business alignment, skills training, and setting a clear strategy with KPIs to demonstrate success are all key to being successful in your digital journey.

    Small and medium-sized enterprises

    What business owners and CEOs are saying about their digital transformation

    57% of small business owners feel they must improve their IT infrastructure to optimize their operations.

    Source: SMB Story, 2023.

    64% of CEOs believe driving digital transformation at a rapid pace is critical to attracting and retaining talent and customers.

    Source: KPMG, 2022.

    Info-Tech Insight

    An IT infrastructure maturity assessment is a foundational step in the journey of digital transformation. The demand will be on performance, resilience, and scalability. IT infrastructure must be able to support innovation and rapid deployments.

    Mergers & Acquisitions: The Buy Blueprint

    • Buy Link or Shortcode: {j2store}325|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: 5 Average Days Saved
    • member rating average days saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy

    There are four key scenarios or entry points for IT as the acquiring organization in M&As:

    • IT can suggest an acquisition to meet the business objectives of the organization.
    • IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspectives.
    • IT participates in due diligence activities and valuates the organization potentially being acquired.
    • IT needs to reactively prepare its environment to enable the integration.

    Consider the ideal scenario for your IT organization.

    Our Advice

    Critical Insight

    Acquisitions are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

    • The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
    • A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
    • Transactions that are driven by digital motivations, requiring IT’s expertise.
    • There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.

    Impact and Result

    Prepare for a growth/integration transaction by:

    • Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
    • Creating a standard strategy that will enable strong program management.
    • Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

    Mergers & Acquisitions: The Buy Blueprint Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how your organization can excel its growth strategy by engaging in M&A transactions. Review Info-Tech’s methodology and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Proactive Phase

    Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.

    • One-Pager: M&A Proactive
    • Case Study: M&A Proactive
    • Information Asset Audit Tool
    • Data Valuation Tool
    • Enterprise Integration Process Mapping Tool
    • Risk Register Tool
    • Security M&A Due Diligence Tool

    2. Discovery & Strategy

    Create a standardized approach for how your IT organization should address acquisitions.

    • One-Pager: M&A Discovery & Strategy – Buy
    • Case Study: M&A Discovery & Strategy – Buy

    3. Due Diligence & Preparation

    Evaluate the target organizations to minimize risk and have an established integration project plan.

    • One-Pager: M&A Due Diligence & Preparation – Buy
    • Case Study: M&A Due Diligence & Preparation – Buy
    • IT Due Diligence Charter
    • Technical Debt Business Impact Analysis Tool
    • IT Culture Diagnostic
    • M&A Integration Project Management Tool (SharePoint)
    • SharePoint Template: Step-by-Step Deployment Guide
    • M&A Integration Project Management Tool (Excel)
    • Resource Management Supply-Demand Calculator

    4. Execution & Value Realization

    Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.

    • One-Pager: M&A Execution & Value Realization – Buy
    • Case Study: M&A Execution & Value Realization – Buy

    Infographic

    Workshop: Mergers & Acquisitions: The Buy Blueprint

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Pre-Transaction Discovery & Strategy

    The Purpose

    Establish the transaction foundation.

    Discover the motivation for acquiring.

    Formalize the program plan.

    Create the valuation framework.

    Strategize the transaction and finalize the M&A strategy and approach.

    Key Benefits Achieved

    All major stakeholders are on the same page.

    Set up crucial elements to facilitate the success of the transaction.

    Have a repeatable transaction strategy that can be reused for multiple organizations.

    Activities

    1.1 Conduct the CIO Business Vision and CEO-CIO Alignment Diagnostics.

    1.2 Identify key stakeholders and outline their relationship to the M&A process.

    1.3 Identify the rationale for the company's decision to pursue an acquisition.

    1.4 Assess the IT/digital strategy.

    1.5 Identify pain points and opportunities tied to the acquisition.

    1.6 Create the IT vision and mission statements and identify IT guiding principles and the transition team.

    1.7 Document the M&A governance.

    1.8 Establish program metrics.

    1.9 Create the valuation framework.

    1.10 Establish the integration strategy.

    1.11 Conduct a RACI.

    1.12 Create the communication plan.

    1.13 Prepare to assess target organization(s).

    Outputs

    Business perspectives of IT

    Stakeholder network map for M&A transactions

    Business context implications for IT

    IT’s acquiring strategic direction

    Governance structure

    M&A program metrics

    IT valuation framework

    Integration strategy

    RACI

    Communication plan

    Prepared to assess target organization(s)

    2 Mid-Transaction Due Diligence & Preparation

    The Purpose

    Establish the transaction foundation.

    Discover the motivation for integration.

    Assess the target organization(s).

    Create the valuation framework.

    Plan the integration roadmap.

    Key Benefits Achieved

    All major stakeholders are on the same page.

    Methodology identified to assess organizations during due diligence.

    Methodology can be reused for multiple organizations.

    Integration activities are planned and assigned.

    Activities

    2.1 Gather and evaluate the stakeholders involved, M&A strategy, future-state operating model, and governance.

    2.2 Review the business rationale for the acquisition.

    2.3 Establish the integration strategy.

    2.4 Create the due diligence charter.

    2.5 Create a list of IT artifacts to be reviewed in the data room.

    2.6 Conduct a technical debt assessment.

    2.7 Assess the current culture and identify the goal culture.

    2.8 Identify the needed workforce supply.

    2.9 Create the valuation framework.

    2.10 Establish the integration roadmap.

    2.11 Establish and align project metrics with identified tasks.

    2.12 Estimate integration costs.

    Outputs

    Stakeholder map

    IT strategy assessment

    IT operating model and IT governance structure defined

    Business context implications for IT

    Integration strategy

    Due diligence charter

    Data room artifacts

    Technical debt assessment

    Culture assessment

    Workforce supply identified

    IT valuation framework

    Integration roadmap and associated resourcing

    3 Post-Transaction Execution & Value Realization

    The Purpose

    Establish the transaction foundation.

    Discover the motivation for integration.

    Plan the integration roadmap.

    Prepare employees for the transition.

    Engage in integration.

    Assess the transaction outcomes.

    Key Benefits Achieved

    All major stakeholders are on the same page.

    Integration activities are planned and assigned.

    Employees are set up for a smooth and successful transition.

    Integration strategy and roadmap executed to benefit the organization.

    Review what went well and identify improvements to be made in future transactions.

    Activities

    3.1 Identify key stakeholders and determine IT transaction team.

    3.2 Gather and evaluate the M&A strategy, future-state operating model, and governance.

    3.3 Review the business rationale for the acquisition.

    3.4 Establish the integration strategy.

    3.5 Prioritize integration tasks.

    3.6 Establish the integration roadmap.

    3.7 Establish and align project metrics with identified tasks.

    3.8 Estimate integration costs.

    3.9 Assess the current culture and identify the goal culture.

    3.10 Identify the needed workforce supply.

    3.11 Create an employee transition plan.

    3.12 Create functional workplans for employees.

    3.13 Complete the integration by regularly updating the project plan.

    3.14 Begin to rationalize the IT environment where possible and necessary.

    3.15 Confirm integration costs.

    3.16 Review IT’s transaction value.

    3.17 Conduct a transaction and integration SWOT.

    3.18 Review the playbook and prepare for future transactions.

    Outputs

    M&A transaction team

    Stakeholder map

    IT strategy assessed

    IT operating model and IT governance structure defined

    Business context implications for IT

    Integration strategy

    Integration roadmap and associated resourcing

    Culture assessment

    Workforce supply identified

    Employee transition plan

    Employee functional workplans

    Updated integration project plan

    Rationalized IT environment

    SWOT of transaction

    M&A Buy Playbook refined for future transactions

    Further reading

    Mergers & Acquisitions: The Buy Blueprint

    For IT leaders who want to have a role in the transaction process when their business is engaging in an M&A purchase.

    EXECUTIVE BRIEF

    Analyst Perspective

    Don’t wait to be invited to the M&A table, make it.

    Photo of Brittany Lutes, Research Analyst, CIO Practice, Info-Tech Research Group.
    Brittany Lutes
    Research Analyst,
    CIO Practice
    Info-Tech Research Group
    Photo of Ibrahim Abdel-Kader, Research Analyst, CIO Practice, Info-Tech Research Group.
    Ibrahim Abdel-Kader
    Research Analyst,
    CIO Practice
    Info-Tech Research Group

    IT has always been an afterthought in the M&A process, often brought in last minute once the deal is nearly, if not completely, solidified. This is a mistake. When IT is brought into the process late, the business misses opportunities to generate value related to the transaction and has less awareness of critical risks or inaccuracies.

    To prevent this mistake, IT leadership needs to develop strong business relationships and gain respect for their innovative suggestions. In fact, when it comes to modern M&A activity, IT should be the ones suggesting potential transactions to meet business needs, specifically when it comes to modernizing the business or adopting digital capabilities.

    IT needs to stop waiting to be invited to the acquisition or divestiture table. IT needs to suggest that the table be constructed and actively work toward achieving the strategic objectives of the business.

    Executive Summary

    Your Challenge

    There are four key scenarios or entry points for IT as the acquiring organization in M&As:

    • IT can suggest an acquisition to meet the business objectives of the organization.
    • IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspectives.
    • IT participates in due diligence activities and valuates the organization potentially being acquired.
    • IT needs to reactively prepare its environment to enable the integration.

    Consider the ideal scenario for your IT organization.

    Common Obstacles

    Some of the obstacles IT faces include:

    • IT is often told about the transaction once the deal has already been solidified and is now forced to meet unrealistic business demands.
    • The business does not trust IT and therefore does not approach IT to define value or reduce risks to the transaction process.
    • The people and culture element are forgotten or not given adequate priority.

    These obstacles often arise when IT waits to be invited into the transaction process and misses critical opportunities.

    Info-Tech's Approach

    Prepare for a growth/integration transaction by:

    • Recognizing the trend for organizations to engage in M&A activity and the increased likelihood that, as an IT leader, you will be involved in a transaction in your career.
    • Creating a standard strategy that will enable strong program management.
    • Properly considering all the critical components of the transaction and integration by prioritizing tasks that will reduce risk, deliver value, and meet stakeholder expectations.

    Info-Tech Insight

    As the number of merger, acquisition, and divestiture transactions continues to increase, so too does IT’s opportunity to leverage the growing digital nature of these transactions and get involved at the onset.

    The changing M&A landscape

    Businesses will embrace more digital M&A transactions in the post-pandemic world

    • When the pandemic occurred, businesses reacted by either pausing (61%) or completely cancelling (46%) deals that were in the mid-transaction state (Deloitte, 2020). The uncertainty made many organizations consider whether the risks would be worth the potential benefits.
    • However, many organizations quickly realized the pandemic is not a hindrance to M&A transactions but an opportunity. Over 16,000 American companies were involved in M&A transactions in the first six months of 2021 (The Economist). For reference, this had been averaging around 10,000 per six months from 2016 to 2020.
    • In addition to this transaction growth, organizations have increasingly been embracing digital. These trends increase the likelihood that, as an IT leader, you will engage in an M&A transaction. However, it is up to you when you get involved in the transactions.

    The total value of transactions in the year after the pandemic started was $1.3 billion – a 93% increase in value compared to before the pandemic. (Nasdaq)

    Virtual deal-making will be the preferred method of 55% of organizations in the post-pandemic world. (Wall Street Journal, 2020)

    Your challenge

    IT is often not involved in the M&A transaction process. When it is, it’s often too late.

    • The most important driver of an acquisition is the ability to access new technology (DLA Piper), and yet 50% of the time, IT isn’t involved in the M&A transaction at all (IMAA Institute, 2017).
    • Additionally, IT’s lack of involvement in the process negatively impacts the business:
      • Most organizations (60%) do not have a standardized approach to integration (Steeves and Associates).
      • Weak integration teams contribute to the failure of 70% of M&A integrations (The Wall Street Journal, 2019).
      • Less than half (47%) of organizations actually experience the positive results sought by the M&A transaction (Steeves and Associates).
    • Organizations pursuing M&A and not involving IT are setting themselves up for failure.

    Only half of M&A deals involve IT (Source: IMAA Institute, 2017)

    Common Obstacles

    These barriers make this challenge difficult to address for many organizations:

    • IT is rarely afforded the opportunity to participate in the transaction deal. When IT is invited, this often happens later in the process where integration will be critical to business continuity.
    • IT has not had the opportunity to demonstrate that it is a valuable business partner in other business initiatives.
    • One of the most critical elements that IT often doesn’t take the time or doesn’t have the time to focus on is the people and leadership component.
    • IT waits to be invited to the process rather then actively involving themselves and suggesting how value can be added to the process.

    In hindsight, it’s clear to see: Involving IT is just good business.

    47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion. (Source: IMAA Institute, 2017)

    40% of acquiring businesses discovered a cybersecurity problem at an acquisition.” (Source: Okta)

    Info-Tech's approach

    Acquisitions & Divestitures Framework

    Acquisitions and divestitures are inevitable in modern business, and IT’s involvement in the process should be too. This progression is inspired by:

    1. The growing trend for organizations to increase, decrease, or evolve through these types of transactions.
    2. Transactions that are driven by digital motivations, requiring IT’s expertise.
    3. A maturing business perspective of IT, preventing the difficulty that IT is faced with when invited into the transaction process late.
    4. There never being such a thing as a true merger, making the majority of M&A activity either acquisitions or divestitures.
    A diagram highlighting the 'IT Executives' Role in Acquisitions and Divestitures' when they are integrated at different points in the 'Core Business Timeline'. There are four main entry points 'Proactive', 'Discovery and Strategy', 'Due Diligence and Preparation', and 'Execution and Value Realized'. It is highlighted that IT can and should start at 'Proactive', but most organizations start at 'Execution and Value Realized'. 'Proactive': suggest opportunities to evolve the organization; prove IT's value and engage in growth opportunities early. Innovators start here. Steps of the business timeline in 'Proactive' are 'Organization strategies are defined' and 'M and A is considered to enable strategy'. After a buy or sell transaction is initiated is 'Discovery and Strategy': pre-transaction state. If it is a Buy transaction, 'Establish IT's involvement and approach'. If it is a Sell transaction, 'Prepare to engage in negotiations'. Business Partners start here. Steps of the business timeline in 'Discovery and Strategy' are 'Searching criteria is set', 'Potential candidates are considered', and 'LOI is sent/received'. 'Due Diligence and Preparation': mid-transaction state. If it is a Buy transaction, 'Identify potential transaction benefits and risks'. If it is a Sell transaction, 'Comply, communicate, and collaborate in transaction'. Trusted Operators start here. Steps of the business timeline in 'Due Diligence and Preparation' are 'Due diligence engagement occurs', 'Final agreement is reached', and 'Preparation for transaction execution occurs'. 'Execution and Value Realization': post-transaction state. If it is a Buy transaction, 'Integrate the IT environments and achieve business value'. If it is a Sell transaction, 'Separate the IT environment and deliver on transaction terms'. Firefighters start here. Steps of the business timeline in 'Execution and Value Realization' are 'Staff and operations are addressed appropriately', 'Day 1 of implementation and integration activities occurs', '1st 100 days of new entity state occur' and 'Ongoing risk mitigating and value creating activities occur'.

    The business’ view of IT will impact how soon IT can get involved

    There are four key entry points for IT

    A colorful visualization of the four key entry points for IT and a fifth not-so-key entry point. Starting from the top: 'Innovator', Information and Technology as a Competitive Advantage, 90% Satisfaction; 'Business Partner', Effective Delivery of Strategic Business Projects, 80% Satisfaction; 'Trusted Operator', Enablement of Business Through Application and Work Orders, 70% Satisfaction; 'Firefighter', Reliable Infrastructure and IT Service Desk, 60% Satisfaction; and then 'Unstable', Inability to Consistently Deliver Basic Services, <60% Satisfaction.
    1. Innovator: IT suggests an acquisition to meet the business objectives of the organization.
    2. Business Partner: IT is brought in to strategy plan the acquisition from both the business’ and IT’s perspective.
    3. Trusted Operator: IT participates in due diligence activities and valuates the organization potentially being acquired.
    4. Firefighter: IT reactively engages in the integration with little time to prepare.

    Merger, acquisition, and divestiture defined

    Merger

    A merger looks at the equal combination of two entities or organizations. Mergers are rare in the M&A space, as the organizations will combine assets and services in a completely equal 50/50 split. Two organizations may also choose to divest business entities and merge as a new company.

    Acquisition

    The most common transaction in the M&A space, where an organization will acquire or purchase another organization or entities of another organization. This type of transaction has a clear owner who will be able to make legal decisions regarding the acquired organization.

    Divestiture

    An organization may decide to sell partial elements of a business to an acquiring organization. They will separate this business entity from the rest of the organization and continue to operate the other components of the business.

    Info-Tech Insight

    A true merger does not exist, as there is always someone initiating the discussion. As a result, most M&A activity falls into acquisition or divestiture categories.

    Buying vs. selling

    The M&A process approach differs depending on whether you are the executive IT leader on the buy side or sell side

    This blueprint is only focused on the buy side:

    • More than two organizations could be involved in a transaction.
    • Examples of buy-related scenarios include:
      • Your organization is buying another organization with the intent of having the purchased organization keep its regular staff, operations, and location. This could mean minimal integration is required.
      • Your organization is buying another organization in its entirety with the intent of integrating it into your original company.
      • Your organization is buying components of another organization with the intent of integrating them into your original company.
    • As the purchasing organization, you will probably be initiating the purchase and thus will be valuating the selling organization during due diligence and leading the execution plan.

    The sell side is focused on:

    • Examples of sell-related scenarios include:
      • Your organization is selling to another organization with the intent of keeping its regular staff, operations, and location. This could mean minimal separation is required.
      • Your organization is selling to another organization with the intent of separating to be a part of the purchasing organization.
      • Your organization is engaging in a divestiture with the intent of:
        • Separating components to be part of the purchasing organization permanently.
        • Separating components to be part of a spinoff and establish a unit as a standalone new company.
    • As the selling organization, you could proactively seek out suitors to purchase all or components of your organization, or you could be approached by an organization.

    For more information on divestitures or selling your entire organization, check out Info-Tech’s Mergers & Acquisitions: The Sell Blueprint.

    Core business timeline

    For IT to be valuable in M&As, you need to align your deliverables and your support to the key activities the business and investors are working on.

    Info-Tech’s methodology for Buying Organizations in Mergers, Acquisitions, or Divestitures

    1. Proactive

    2. Discovery & Strategy

    3. Due Diligence & Preparation

    4. Execution & Value Realization

    Phase Steps

    1. Identify Stakeholders and Their Perspective of IT
    2. Assess IT’s Current Value and Future State
    3. Drive Innovation and Suggest Growth Opportunities
    1. Establish the M&A Program Plan
    2. Prepare IT to Engage in the Acquisition
    1. Assess the Target Organization
    2. Prepare to Integrate
    1. Execute the Transaction
    2. Reflection and Value Realization

    Phase Outcomes

    Be an innovative IT leader by suggesting how and why the business should engage in an acquisition or divestiture.

    Create a standardized approach for how your IT organization should address acquisitions.

    Evaluate the target organizations successfully and establish an integration project plan.

    Deliver on the integration project plan successfully and communicate IT’s transaction value to the business.

    Potential metrics for each phase

    1. Proactive

    2. Discovery & Strategy

    3. Due Diligence & Preparation

    4. Execution & Value Realization

    • % Share of business innovation spend from overall IT budget
    • % Critical processes with approved performance goals and metrics
    • % IT initiatives that meet or exceed value expectation defined in business case
    • % IT initiatives aligned with organizational strategic direction
    • % Satisfaction with IT's strategic decision-making abilities
    • $ Estimated business value added through IT-enabled innovation
    • % Overall stakeholder satisfaction with IT
    • % Percent of business leaders that view IT as an Innovator
    • % IT budget as a percent of revenue
    • % Assets that are not allocated
    • % Unallocated software licenses
    • # Obsolete assets
    • % IT spend that can be attributed to the business (chargeback or showback)
    • % Share of CapEx of overall IT budget
    • % Prospective organizations that meet the search criteria
    • $ Total IT cost of ownership (before and after M&A, before and after rationalization)
    • % Business leaders that view IT as a Business Partner
    • % Defects discovered in production
    • $ Cost per user for enterprise applications
    • % In-house-built applications vs. enterprise applications
    • % Owners identified for all data domains
    • # IT staff asked to participate in due diligence
    • Change to due diligence
    • IT budget variance
    • Synergy target
    • % Satisfaction with the effectiveness of IT capabilities
    • % Overall end-customer satisfaction
    • $ Impact of vendor SLA breaches
    • $ Savings through cost-optimization efforts
    • $ Savings through application rationalization and technology standardization
    • # Key positions empty
    • % Frequency of staff turnover
    • % Emergency changes
    • # Hours of unplanned downtime
    • % Releases that cause downtime
    • % Incidents with identified problem record
    • % Problems with identified root cause
    • # Days from problem identification to root cause fix
    • % Projects that consider IT risk
    • % Incidents due to issues not addressed in the security plan
    • # Average vulnerability remediation time
    • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
    • # Time (days) to value realization
    • % Projects that realized planned benefits
    • $ IT operational savings and cost reductions that are related to synergies/divestitures
    • % IT staff–related expenses/redundancies
    • # Days spent on IT integration
    • $ Accurate IT budget estimates
    • % Revenue growth directly tied to IT delivery
    • % Profit margin growth

    The IT executive’s role in the buying transaction is critical

    And IT leaders have a greater likelihood than ever of needing to support a merger, acquisition, or divestiture.

    1. Reduced Risk

      IT can identify risks that may go unnoticed when IT is not involved.
    2. Increased Accuracy

      The business can make accurate predictions around the costs, timelines, and needs of IT.
    3. Faster Integration

      Faster integration means faster value realization for the business.
    4. Informed Decision Making

      IT leaders hold critical information that can support the business in moving the transaction forward.
    5. Innovation

      IT can suggest new opportunities to generate revenue, optimize processes, or reduce inefficiencies.

    The IT executive’s critical role is demonstrated by:

    • Reduced Risk

      47% of senior leaders wish they would have spent more time on IT due diligence to prevent value erosion (IMAA Institute, 2017).
    • Increased Accuracy

      87% of respondents to a Deloitte survey effectively conducted a virtual deal, with a focus on cybersecurity and integration (Deloitte, 2020).
    • Faster Integration

      Integration costs range from as low as $4 million to as high as $3.8 billion, making the process an investment for the organization (CIO Dive).
    • Informed Decision Making

      Only 38% of corporate and 22% of private equity firms include IT as a significant aspect in their transaction approach (IMAA Institute, 2017).
    • Innovation

      Successful CIOs involved in M&As can spend 70% of their time on aspects outside of IT and 30% of their time on technology and delivery (CIO).

    Playbook benefits

    IT Benefits

    • IT will be seen as an innovative partner to the business, and its suggestions and involvement in the organization will lead to benefits, not hindrances.
    • Develop a streamlined method to valuate the potential organization being purchased and ensure risk management concerns are brought to the business’ attention immediately.
    • Create a comprehensive list of items that IT needs to do during the integration that can be prioritized and actioned.

    Business Benefits

    • The business will get accurate and relevant information about the organization being acquired, ensuring that the anticipated value of the transaction is correctly planned for.
    • Fewer business interruptions will happen, because IT can accurately plan for and execute the high-priority integration tasks.
    • The business can make a fair offer to the purchased organization, having properly valuated all aspects being bought, including the IT environment.

    Insight summary

    Overarching Insight

    As an IT executive, take control of when you get involved in a growth transaction. Do this by proactively identifying acquisition targets, demonstrating the value of IT, and ensuring that integration of IT environments does not lead to unnecessary and costly decisions.

    Proactive Insight

    CIOs on the forefront of digital transformation need to actively look for and suggest opportunities to acquire or partner on new digital capabilities to respond to rapidly changing business needs.

    Discovery & Strategy Insight

    IT organizations that have an effective M&A program plan are more prepared for the buying transaction, enabling a successful outcome. A structured strategy is particularly necessary for organizations expected to deliver M&As rapidly and frequently.

    Due Diligence & Preparation Insight

    Most IT synergies can be realized in due diligence. It is more impactful to consider IT processes and practices (e.g. contracts and culture) in due diligence rather than later in the integration.

    Execution & Value Realization Insight

    IT needs to realize synergies within the first 100 days of integration. The most successful transactions are when IT continuously realizes synergies a year after the transaction and beyond.

    Blueprint deliverables

    Key Deliverable: M&A Buy Playbook

    The M&A Buy Playbook should be a reusable document that enables your IT organization to successfully deliver on any acquisition transaction.

    Screenshots of the 'M and A Buy Playbook' deliverable.

    M&A Buy One-Pager

    See a one-page overview of each phase of the transaction.

    Screenshots of the 'M and A Buy One-Pagers' deliverable.

    M&A Buy Case Studies

    Read a one-page case study for each phase of the transaction.

    Screenshots of the 'M and A Buy Case Studies' deliverable.

    M&A Integration Project Management Tool (SharePoint)

    Manage the integration process of the acquisition using this SharePoint template.

    Screenshots of the 'M and A Integration Project Management Tool (SharePoint)' deliverable.

    M&A Integration Project Management Tool (Excel)

    Manage the integration process of the acquisition using this Excel tool if you can’t or don’t want to use SharePoint.

    Screenshots of the 'M and A Integration Project Management Tool (Excel)' deliverable.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 to 10 calls over the course of 2 to 4 months.

      Proactive Phase

    • Call #1: Scope requirements, objectives, and your specific challenges.
    • Discovery & Strategy Phase

    • Call #2: Determine stakeholders and their perspectives of IT.
    • Call #3: Identify how M&A could support business strategy and how to communicate.
    • Due Diligence & Preparation Phase

    • Call #4: Establish a transaction team and acquisition strategic direction.
    • Call #5: Create program metrics and identify a standard integration strategy.
    • Call #6: Assess the potential organization(s).
    • Call #7: Identify the integration program plan.
    • Execution & Value Realization Phase

    • Call #8: Establish employee transitions to retain key staff.
    • Call #9: Assess IT’s ability to deliver on the acquisition transaction.

    The Buy Blueprint

    Phase 1

    Proactive

    Phase 1

    Phase 2 Phase 3 Phase 4
    • 1.1 Identify Stakeholders and Their Perspective of IT
    • 1.2 Assess IT’s Current Value and Future State
    • 1.3 Drive Innovation and Suggest Growth Opportunities
    • 2.1 Establish the M&A Program Plan
    • 2.2 Prepare IT to Engage in the Acquisition
    • 3.1 Assess the Target Organization
    • 3.2 Prepare to Integrate
    • 4.1 Execute the Transaction
    • 4.2 Reflection and Value Realization

    This phase will walk you through the following activities:

    • Conduct the CEO-CIO Alignment diagnostic
    • Conduct the CIO Business Vision diagnostic
    • Visualize relationships among stakeholders to identify key influencers
    • Group stakeholders into categories
    • Prioritize your stakeholders
    • Plan to communicate
    • Valuate IT
    • Assess the IT/digital strategy
    • Determine pain points and opportunities
    • Align goals to opportunities
    • Recommend growth opportunities

    This phase involves the following participants:

    • IT and business leadership

    What is the Proactive phase?

    Embracing the digital drivers

    As the number of merger, acquisition, or divestiture transactions driven by digital means continues to increase, IT has an opportunity to not just be involved in a transaction but actively seek out potential deals.

    In the Proactive phase, the business is not currently considering a transaction. However, the business could consider one to reach its strategic goals. IT organizations that have developed respected relationships with the business leaders can suggest these potential transactions.

    Understand the business’ perspective of IT, determine who the critical M&A stakeholders are, valuate the IT environment, and examine how it supports the business goals in order to suggest an M&A transaction.

    In doing so, IT isn’t waiting to be invited to the transaction table – it’s creating it.

    Goal: To support the organization in reaching its strategic goals by suggesting M&A activities that will enable the organization to reach its objectives faster and with greater-value outcomes.

    Proactive Prerequisite Checklist

    Before coming into the Proactive phase, you should have addressed the following:

    • Understand what mergers, acquisitions, and divestitures are.
    • Understand what mergers, acquisitions, and divestitures mean for the business.
    • Understand what mergers, acquisitions, and divestitures mean for IT.

    Review the Executive Brief for more information on mergers, acquisitions, and divestitures for purchasing organizations.

    Proactive

    Step 1.1

    Identify M&A Stakeholders and Their Perspective of IT

    Activities

    • 1.1.1 Conduct the CEO-CIO Alignment diagnostic
    • 1.1.2 Conduct the CIO Business Vision diagnostic
    • 1.1.3 Visualize relationships among stakeholders to identify key influencers
    • 1.1.4 Group stakeholders into categories
    • 1.1.5 Prioritize your stakeholders
    • 1.16 Plan to communicate

    This step involves the following participants:

    • IT executive leader
    • IT leadership
    • Critical M&A stakeholders

    Outcomes of Step

    Understand how the business perceives IT and establish strong relationships with critical M&A stakeholders.

    Business executives' perspectives of IT

    Leverage diagnostics and gain alignment on IT’s role in the organization

    • To suggest or get involved with a merger, acquisition, or divestiture, the IT executive leader needs to be well respected by other members of the executive leadership team and the business.
    • Specifically, the Proactive phase relies on the IT organization being viewed as an Innovator within the business.
    • Identify how the CEO/business executive currently views IT and where they would like IT to move within the Maturity Ladder.
    • Additionally, understand how other critical department leaders view IT and how they view the partnership with IT.
    A colorful visualization titled 'Maturity Ladder' detailing levels of IT function that a business may choose from based on the business executives' perspectives of IT. Starting from the bottom: 'Struggle', Does not embarrass, Does not crash; 'Support', Keeps business happy, Keeps costs low; 'Optimize', Increases efficiency, Decreases costs; 'Expand', Extends into new business, Generates revenue; 'Transform', Creates new industry.

    Misalignment in target state requires further communication between the CIO and CEO to ensure IT is striving toward an agreed-upon direction.

    Info-Tech’s CIO Business Vision (CIO BV) diagnostic measures a variety of high-value metrics to provide a well-rounded understanding of stakeholder satisfaction with IT.

    Sample of Info-Tech's CIO Business Vision diagnostic measuring percentages of high-value metrics like 'IT Satisfaction' and 'IT Value' regarding business leader satisfaction. A note for these two reads 'Evaluate business leader satisfaction with IT this year and last year'. A section titled 'Relationship' has metrics such as 'Understands Needs' and 'Trains Effectively'. A note for this section reads 'Examine indicators of the relationship between IT and the business'. A section titled 'Security Friction' has metrics such as 'Regulatory Compliance-Driven' and 'Office/Desktop Security'.

    Business Satisfaction and Importance for Core Services

    The core services of IT are important when determining what IT should focus on. The most important services with the lowest satisfaction offer the largest area of improvement for IT to drive business value.

    Sample of Info-Tech's CIO Business Vision diagnostic specifically comparing the business satisfaction of 12 core services with their importance. Services listed include 'Service Desk', 'IT Security', 'Requirements Gathering', 'Business Apps', 'Data Quality', and more. There is a short description of the services, a percentage for the business satisfaction with the service, a percentage comparing it to last year, and a numbered ranking of importance for each service. A note reads 'Assess satisfaction and importance across 12 core IT capabilities'.

    1.1.1 Conduct the CEO-CIO Alignment diagnostic

    2 weeks

    Input: IT organization expertise and the CEO-CIO Alignment diagnostic

    Output: An understanding of an executive business stakeholder’s perception of IT

    Materials: CEO-CIO Alignment diagnostic, M&A Buy Playbook

    Participants: IT executive/CIO, Business executive/CEO

    1. The CEO-CIO Alignment diagnostic can be a powerful input. Speak with your Info-Tech account representative to conduct the diagnostic. Use the results to inform current IT capabilities.
    2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret and draw conclusions from the results.
    3. Examine the results of the survey and note where there might be specific capabilities that could be improved.
    4. Determine whether there are any areas of significant disagreement between the you and the CEO. Mark down those areas for further conversations. Additionally, take note of areas that could be leveraged to support growth transactions or support your rationale in recommending growth transactions.

    Download the sample report.

    Record the results in the M&A Buy Playbook.

    1.1.2 Conduct the CIO Business Vision diagnostic

    2 weeks

    Input: IT organization expertise, CIO BV diagnostic

    Output: An understanding of business stakeholder perception of certain IT capabilities and services

    Materials: CIO Business Vision diagnostic, Computer, Whiteboard and markers, M&A Buy Playbook

    Participants: IT executive/CIO, Senior business leaders

    1. The CIO Business Vision (CIO BV) diagnostic can be a powerful tool for identifying IT capability focus areas. Speak with your account representative to conduct the CIO BV diagnostic. Use the results to inform current IT capabilities.
    2. You may choose to debrief the results of your diagnostic with an Info-Tech analyst. We recommend this to help your team understand how to interpret the results and draw conclusions from the diagnostic.
    3. Examine the results of the survey and take note of any IT services that have low scores.
    4. Read through the diagnostic comments and note any common themes. Especially note which stakeholders identified they have a favorable relationship with IT and which stakeholders identified they have an unfavorable relationship. For those who have an unfavorable relationship, identify if they will have a critical role in a growth transaction.

    Download the sample report.

    Record the results in the M&A Buy Playbook.

    Create a stakeholder network map for M&A transactions

    Follow the trail of breadcrumbs from your direct stakeholders to their influencers to uncover hidden stakeholders.

    Example:

    Diagram of stakeholders and their relationships with other stakeholders, such as 'Board Members', 'CFO/Finance', 'Compliance', etc. with 'CIO/IT Leader' highlighted in the middle. There are unidirectional black arrows and bi-directional green arrows indicating each connection.

      Legend
    • Black arrows indicate the direction of professional influence
    • Dashed green arrows indicate bidirectional, informal influence relationships

    Info-Tech Insight

    Your stakeholder map defines the influence landscape that the M&A transaction will occur within. This will identify who holds various levels of accountability and decision-making authority when a transaction does take place.

    Use connectors to determine who may be influencing your direct stakeholders. They may not have any formal authority within the organization, but they may have informal yet substantial relationships with your stakeholders.

    1.1.3 Visualize relationships among stakeholders to identify key influencers

    1-3 hours

    Input: List of M&A stakeholders

    Output: Relationships among M&A stakeholders and influencers

    Materials: M&A Buy Playbook

    Participants: IT executive leadership

    1. The purpose of this activity is to list all the stakeholders within your organization that will have a direct or indirect impact on the M&A transaction.
    2. Determine the critical stakeholders, and then determine the stakeholders of your stakeholders and consider adding each of them to the stakeholder list.
    3. Assess who has either formal or informal influence over your stakeholders; add these influencers to your stakeholder list.
    4. Construct a diagram linking stakeholders and their influencers together.
      • Use black arrows to indicate the direction of professional influence.
      • Use dashed green arrows to indicate bidirectional, informal influence relationships.

    Record the results in the M&A Buy Playbook.

    Categorize your stakeholders with a prioritization map

    A stakeholder prioritization map helps IT leaders categorize their stakeholders by their level of influence and ownership in the merger, acquisition, or divestiture process.

    A prioritization map of stakeholder categories split into four quadrants. The vertical axis is 'Influence', from low on the bottom to high on top. The horizontal axis is 'Ownership/Interest', from low on the left to high on the right. 'Spectators' are low influence, low ownership/interest. 'Mediators' are high influence, low ownership/interest. 'Noisemakers' are low influence, high ownership/interest. 'Players' are high influence, high ownership/interest.

    There are four areas in the map, and the stakeholders within each area should be treated differently.

    Players – players have a high interest in the initiative and the influence to effect change over the initiative. Their support is critical, and a lack of support can cause significant impediment to the objectives.

    Mediators – mediators have a low interest but significant influence over the initiative. They can help to provide balance and objective opinions to issues that arise.

    Noisemakers – noisemakers have low influence but high interest. They tend to be very vocal and engaged, either positively or negatively, but have little ability to enact their wishes.

    Spectators – generally, spectators are apathetic and have little influence over or interest in the initiative.

    1.1.4 Group stakeholders into categories

    30 minutes

    Input: Stakeholder map, Stakeholder list

    Output: Categorization of stakeholders and influencers

    Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

    Participants: IT executive leadership, Stakeholders

    1. Identify your stakeholders’ interest in and influence on the M&A process as high, medium, or low by rating the attributes below.
    2. Map your results to the model to the right to determine each stakeholder’s category.

    Same prioritization map of stakeholder categories as before. This one has specific stakeholders mapped onto it. 'CFO' is mapped as low interest and middling influence, between 'Mediator' and 'Spectator'. 'CIO' is mapped as higher than average interest and high influence, a 'Player'. 'Board Member' is mapped as high interest and high influence, a 'Player'.

    Level of Influence
    • Power: Ability of a stakeholder to effect change.
    • Urgency: Degree of immediacy demanded.
    • Legitimacy: Perceived validity of stakeholder’s claim.
    • Volume: How loud their “voice” is or could become.
    • Contribution: What they have that is of value to you.
    Level of Interest

    How much are the stakeholder’s individual performance and goals directly tied to the success or failure of the product?

    Record the results in the M&A Buy Playbook.

    Prioritize your stakeholders

    There may be too many stakeholders to be able to manage them all. Focus your attention on the stakeholders that matter most.

    Level of Support

    Supporter

    Evangelist

    Neutral

    Blocker

    Stakeholder Category Player Critical High High Critical
    Mediator Medium Low Low Medium
    Noisemaker High Medium Medium High
    Spectator Low Irrelevant Irrelevant Low

    Consider the three dimensions for stakeholder prioritization: influence, interest, and support. Support can be determined by answering the following question: How significant is that stakeholder to the M&A or divestiture process?

    These parameters are used to prioritize which stakeholders are most important and should receive your focused attention.

    1.1.5 Prioritize your stakeholders

    30 minutes

    Input: Stakeholder matrix

    Output: Stakeholder and influencer prioritization

    Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

    Participants: IT executive leadership, M&A/divestiture stakeholders

    1. Identify the level of support of each stakeholder by answering the following question: How significant is that stakeholder to the M&A transaction process?
    2. Prioritize your stakeholders using the prioritization scheme on the previous slide.

    Stakeholder

    Category

    Level of Support

    Prioritization

    CMO Spectator Neutral Irrelevant
    CIO Player Supporter Critical

    Record the results in the M&A Buy Playbook.

    Define strategies for engaging stakeholders by type

    A revisit to the map of stakeholder categories, but with strategies listed for each one, and arrows on the side instead of an axis. The vertical arrow is 'Authority', which increases upward, and the horizontal axis is Ownership/Interest which increases as it moves to the right. The strategy for 'Players' is 'Engage', for 'Mediators' is 'Satisfy', for 'Noisemakers' is 'Inform', and for 'Spectators' is 'Monitor'.

    Type

    Quadrant

    Actions

    Players High influence, high interest – actively engage Keep them updated on the progress of the project. Continuously involve Players in the process and maintain their engagement and interest by demonstrating their value to its success.
    Mediators High influence, low interest – keep satisfied They can be the game changers in groups of stakeholders. Turn them into supporters by gaining their confidence and trust and including them in important decision-making steps. In turn, they can help you influence other stakeholders.
    Noisemakers Low influence, high interest – keep informed Try to increase their influence (or decrease it if they are detractors) by providing them with key information, supporting them in meetings, and using Mediators to help them.
    Spectators Low influence, low interest – monitor They are followers. Keep them in the loop by providing clarity on objectives and status updates.

    Info-Tech Insight

    Each group of stakeholders draws attention and resources away from critical tasks. By properly identifying stakeholder groups, the IT executive leader can develop corresponding actions to manage stakeholders in each group. This can dramatically reduce wasted effort trying to satisfy Spectators and Noisemakers while ensuring the needs of Mediators and Players are met.

    1.1.6 Plan to communicate

    30 minutes

    Input: Stakeholder priority, Stakeholder categorization, Stakeholder influence

    Output: Stakeholder communication plan

    Materials: Flip charts, Markers, Sticky notes, M&A Buy Playbook

    Participants: IT executive leadership, M&A/divestiture stakeholders

    The purpose of this activity is to make a communication plan for each of the stakeholders identified in the previous activities, especially those who will have a critical role in the M&A transaction process.

    1. In the M&A Buy Playbook, input the type of influence each stakeholder has on IT, how they would be categorized in the M&A process, and their level of priority. Use this information to create a communication plan.
    2. Determine the methods and frequency of communication to keep the necessary stakeholder satisfied and maintain or enhance IT’s profile within the organization.

    Record the results in the M&A Buy Playbook.

    Proactive

    Step 1.2

    Assess IT’s Current Value and Method to Achieve a Future State

    Activities

    • 1.2.1 Valuate IT
    • 1.2.2 Assess the IT/digital strategy

    This step involves the following participants:

    • IT executive leader
    • IT leadership
    • Critical stakeholders to M&A

    Outcomes of Step

    Identify critical opportunities to optimize IT and meet strategic business goals through a merger, acquisition, or divestiture.

    How to valuate your IT environment

    And why it matters so much

    • Valuating your current organization’s IT environment is a critical step that all IT organizations should take, whether involved in an M&A or not, to fully understand what it might be worth.
    • The business investments in IT can be directly translated into a value amount. For every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
    • Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT is so critical.
    • There are three ways a business or asset can be valuated:
      • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
      • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
      • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.
    • (Source: “Valuation Methods,” Corporate Finance Institute)

    Four ways to create value through digital

    1. Reduced costs
    2. Improved customer experience
    3. New revenue sources
    4. Better decision making
    5. (Source: McKinsey & Company)

    1.2.1 Valuate IT

    1 day

    Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

    Output: Valuation of IT

    Materials: Relevant templates/tools listed on the following slides, Capital budget, Operating budget, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership

    The purpose of this activity is to demonstrate that IT is not simply an operational functional area that diminishes business resources. Rather, IT contributes significant value to the business.

    1. Review each of the following slides to valuate IT’s data, applications, infrastructure and operations, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount.
    2. Input the financial amounts identified for each critical area into a summary slide. Use this information to determine where IT is delivering value to the organization.

    Info-Tech Insight

    Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

    Record the results in the M&A Buy Playbook.

    Data valuation

    Data valuation identifies how you monetize the information that your organization owns.

    Create a data value chain for your organization

    When valuating the information and data that exists in an organization, there are many things to consider.

    Info-Tech has two tools that can support this process:

    1. Information Asset Audit Tool: Use this tool first to take inventory of the different information assets that exist in your organization.
    2. Data Valuation Tool: Once information assets have been accounted for, valuate the data that exists within those information assets.

    Data Collection

    Insight Creation

    Value Creation

    Data Valuation

    01 Data Source
    02 Data Collection Method
    03 Data
    04 Data Analysis
    05 Insight
    06 Insight Delivery
    07 Consumer
    08 Value in Data
    09 Value Dimension
    10 Value Metrics Group
    11 Value Metrics
    Screenshots of Tab 2 of Info-Tech's Data Valuation Tool.

    Instructions

    1. Using the Data Valuation Tool, start gathering information based on the eight steps above to understand your organization’s journey from data to value.
    2. Identify the data value spectrum. (For example: customer sales service, citizen licensing service, etc.)
    3. Fill out the columns for data sources, data collection, and data first.
    4. Capture data analysis and related information.
    5. Then capture the value in data.
    6. Add value dimensions such as usage, quality, and economic dimensions.
      • Remember that economic value is not the only dimension, and usage/quality has a significant impact on economic value.
    7. Collect evidence to justify your data valuation calculator (market research, internal metrics, etc.).
    8. Finally, calculate the value that has a direct correlation with underlying value metrics.

    Application valuation

    Calculate the value of your IT applications

    When valuating the applications and their users in an organization, consider using a business process map. This shows how business is transacted in the company by identifying which IT applications support these processes and which business groups have access to them. Info-Tech has a business process mapping tool that can support this process:

    • Enterprise Integration Process Mapping Tool: Complete this tool first to map the different business processes to the supporting applications in your organization.

    Instructions

    1. Start by calculating user costs. This is the product of the (# of users) × (% of time spent using IT) × (fully burdened salary).
    2. Identify the revenue per employee and divide that by the average cost per employee to calculate the derived productivity ratio (DPR).
    3. Once you have calculated the user costs and DPR, multiply those total values together to get the application value.
    4. User Costs

      Total User Costs

      Derived Productivity Ratio (DPR)

      Total DPR

      Application Value

      # of users % time spent using IT Fully burdened salary Multiply values from the 3 user costs columns Revenue per employee Average cost per employee (Revenue P.E) ÷ (Average cost P.E) (User costs) X (DPR)

    5. Once the total application value is established, calculate the combined IT and business costs of delivering that value. IT and business costs include inflexibility (application maintenance), unavailability (downtime costs, including disaster exposure), IT costs (common costs statistically allocated to applications), and fully loaded cost of active (full-time equivalent [FTE]) users.
    6. Calculate the net value of applications by subtracting the total IT and business costs from the total application value calculated in step 3.
    7. IT and Business Costs

      Total IT and Business Costs

      Net Value of Applications

      Application maintenance Downtime costs (include disaster exposure) Common costs allocated to applications Fully loaded costs of active (FTE) users Sum of values from the four IT and business costs columns (Application value) – (IT and business costs)

    (Source: CSO)

    Infrastructure valuation

    Assess the foundational elements of the business’ information technology

    The purpose of this exercise is to provide a high-level infrastructure valuation that will contribute to valuating your IT environment.

    Calculating the value of the infrastructure will require different methods depending on the environment. For example, a fully cloud-hosted organization will have different costs than a fully on-premises IT environment.

    Instructions:

    1. Start by listing all of the infrastructure-related items that are relevant to your organization.
    2. Once you have finalized your items column, identify the total costs/value of each item.
      • For example, total software costs would include servers and storage.
    3. Calculate the total cost/value of your IT infrastructure by adding all of values in the right column.

    Item

    Costs/Value

    Hardware Assets Total Value +$3.2 million
    Hardware Leased/Service Agreement -$
    Software Purchased +$
    Software Leased/Service Agreement -$
    Operational Tools
    Network
    Disaster Recovery
    Antivirus
    Data Centers
    Service Desk
    Other Licenses
    Total:

    For additional support, download the M&A Runbook for Infrastructure and Operations.

    Risk and security

    Assess risk responses and calculate residual risk

    The purpose of this exercise is to provide a high-level risk assessment that will contribute to valuating your IT environment. For a more in-depth risk assessment, please refer to the Info-Tech tools below:

    1. Risk Register Tool
    2. Security M&A Due Diligence Tool

    Instructions

    1. Review the probability and impact scales below and ensure you have the appropriate criteria that align to your organization before you conduct a risk assessment.
    2. Identify the probability of occurrence and estimated financial impact for each risk category detail and fill out the table on the right. Customize the table as needed so it aligns to your organization.
    3. Probability of Risk Occurrence

      Occurrence Criteria
      (Classification; Probability of Risk Event Within One Year)

      Negligible Very Unlikely; ‹20%
      Very Low Unlikely; 20 to 40%
      Low Possible; 40 to 60%
      Moderately Low Likely; 60 to 80%
      Moderate Almost Certain; ›80%

    Note: If needed, you can customize this scale with the severity designations that you prefer. However, make sure you are always consistent with it when conducting a risk assessment.

    Financial & Reputational Impact

    Budgetary and Reputational Implications
    (Financial Impact; Reputational Impact)

    Negligible (‹$10,000; Internal IT stakeholders aware of risk event occurrence)
    Very Low ($10,000 to $25,000; Business customers aware of risk event occurrence)
    Low ($25,000 to $50,000; Board of directors aware of risk event occurrence)
    Moderately Low ($50,000 to $100,000; External customers aware of risk event occurrence)
    Moderate (›$100,000; Media coverage or regulatory body aware of risk event occurrence)

    Risk Category Details

    Probability of Occurrence

    Estimated Financial Impact

    Estimated Severity (Probability X Impact)

    Capacity Planning
    Enterprise Architecture
    Externally Originated Attack
    Hardware Configuration Errors
    Hardware Performance
    Internally Originated Attack
    IT Staffing
    Project Scoping
    Software Implementation Errors
    Technology Evaluation and Selection
    Physical Threats
    Resource Threats
    Personnel Threats
    Technical Threats
    Total:

    1.2.2 Assess the IT/digital strategy

    4 hours

    Input: IT strategy, Digital strategy, Business strategy

    Output: An understanding of an executive business stakeholder’s perception of IT, Alignment of IT/digital strategy and overall organization strategy

    Materials: Computer, Whiteboard and markers, M&A Buy Playbook

    Participants: IT executive/CIO, Business executive/CEO

    The purpose of this activity is to review the business and IT strategies that exist to determine if there are critical capabilities that are not being supported.

    Ideally, the IT and digital strategies would have been created following development of the business strategy. However, sometimes the business strategy does not directly call out the capabilities it requires IT to support.

    1. On the left half of the corresponding slide in the M&A Buy Playbook, document the business goals, initiatives, and capabilities. Input this information from the business or digital strategies. (If more space for goals, initiatives, or capabilities is needed, duplicate the slide).
    2. On the other half of the slide, document the IT goals, initiatives, and capabilities. Input this information from the IT strategy and digital strategy.

    For additional support, see Build a Business-Aligned IT Strategy.

    Record the results in the M&A Buy Playbook.

    Proactive

    Step 1.3

    Drive Innovation and Suggest Growth Opportunities

    Activities

    • 1.3.1 Determine pain points and opportunities
    • 1.3.2 Align goals with opportunities
    • 1.3.3 Recommend growth opportunities

    This step involves the following participants:

    • IT executive leader
    • IT leadership
    • Critical M&A stakeholders

    Outcomes of Step

    Establish strong relationships with critical M&A stakeholders and position IT as an innovative business partner that can suggest growth opportunities.

    1.3.1 Determine pain points and opportunities

    1-2 hours

    Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade

    Output: List of pain points or opportunities that IT can address

    Materials: Computer, Whiteboard and markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Business stakeholders

    The purpose of this activity is to determine the pain points and opportunities that exist for the organization. These can be external or internal to the organization.

    1. Identify what opportunities exist for your organization. Opportunities are the potential positives that the organization would want to leverage.
    2. Next, identify pain points, which are the potential negatives that the organization would want to alleviate.
    3. Spend time considering all the options that might exist, and keep in mind what has been identified previously.

    Opportunities and pain points can be trends, other departments’ initiatives, business perspectives of IT, etc.

    Record the results in the M&A Buy Playbook.

    1.3.2 Align goals with opportunities

    1-2 hours

    Input: CEO-CIO Alignment diagnostic, CIO Business Vision diagnostic, Valuation of IT environment, IT-business goals cascade, List of pain points and opportunities

    Output: An understanding of an executive business stakeholder’s perception of IT, Foundations for growth strategy

    Materials: Computer, Whiteboard and markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Business stakeholders

    The purpose of this activity is to determine whether a growth or separation strategy might be a good suggestion to the business in order to meet its business objectives.

    1. For the top three to five business goals, consider:
      1. Underlying drivers
      2. Digital opportunities
      3. Whether a growth or reduction strategy is the solution
    2. Just because a growth or reduction strategy is a solution for a business goal does not necessarily indicate M&A is the way to go. However, it is important to consider before you pursue suggesting M&A.

    Record the results in the M&A Buy Playbook.

    1.3.3 Recommend growth opportunities

    1-2 hours

    Input: Growth or separation strategy opportunities to support business goals, Stakeholder communication plan, Rationale for the suggestion

    Output: M&A transaction opportunities suggested

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO, Business executive/CEO

    The purpose of this activity is to recommend a merger, acquisition, or divestiture to the business.

    1. Identify which of the business goals the transaction would help solve and why IT is the one to suggest such a goal.
    2. Leverage the stakeholder communication plan identified previously to give insight into stakeholders who would have a significant level of interest, influence, or support in the process.

    Info-Tech Insight

    With technology and digital driving many transactions, leverage this opening and begin the discussions with your business on how and why an acquisition would be a great opportunity.

    Record the results in the M&A Buy Playbook.

    By the end of this Proactive phase, you should:

    Be prepared to suggest M&A opportunities to support your company’s goals through growth or acquisition transactions

    Key outcome from the Proactive phase

    Develop progressive relationships and strong communication with key stakeholders to suggest or be aware of transformational opportunities that can be achieved through growth or reduction strategies such as mergers, acquisitions, or divestitures.

    Key deliverables from the Proactive phase
    • Business perspective of IT examined
    • Key stakeholders identified and relationship to the M&A process outlined
    • Ability to valuate the IT environment and communicate IT’s value to the business
    • Assessment of the business, digital, and IT strategies and how M&As could support those strategies
    • Pain points and opportunities that could be alleviated or supported through an M&A transaction
    • Acquisition or buying recommendations

    The Buy Blueprint

    Phase 2

    Discovery & Strategy

    Phase 1

    Phase 2

    Phase 3Phase 4
    • 1.1 Identify Stakeholders and Their Perspective of IT
    • 1.2 Assess IT’s Current Value and Future State
    • 1.3 Drive Innovation and Suggest Growth Opportunities
    • 2.1 Establish the M&A Program Plan
    • 2.2 Prepare IT to Engage in the Acquisition
    • 3.1 Assess the Target Organization
    • 3.2 Prepare to Integrate
    • 4.1 Execute the Transaction
    • 4.2 Reflection and Value Realization

    This phase will walk you through the following activities:

    • Create the mission and vision
    • Identify the guiding principles
    • Create the future-state operating model
    • Determine the transition team
    • Document the M&A governance
    • Create program metrics
    • Establish the integration strategy
    • Conduct a RACI
    • Create the communication plan
    • Assess the potential organization(s)

    This phase involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Establish the Transaction FoundationDiscover the Motivation for AcquiringFormalize the Program PlanCreate the Valuation FrameworkStrategize the TransactionNext Steps and Wrap-Up (offsite)

    Activities

    • 0.1 Conduct the CIO Business Vision and CEO-CIO Alignment diagnostics
    • 0.2 Identify key stakeholders and outline their relationship to the M&A process
    • 0.3 Identify the rationale for the company's decisions to pursue an acquisition
    • 1.1 Review the business rationale for the acquisition
    • 1.2 Assess the IT/digital strategy
    • 1.3 Identify pain points and opportunities tied to the acquisition
    • 1.4 Create the IT vision statement, create the IT mission statement, and identify IT guiding principles
    • 2.1 Create the future-state operating model
    • 2.2 Determine the transition team
    • 2.3 Document the M&A governance
    • 2.4 Establish program metrics
    • 3.1 Valuate your data
    • 3.2 Valuate your applications
    • 3.3 Valuate your infrastructure
    • 3.4 Valuate your risk and security
    • 3.5 Combine individual valuations to make a single framework
    • 4.1 Establish the integration strategy
    • 4.2 Conduct a RACI
    • 4.3 Review best practices for assessing target organizations
    • 4.4 Create the communication plan
    • 5.1 Complete in-progress deliverables from previous four days
    • 5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables

    1. Business perspectives of IT
    2. Stakeholder network map for M&A transactions
    1. Business context implications for IT
    2. IT’s acquisition strategic direction
    1. Operating model for future state
    2. Transition team
    3. Governance structure
    4. M&A program metrics
    1. IT valuation framework
    1. Integration strategy
    2. RACI
    3. Communication plan
    1. Completed M&A program plan and strategy
    2. Prepared to assess target organization(s)

    What is the Discovery & Strategy phase?

    Pre-transaction state

    The Discovery & Strategy phase during an acquisition is a unique opportunity for many IT organizations. IT organizations that can participate in the acquisition transaction at this stage are likely considered a strategic partner of the business.

    For one-off acquisitions, IT being invited during this stage of the process is rare. However, for organizations that are preparing to engage in many acquisitions over the coming years, this type of strategy will greatly benefit from IT involvement. Again, the likelihood of participating in an M&A transaction is increasing, making it a smart IT leadership decision to, at the very least, loosely prepare a program plan that can act as a strategic pillar throughout the transaction.

    During this phase of the pre-transaction state, IT will also be asked to participate in ensuring that the potential organization being sought will be able to meet any IT-specific search criteria that was set when the transaction was put into motion.

    Goal: To identify a repeatable program plan that IT can leverage when acquiring all or parts of another organization’s IT environment, ensuring customer satisfaction and business continuity

    Discovery & Strategy Prerequisite Checklist

    Before coming into the Discovery & Strategy phase, you should have addressed the following:

    • Understand the business perspective of IT.
    • Know the key stakeholders and have outlined their relationships to the M&A process.
    • Be able to valuate the IT environment and communicate IT's value to the business.
    • Understand the rationale for the company's decisions to pursue an acquisition and the opportunities or pain points the acquisition should address.

    Discovery & Strategy

    Step 2.1

    Establish the M&A Program Plan

    Activities

    • 2.1.1 Create the mission and vision
    • 2.1.2 Identify the guiding principles
    • 2.1.3 Create the future-state operating model
    • 2.1.4 Determine the transition team
    • 2.1.5 Document the M&A governance
    • 2.1.6 Create program metrics

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team

    Outcomes of Step

    Establish an M&A program plan that can be repeated across acquisitions.

    The vision and mission statements clearly articulate IT’s aspirations and purpose

    The IT vision statement communicates a desired future state of the IT organization, whereas the IT mission statement portrays the organization’s reason for being. While each serves its own purpose, they should both be derived from the business context implications for IT.

    Vision Statements

    Mission Statements

    Characteristics

    • Describe a desired future
    • Focus on ends, not means
    • Concise
    • Aspirational
    • Memorable
    • Articulate a reason for existence
    • Focus on how to achieve the vision
    • Concise
    • Easy to grasp
    • Sharply focused
    • Inspirational

    Samples

    To be a trusted advisor and partner in enabling business innovation and growth through an engaged IT workforce. (Source: Business News Daily) IT is a cohesive, proactive, and disciplined team that delivers innovative technology solutions while demonstrating a strong customer-oriented mindset. (Source: Forbes, 2013)

    2.1.1 Create the mission and vision statements

    2 hours

    Input: Business objectives, IT capabilities, Rationale for the transaction

    Output: IT’s mission and vision statements for growth strategies tied to mergers, acquisitions, and divestitures

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create mission and vision statements that reflect IT’s intent and method to support the organization as it pursues a growth strategy.

    1. Review the definitions and characteristics of mission and vision statements.
    2. Brainstorm different versions of the mission and vision statements.
    3. Edit the statements until you get to a single version of each that accurately reflects IT’s role in the growth process.

    Record the results in the M&A Buy Playbook.

    Guiding principles provide a sense of direction

    IT guiding principles are shared, long-lasting beliefs that guide the use of IT in constructing, transforming, and operating the enterprise by informing and restricting IT investment portfolio management, solution development, and procurement decisions.

    A diagram illustrating the place of 'IT guiding principles' in the process of making 'Decisions on the use of IT'. There are four main items, connecting lines naming the type of process in getting from one step to the next, and a line underneath clarifying the questions asked at each step. On the far left, over the question 'What decisions should be made?', is 'Business context and IT implications'. This flows forward to 'IT guiding principles', and they are connected by 'Influence'. Next, over the question 'How should decisions be made?', is the main highlighted section. 'IT guiding principles' flows forward to 'Decisions on the use of IT', and they are connected by 'Guide and inform'. On the far right, over the question 'Who has the accountability and authority to make decisions?', is 'IT policies'. This flows back to 'Decisions on the use of IT', and they are connected by 'Direct and control'.

    IT principles must be carefully constructed to make sure they are adhered to and relevant

    Info-Tech has identified a set of characteristics that IT principles should possess. These characteristics ensure the IT principles are relevant and followed in the organization.

    Approach focused. IT principles should be focused on the approach – how the organization is built, transformed, and operated – as opposed to what needs to be built, which is defined by both functional and non-functional requirements.

    Business relevant. Create IT principles that are specific to the organization. Tie IT principles to the organization’s priorities and strategic aspirations.

    Long lasting. Build IT principles that will withstand the test of time.

    Prescriptive. Inform and direct decision making with actionable IT principles. Avoid truisms, general statements, and observations.

    Verifiable. If compliance can’t be verified, people are less likely to follow the principle.

    Easily Digestible. IT principles must be clearly understood by everyone in IT and by business stakeholders. IT principles aren’t a secret manuscript of the IT team. IT principles should be succinct; wordy principles are hard to understand and remember.

    Followed. Successful IT principles represent a collection of beliefs shared among enterprise stakeholders. IT principles must be continuously communicated to all stakeholders to achieve and maintain buy-in.

    In organizations where formal policy enforcement works well, IT principles should be enforced through appropriate governance processes.

    Consider the example principles below

    IT Principle Name

    IT Principle Statement

    1. Risk Management We will ensure that the organization’s IT Risk Management Register is properly updated to reflect all potential risks and that a plan of action against those risks has been identified.
    2. Transparent Communication We will ensure employees are spoken to with respect and transparency throughout the transaction process.
    3. Integration for Success We will create an integration strategy that enables the organization and clearly communicates the resources required to succeed.
    4. Managed Data We will handle data creation, modification, integration, and use across the enterprise in compliance with our data governance policy.
    5. Establish a single IT Environment We will identify, prioritize, and manage the applications and services that IT provides in order to eliminate redundant technology and maximize the value that users and customers experience.
    6. Compliance With Laws and Regulations We will operate in compliance with all applicable laws and regulations for both our organization and the potentially purchased organization.
    7. Defined Value We will create a plan of action that aligns with the organization’s defined value expectations.
    8. Network Readiness We will ensure that employees and customers have immediate access to the network with minimal or no outages.
    9. Operating to Succeed We will bring all of IT into a central operating model within two years of the transaction.

    2.1.2 Identify the guiding principles

    2 hours

    Input: Business objectives, IT capabilities, Rationale for the transaction, Mission and vision statements

    Output: IT’s guiding principles for growth strategies tied to mergers, acquisitions, and divestitures

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create the guiding principles that will direct the IT organization throughout the growth strategy process.

    1. Review the role of guiding principles and the examples of guiding principles that organizations have used.
    2. Brainstorm different versions of the guiding principles. Each guiding principle should start with the phrase “We will…”
    3. Edit and consolidate the statements until you have a list of approximately eight to ten statements that accurately reflect IT’s role in the growth process.
    4. Review the guiding principles every six months to ensure they continue to support the delivery of the business’ growth strategy goals.

    Record the results in the M&A Buy Playbook.

    Create two IT teams to support the transaction

    IT M&A Transaction Team

    • The IT M&A Transaction Team should consist of the strongest members of the IT team who can be expected to deliver on unusual or additional tasks not asked of them in normal day-to-day operations.
    • The roles selected for this team will have very specific skills sets or deliver on critical integration capabilities, making their involvement in the combination of two or more IT environments paramount.
    • These individuals need to have a history of proving themselves very trustworthy, as they will likely be required to sign an NDA as well.
    • Expect to have to certain duplicate capabilities or roles across the M&A transaction team and operational team.

    IT Operational Team

    • This group is responsible for ensuring the business operations continue.
    • These employees might be those who are newer to the organization but can be counted on to deliver consistent IT services and products.
    • The roles of this team should ensure that end users or external customers remain satisfied.

    Key capabilities to support M&A

    Consider the following capabilities when looking at who should be a part of the M&A transaction team.

    Employees who have a significant role in ensuring that these capabilities are being delivered will be a top priority.

    Infrastructure

    • Systems Integration
    • Data Management

    Business Focus

    • Service-Level Management
    • Enterprise Architecture
    • Stakeholder Management
    • Project Management

    Risk & Security

    • Privacy Management
    • Security Management
    • Risk & Compliance Management

    Build a lasting and scalable operating model

    An operating model is an abstract visualization, used like an architect’s blueprint, that depicts how structures and resources are aligned and integrated to deliver on the organization’s strategy.

    It ensures consistency of all elements in the organizational structure through a clear and coherent blueprint before embarking on detailed organizational design.

    The visual should highlight which capabilities are critical to attaining strategic goals and clearly show the flow of work so that key stakeholders can understand where inputs flow in and outputs flow out of the IT organization.

    As you assess the current operating model, consider the following:

    • Does the operating model contain all the necessary capabilities your IT organization requires to be successful?
    • What capabilities should be duplicated?
    • Are there individuals with the skill set to support those roles? If not, is there a plan to acquire or develop those skills?
    • A dedicated project team strictly focused on M&A is great. However, is it feasible for your organization? If not, what blockers exist?
    A diagram with 'Initiatives' and 'Solutions' on the left and right of an area chart, 'Customer' at the top, the area between them labelled 'Functional Area n', and six horizontal bars labelled 'IT Capability' stacked on top of each other. The 'IT Capability' bars are slightly skewed to the 'Solutions' side of the chart.

    Info-Tech Insight

    Investing time up-front getting the operating model right is critical. This will give you a framework to rationalize future organizational changes, allowing you to be more iterative and allowing your model to change as the business changes.

    2.1.3 Create the future-state operating model

    4 hours

    Input: Current operating model, IT strategy, IT capabilities, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements

    Output: Future-state operating model

    Materials: Operating model, Capability overlay, Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to establish what the future-state operating model will be if your organization needs to adjust to support a growth transaction.

    1. Ensuring that all the IT capabilities are identified by the business and IT strategy, document your organization’s current operating model.
    2. Identify what core capabilities would be critical to the buying transaction process and integration. Highlight and make copies of those capabilities in the M&A Buy Playbook.
    3. Arrange the capabilities to clearly show the flow of inputs and outputs. Identify critical stakeholders of the process (such as customers or end users) if that will help the flow.
    4. Ensure the capabilities that will be decentralized are clearly identified. Decentralized capabilities do not exist within the central IT organization but rather in specific lines of businesses or products to better understand needs and deliver on the capability.

    An example operating model is included in the M&A Buy Playbook. This process benefits from strong reference architecture and capability mapping ahead of time.

    Record the results in the M&A Buy Playbook.

    2.1.4 Determine the transition team

    3 hours

    Input: IT capabilities, Future-state operating model, M&A-specific IT capabilities, Business objectives, Rationale for the transaction, Mission and vision statements

    Output: Transition team

    Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create a team that will support your IT organization throughout the transaction. Determining which capabilities and therefore which roles will be required ensures that the business will continue to get the operational support it needs.

    1. Based on the outcome of activity 2.1.3, review the capabilities that your organization will require on the transition team. Group capabilities into functional groups containing capabilities that are aligned well with one another because they have similar responsibilities and functionalities.
    2. Replace the capabilities with roles. For example, stakeholder management, requirements gathering, and project management might be one functional group. Project management and stakeholder management might combine to create a project manager role.
    3. Review the examples in the M&A Buy Playbook and identify which roles will be a part of the transition team.

    For more information, see Redesign Your Organizational Structure

    What is governance?

    And why does it matter so much to IT and the M&A process?

    • Governance is the method in which decisions get made, specifically as they impact various resources (time, money, and people).
    • Because M&A is such a highly governed transaction, it is important to document the governance bodies that exist in your organization.
    • This will give insight into what types of governing bodies there are, what decisions they make, and how that will impact IT.
    • For example, funds to support integration need to be discussed, approved, and supplied to IT from a governing body overseeing the acquisition.
    • A highly mature IT organization will have automated governance, while a seemingly non-existent governance process will be considered ad hoc.
    A pyramid with four levels representing the types of governing bodies that are available with differing levels of IT maturity. An arrow beside the pyramid points upward. The bottom of the arrow is labelled 'Traditional (People and document centric)' and the top is labelled 'Adaptive (Data centric)'. Starting at the bottom of the pyramid is level 1 'Ad Hoc Governance', 'Governance that is not well defined or understood within the organization. It occurs out of necessity but often not by the right people'. Level 2 is 'Controlled Governance', 'Governance focused on compliance and decisions driven by hierarchical authority. Levels of authority are defined and often driven by regulatory'. Level 3 is 'Agile Governance', 'Governance that is flexible to support different needs and quick response in the organization. Driven by principles and delegated throughout the company'. At the top of the pyramid is level 4 'Automated Governance', 'Governance that is entrenched and automated into organizational processes and product/service design. Empowered and fully delegated governance to maintain fit and drive organizational success and survival'.

    2.1.5 Document M&A governance

    1-2 hours

    Input: List of governing bodies, Governing body committee profiles, Governance structure

    Output: Documented method on how decisions are made as it relates to the M&A transaction

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to determine the method in which decisions are made throughout the M&A transaction as it relates to IT. This will require understanding both governing bodies internal to IT and those external to IT.

    1. First, determine the other governance structures within the organization that will impact the decisions made about M&A. List out these bodies or committees.
    2. Create a profile for each committee that looks at the membership, purpose of the committee, decision areas (authority), and the process of inputs and outputs. Ensure IT committees that will have a role in this process are also documented. Consider the benefits realized, risks, and resources required for each.
    3. Organize the committees into a structure, identifying the committees that have a role in defining the strategy, designing and building, and running.

    Record the results in the M&A Buy Playbook.

    Current-state structure map – definitions of tiers

    Strategy: These groups will focus on decisions that directly connect to the strategic direction of the organization.

    Design & Build: The second tier of groups will oversee prioritization of a certain area of governance as well as design and build decisions that feed into strategic decisions.

    Run: The lowest level of governance will be oversight of more-specific initiatives and capabilities within IT.

    Expect tier overlap. Some committees will operate in areas that cover two or three of these governance tiers.

    Measure the IT program’s success in terms of its ability to support the business’ M&A goals

    Upper management will measure IT’s success based on your ability to support the underlying reasons for the M&A. Using business metrics will help assure business stakeholders that IT understands their needs and is working with the business to achieve them.

    Business-Specific Metrics

    • Revenue Growth: Increase in the top line as seen by market expansion, product expansion, etc. by percentage/time.
    • Synergy Extraction: Reduction in costs as determined by the ability to identify and eliminate redundancies over time.
    • Profit Margin Growth: Increase in the bottom line as a result of increased revenue growth and/or decreased costs over time.

    IT-Specific Metrics

    • IT operational savings and cost reductions due to synergies: Operating expenses, capital expenditures, licenses, contracts, applications, infrastructure over time.
    • Reduction in IT staff expense and headcount: Decreased budget allocated to IT staff, and ability to identify and remove redundancies in staff.
    • Meeting or improving on IT budget estimates: Delivering successful IT integration on a budget that is the same or lower than the budget estimated during due diligence.
    • Meeting or improving on IT time-to-integration estimates: Delivering successful IT integration on a timeline that is the same or shorter than the timeline estimated during due diligence.
    • Business capability support: Delivering the end state of IT that supports the expected business capabilities and growth.

    Establish your own metrics to gauge the success of IT

    Establish SMART M&A Success Metrics

    S pecific Make sure the objective is clear and detailed.
    M easurable Objectives are measurable if there are specific metrics assigned to measure success. Metrics should be objective.
    A ctionable Objectives become actionable when specific initiatives designed to achieve the objective are identified.
    R ealistic Objectives must be achievable given your current resources or known available resources.
    T ime-Bound An objective without a timeline can be put off indefinitely. Furthermore, measuring success is challenging without a timeline.
    • What should IT consider when looking to identify potential additions, deletions, or modifications that will either add value to the organization or reduce costs/risks?
    • Provide a definition of synergies.
    • IT operational savings and cost reductions due to synergies: Operating expenses, capital expenditures, licenses, contracts, applications, infrastructure.
    • Reduction in IT staff expense and headcount: Decreased budget allocated to IT staff, and ability to identify and remove redundancies in staff.
    • Meeting or improving on IT budget estimates: Delivering successful IT integration on a budget that is the same or lower than the budget estimated during due diligence.
    • Meeting or improving on IT time-to-integration estimates: Delivering successful IT integration on a timeline that is the same or shorter than the timeline estimated during due diligence.
    • Revenue growth: Increase in the top line as a result, as seen by market expansion, product expansion, etc.
    • Synergy extraction: Reduction in costs, as determined by the ability to identify and eliminate redundancies.
    • Profit margin growth: Increase in the bottom line as a result of increased revenue growth and/or decreased costs.

    Metrics for each phase

    1. Proactive

    2. Discovery & Strategy

    3. Valuation & Due Diligence

    4. Execution & Value Realization

    • % Share of business innovation spend from overall IT budget
    • % Critical processes with approved performance goals and metrics
    • % IT initiatives that meet or exceed value expectation defined in business case
    • % IT initiatives aligned with organizational strategic direction
    • % Satisfaction with IT's strategic decision-making abilities
    • $ Estimated business value added through IT-enabled innovation
    • % Overall stakeholder satisfaction with IT
    • % Percent of business leaders that view IT as an Innovator
    • % IT budget as a percent of revenue
    • % Assets that are not allocated
    • % Unallocated software licenses
    • # Obsolete assets
    • % IT spend that can be attributed to the business (chargeback or showback)
    • % Share of CapEx of overall IT budget
    • % Prospective organizations that meet the search criteria
    • $ Total IT cost of ownership (before and after M&A, before and after rationalization)
    • % Business leaders that view IT as a Business Partner
    • % Defects discovered in production
    • $ Cost per user for enterprise applications
    • % In-house-built applications vs. enterprise applications
    • % Owners identified for all data domains
    • # IT staff asked to participate in due diligence
    • Change to due diligence
    • IT budget variance
    • Synergy target
    • % Satisfaction with the effectiveness of IT capabilities
    • % Overall end-customer satisfaction
    • $ Impact of vendor SLA breaches
    • $ Savings through cost-optimization efforts
    • $ Savings through application rationalization and technology standardization
    • # Key positions empty
    • % Frequency of staff turnover
    • % Emergency changes
    • # Hours of unplanned downtime
    • % Releases that cause downtime
    • % Incidents with identified problem record
    • % Problems with identified root cause
    • # Days from problem identification to root cause fix
    • % Projects that consider IT risk
    • % Incidents due to issues not addressed in the security plan
    • # Average vulnerability remediation time
    • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
    • # Time (days) to value realization
    • % Projects that realized planned benefits
    • $ IT operational savings and cost reductions that are related to synergies/divestitures
    • % IT staff–related expenses/redundancies
    • # Days spent on IT integration
    • $ Accurate IT budget estimates
    • % Revenue growth directly tied to IT delivery
    • % Profit margin growth

    2.1.6 Create program metrics

    1-2 hours

    Input: IT capabilities, Mission, vision, and guiding principles, Rationale for the acquisition

    Output: Program metrics to support IT throughout the M&A process

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to determine how IT’s success throughout a growth transaction will be measured and determined.

    1. Document a list of appropriate metrics on the whiteboard. Remember to include metrics that demonstrate the business impact. You can use the sample metrics listed on the previous slide as a starting point.
    2. Set a target and deadline for each metric. This will help the group determine when it is time to evaluate progression.
    3. Establish a baseline for each metric based on information collected within your organization.
    4. Assign an owner for tracking each metric as well as someone to be accountable for performance.

    Record the results in the M&A Buy Playbook.

    Discovery & Strategy

    Step 2.2

    Prepare IT to Engage in the Acquisition

    Activities

    • 2.2.1 Establish the integration strategy
    • 2.2.2 Conduct a RACI
    • 2.2.3 Create the communication plan
    • 2.2.4 Assess the potential organization(s)

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team

    Outcomes of Step

    Identify IT’s plan of action when it comes to the acquisition and align IT’s integration strategy with the business’ M&A strategy.

    Integration strategies

    There are several IT integration strategies that will help you achieve your target technology environment.

    IT Integration Strategies
    • Absorption. Convert the target organization’s strategy, structure, processes, and/or systems to that of the acquiring organization.
    • Best-of-Breed. Pick and choose the most effective people, processes, and technologies to form an efficient operating model.
    • Transformation Retire systems from both organizations and use collective capabilities, data, and processes to create something entirely new.
    • Preservation Retain individual business units that will operate within their own capability. People, processes, and technologies are unchanged.

    The approach IT takes will depend on the business objectives for the M&A.

    • Generally speaking, the integration strategy is well understood and influenced by the frequency of and rationale for acquiring.
    • Based on the initiatives generated by each business process owner, you need to determine the IT integration strategy that will best support the desired target technology environment.

    Key considerations when choosing an IT integration strategy include:

    • What are the main business objectives of the M&A?
    • What are the key synergies expected from the transaction?
    • What IT integration best helps obtain these benefits?
    • What opportunities exist to position the business for sustainable growth?

    Absorption and best-of-breed

    Review highlights and drawbacks of absorption and best-of-breed integration strategies

    Absorption
      Highlights
    • Recommended for businesses striving to reduce costs and drive efficiency gains.
    • Economies of scale realized through consolidation and elimination of redundant applications.
    • Quickest path to a single company operation and systems as well as lower overall IT cost.
      Drawbacks
    • Potential for disruption of the target company’s business operations.
    • Requires significant business process changes.
    • Disregarding the target offerings altogether may lead to inferior system decisions that do not yield sustainable results.
    Best-of-Breed
      Highlights
    • Recommended for businesses looking to expand their market presence or acquire new products. Essentially aligning the two organizations in the same market.
    • Each side has a unique offering but complementing capabilities.
    • Potential for better buy-in from the target because some of their systems are kept, resulting in willingness to
      Drawbacks
    • May take longer to integrate because it tends to present increased complexity that results in higher costs and risks.
    • Requires major integration efforts from both sides of the company. If the target organization is uncooperative, creating the desired technology environment will be difficult.

    Transformation and preservation

    Review highlights and drawbacks of transformation and preservation integration strategies

    Transformation
      Highlights
    • This is the most customized approach, although it is rarely used.
    • It is essential to have an established long-term vision of business capabilities when choosing this path.
    • When executed correctly, this approach presents potential for significant upside and creation of sustainable competitive advantages.
      Drawbacks
    • This approach requires extensive time to implement, and the cost of integration work may be significant.
    • If a new system is created without strategic capabilities, the organizations will not realize long-term benefits.
    • The cost of correcting complexities at later stages in the integration effort may be drastic.
    Preservation
      Highlights
    • This approach is appropriate if the merging organizations will remain fairly independent, if there will be limited or no communication between companies, and if the companies’ market strategies, products, and channels are entirely distinct.
    • Environment can be accomplished quickly and at a low cost.
      Drawbacks
    • Impact to each business is minimal, but there is potential for lost synergies and higher operational costs. This may be uncontrollable if the natures of the two businesses are too different to integrate.
    • Reduced benefits and limited opportunities for IT integration.

    2.2.1 Establish the integration strategy

    1-2 hours

    Input: Business integration strategy, Guiding principles, M&A governance

    Output: IT’s integration strategy

    Materials: Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to determine IT’s approach to integration. The approach might differ slightly from transaction to transaction. However, the business’ approach to transactions should give insight into the general integration strategy IT should adopt.

    1. Make sure you have clearly articulated the business objectives for the M&A, the technology end state for IT, and the magnitude of the overall integration.
    2. Review and discuss the highlights and drawbacks of each type of integration.
    3. Use Info-Tech’s Integration Posture Selection Framework on the next slide to select the integration posture that will appropriately enable the business. Consider these questions during your discussion:
      1. What are the main business objectives of the M&A? What key IT capabilities will need to support business objectives?
      2. What key synergies are expected from the transaction? What opportunities exist to position the business for sustainable growth?
      3. What IT integration best helps obtain these benefits?

    Record the results in the M&A Buy Playbook.

    Integration Posture Selection Framework

    Business M&A Strategy

    Resultant Technology Strategy

    M&A Magnitude (% of Acquirer Assets, Income, or Market Value)

    IT Integration Posture

    A. Horizontal Adopt One Model ‹10% Absorption
    10 to 75% Absorption or Best-of-Breed
    ›75% Best-of-Breed
    B. Vertical Create Links Between Critical Systems Any
    • Preservation (Differentiated Functions)
    • Absorption or Best-of-Breed (Non-Differentiated Functions)
    C. Conglomerate Independent Model Any Preservation
    D. Hybrid: Horizontal & Conglomerate Independent Model Any Preservation

    2.2.2 Conduct a RACI

    1-2 hours

    Input: IT capabilities, Transition team, Integration strategy

    Output: Completed RACI for transition team

    Materials: Reference architecture, Organizational structure, Flip charts/whiteboard, Markers, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to identify the core accountabilities and responsibilities for the roles identified as critical to your transition team. While there might be slight variation from transaction to transaction, ideally each role should be performing certain tasks.

    1. First, identify a list of critical tasks that need to be completed to support the purchase or acquisition. For example:
      • Communicate with the company M&A team.
      • Identify critical IT risks that could impact the organization after the transaction.
      • Identify key artifacts to collect and review during due diligence.
    2. Next, identify at the activity level which role is accountable or responsible for each activity. Enter an A for accountable, R for responsible, or A/R for both.

    Record the results in the M&A Buy Playbook.

    Communication and change

    Prepare key stakeholders for the potential changes

    • Anytime you are starting a project or program that will depend on users and stakeholders to give up their old way of doing things, change will force people to become novices again, leading to lost productivity and added stress.
    • Change management can improve outcomes for any project where you need people to adopt new tools and procedures, comply with new policies, learn new skills and behaviors, or understand and support new processes.
    • M&As move very quickly, and it can be very difficult to keep track of which stakeholders you need to be communicating with and what you should be communicating.
    • Not all organizations embrace or resist change in the same ways. Base your change communications on your organization’s cultural appetite for change in general.
      • Organizations with a low appetite for change will require more direct, assertive communications.
      • Organizations with a high appetite for change are more suited to more open, participatory approaches.

    Three key dimensions determine the appetite for cultural change:

    • Power Distance. Refers to the acceptance that power is distributed unequally throughout the organization.
      In organizations with a high power distance, the unequal power distribution is accepted by the less powerful employees.
    • Individualism. Organizations that score high in individualism have employees who are more independent. Those who score low in individualism fall into the collectivism side, where employees are strongly tied to one another or their groups.
    • Uncertainty Avoidance. Describes the level of acceptance that an organization has toward uncertainty. Those who score high in this area find that their employees do not favor uncertain situations, while those that score low in this area find that their employees are comfortable with change and uncertainty.

    2.2.3 Create the communication plan

    1-2 hours

    Input: IT’s M&A mission, vision, and guiding principles, M&A transition team, IT integration strategy, RACI

    Output: IT’s M&A communication plan

    Materials: Flip charts/whiteboard, Markers, RACI, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create a communication plan that IT can leverage throughout the initiative.

    1. Create a structured communication plan that allows for continuous communication with the integration management office, senior management, and the business functional heads.
    2. Outline key topics of communication, with stakeholders, inputs, and outputs for each topic.
    3. Review Info-Tech’s example communication plan in the M&A Buy Playbook and update it with relevant information.
    4. Does this communication plan make sense for your organization? What doesn’t make sense? Adjust the communication guide to suit your organization.

    Record the results in the M&A Buy Playbook.

    Assessing potential organizations

    As soon as you have identified organizations to consider, it’s imperative to assess critical risks. Most IT leaders can attest that they will receive little to no notice when they have to assess the IT organization of a potential purchase. As a result, having a standardized template to quickly gauge the value of the business can be critical.

    Ways to Assess

    1. News: Assess what sort of news has been announced in relation to the organization. Have they had any risk incidents? Has a critical vendor announced working with them?
    2. LinkedIn: Scan through the LinkedIn profiles of employees. This will give you a sense of what platforms they have based on their employees.
    3. Trends: Some industries will have specific solutions that are relevant and popular. Assess what the key players are (if you don’t already know) to determine the solution.
    4. Business Architecture: While this assessment won’t perfect, try to understand the business’ value streams and the critical business and IT capabilities that would be needed to support them.

    2.2.4 Assess the potential organization(s)

    1-2 hours

    Input: Publicized historical risk events, Solutions and vendor contracts likely in the works, Trends

    Output: IT’s valuation of the potential organization(s) for acquisition

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO

    The purpose of this activity is to assess the organization(s) that your organization is considering purchasing.

    1. Complete the Historical Valuation Worksheet in the M&A Buy Playbook to understand the type of IT organization that your company may inherit and need to integrate with.
      • The business likely isn’t looking for in-depth details at this time. However, as the IT leader, it is your responsibility to ensure critical risks are identified and communicated to the business.
    2. Use the information identified to help the business narrow down which organizations should be targeted for the acquisition.

    Record the results in the M&A Buy Playbook.

    By the end of this pre-transaction phase you should:

    Have a program plan for M&As and a repeatable M&A strategy for IT when engaging in growth transactions

    Key outcomes from the Discovery & Strategy phase
    • Be prepared to analyze and recommend potential organizations that the business can acquire or merge with, using a strong program plan that can be repeated across transactions.
    • Create a M&A strategy that accounts for all the necessary elements of a transaction and ensures sufficient governance, capabilities, and metrics exist.
    Key deliverables from the Discovery & Strategy phase
    • Create vision and mission statements
    • Establish guiding principles
    • Create a future-state operating model
    • Identify the key roles for the transaction team
    • Identify and communicate the M&A governance
    • Determine target metrics
    • Identify the M&A operating model
    • Select the integration strategy framework
    • Conduct a RACI for key transaction tasks for the transaction team
    • Document the communication plan

    M&A Buy Blueprint

    Phase 3

    Due Diligence & Preparation

    Phase 1Phase 2

    Phase 3

    Phase 4
    • 1.1 Identify Stakeholders and Their Perspective of IT
    • 1.2 Assess IT’s Current Value and Future State
    • 1.3 Drive Innovation and Suggest Growth Opportunities
    • 2.1 Establish the M&A Program Plan
    • 2.2 Prepare IT to Engage in the Acquisition
    • 3.1 Assess the Target Organization
    • 3.2 Prepare to Integrate
    • 4.1 Execute the Transaction
    • 4.2 Reflection and Value Realization

    This phase will walk you through the following activities:

    • Drive value with a due diligence charter
    • Identify data room artifacts
    • Assess technical debt
    • Valuate the target IT organization
    • Assess culture
    • Prioritize integration tasks
    • Establish the integration roadmap
    • Identify the needed workforce supply
    • Estimate integration costs
    • Create an employee transition plan
    • Create functional workplans for employees
    • Align project metrics with identified tasks

    This phase involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team
    • Business leaders
    • Prospective IT organization
    • Transition team

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Day 4

    Day 5

    Establish the Transaction FoundationDiscover the Motivation for IntegrationAssess the Target Organization(s)Create the Valuation FrameworkPlan the Integration RoadmapNext Steps and Wrap-Up (offsite)

    Activities

    • 0.1 Identify the rationale for the company's decisions to pursue an acquisition.
    • 0.2 Identify key stakeholders and determine the IT transaction team.
    • 0.3 Gather and evaluate the M&A strategy, future-state operating model, and governance.
    • 1.1 Review the business rationale for the acquisition.
    • 1.2 Identify pain points and opportunities tied to the acquisition.
    • 1.3 Establish the integration strategy.
    • 1.4 Create the due diligence charter.
    • 2.1 Create a list of IT artifacts to be reviewed in the data room.
    • 2.2 Conduct a technical debt assessment.
    • 2.3 Assess the current culture and identify the goal culture.
    • 2.4 Identify the needed workforce supply.
    • 3.1 Valuate the target organization’s data.
    • 3.2 Valuate the target organization’s applications.
    • 3.3 Valuate the target organization’s infrastructure.
    • 3.4 Valuate the target organization’s risk and security.
    • 3.5 Combine individual valuations to make a single framework.
    • 4.1 Prioritize integration tasks.
    • 4.2 Establish the integration roadmap.
    • 4.3 Establish and align project metrics with identified tasks.
    • 4.4 Estimate integration costs.
    • 5.1 Complete in-progress deliverables from previous four days.
    • 5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables

    1. IT strategy
    2. IT operating model
    3. IT governance structure
    4. M&A transaction team
    1. Business context implications for IT
    2. Integration strategy
    3. Due diligence charter
    1. Data room artifacts
    2. Technical debt assessment
    3. Culture assessment
    4. Workforce supply identified
    1. IT valuation framework to assess target organization(s)
    1. Integration roadmap and associated resourcing
    1. Acquisition integration strategy for IT

    What is the Due Diligence & Preparation phase?

    Mid-transaction state

    The Due Diligence & Preparation phase during an acquisition is a critical time for IT. If IT fails to proactively participate in this phase, IT will have to merely react to integration expectations set by the business.

    While not all IT organizations are able to participate in this phase, the evolving nature of M&As to be driven by digital and technological capabilities increases the rationale for IT being at the table. Identifying critical IT risks, which will inevitably be business risks, begins during the due diligence phase.

    This is also the opportunity for IT to plan how it will execute the planned integration strategy. Having access to critical information only available in data rooms will further enable IT to successfully plan and execute the acquisition to deliver the value the business is seeking through a growth transaction.

    Goal: To thoroughly evaluate all potential risks associated with the organization(s) being pursued and create a detailed plan for integrating the IT environments

    Due Diligence Prerequisite Checklist

    Before coming into the Due Diligence & Preparation phase, you must have addressed the following:

    • Understand the rationale for the company's decisions to pursue an acquisition and what opportunities or pain points the acquisition should alleviate.
    • Identify the key roles for the transaction team.
    • Identify the M&A governance.
    • Determine target metrics.
    • Select an integration strategy framework.
    • Conduct a RACI for key transaction tasks for the transaction team.

    Before coming into the Due Diligence & Preparation phase, we recommend addressing the following:

    • Create vision and mission statements.
    • Establish guiding principles.
    • Create a future-state operating model.
    • Identify the M&A operating model.
    • Document the communication plan.
    • Examine the business perspective of IT.
    • Identify key stakeholders and outline their relationship to the M&A process.
    • Be able to valuate the IT environment and communicate IT’s value to the business.

    The Technology Value Trinity

    Delivery of Business Value & Strategic Needs

    • Digital & Technology Strategy
      The identification of objectives and initiatives necessary to achieve business goals.
    • IT Operating Model
      The model for how IT is organized to deliver on business needs and strategies.
    • Information & Technology Governance
      The governance to ensure the organization and its customers get maximum value from the use of information and technology.

    All three elements of the Technology Value Trinity work in harmony to deliver business value and achieve strategic needs. As one changes, the others need to change as well.

    • Digital and IT Strategy tells you what you need to achieve to be successful.
    • IT Operating Model and Organizational Design is the alignment of resources to deliver on your strategy and priorities.
    • Information & Technology Governance is the confirmation of IT’s goals and strategy, which ensures the alignment of IT and business strategy. It’s the mechanism by which you continuously prioritize work to ensure that what is delivered is in line with the strategy. This oversight evaluates, directs, and monitors the delivery of outcomes to ensure that the use of resources results in the achieving the organization’s goals.

    Too often strategy, operating model and organizational design, and governance are considered separate practices. As a result, “strategic documents” end up being wish lists, and projects continue to be prioritized based on who shouts the loudest – not based on what is in the best interest of the organization.

    Due Diligence & Preparation

    Step 3.1

    Assess the Target Organization

    Activities

    • 3.1.1 Drive value with a due diligence charter
    • 3.1.2 Identify data room artifacts
    • 3.1.3 Assess technical debt
    • 3.1.4 Valuate the target IT organization
    • 3.1.5 Assess culture

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Company M&A team
    • Business leaders
    • Prospective IT organization
    • Transition team

    Outcomes of Step

    This step of the process is when IT should actively evaluate the target organization being pursued for acquisition.

    3.1.1 Drive value with a due diligence charter

    1-2 hours

    Input: Key roles for the transaction team, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team

    Output: IT Due Diligence Charter

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to create a charter leveraging the items completed in the previous phase, as listed on the Due Diligence Prerequisite Checklist slide, to gain executive sign-off.

    1. In the IT Due Diligence Charter in the M&A Buy Playbook, complete the aspects of the charter that are relevant for you and your organization.
    2. We recommend including these items in the charter:
      • Communication plan
      • Transition team roles
      • Goals and metrics for the transaction
      • Integration strategy
      • Acquisition RACI
    3. Once the charter has been completed, ensure that business executives agree to the charter and sign off on the plan of action.

    Record the results in the M&A Buy Playbook.

    3.1.2 Identify data room artifacts

    4 hours

    Input: Future-state operating model, M&A governance, Target metrics, Selected integration strategy framework, RACI of key transaction tasks for the transaction team

    Output: List of items to acquire and review in the data room

    Materials: Critical domain lists on following slides, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

    The purpose of this activity is to create a list of the key artifacts that should be asked for and reviewed during the due diligence process.

    1. Review the lists on the following pages as a starting point. Identify which domains, stakeholders, artifacts, and information should be requested for the data room. This information should be directed to the target organization.
    2. IT leadership may or may not be asked to enter the data room directly. Therefore, it’s important that you clearly identify these artifacts.
    3. List each question or concern, select the associated workstream in the M&A Buy Playbook, and update the status of the information retrieval.
    4. Use the comments section to document your discoveries or concerns.

    Record the results in the M&A Buy Playbook.

    Critical domains

    Understand the key stakeholders and outputs for each domain

    Each critical domain will likely have different stakeholders who know that domain best. Communicate with these stakeholders throughout the M&A process to make sure you are getting accurate information and interpreting it correctly.

    Domain

    Stakeholders

    Key Artifacts

    Key Information to request

    Business
    • Enterprise Architecture
    • Business Relationship Manager
    • Business Process Owners
    • Business capability map
    • Capability map (the M&A team should be taking care of this, but make sure it exists)
    • Business satisfaction with various IT systems and services
    Leadership/IT Executive
    • CIO
    • CTO
    • CISO
    • IT budgets
    • IT capital and operating budgets (from current year and previous year)
    Data & Analytics
    • Chief Data Officer
    • Data Architect
    • Enterprise Architect
    • Master data domains, system of record for each
    • Unstructured data retention requirements
    • Data architecture
    • Master data domains, sources, and storage
    • Data retention requirements
    Applications
    • Applications Manager
    • Application Portfolio Manager
    • Application Architect
    • Applications map
    • Applications inventory
    • Applications architecture
    • Copy of all software license agreements
    • Copy of all software maintenance agreements
    Infrastructure
    • Head of Infrastructure
    • Enterprise Architect
    • Infrastructure Architect
    • Infrastructure Manager
    • Infrastructure map
    • Infrastructure inventory
    • Network architecture (including which data centers host which infrastructure and applications)
    • Inventory (including integration capabilities of vendors, versions, switches, and routers)
    • Copy of all hardware lease or purchase agreements
    • Copy of all hardware maintenance agreements
    • Copy of all outsourcing/external service provider agreements
    • Copy of all service-level agreements for centrally provided, shared services and systems
    Products and Services
    • Product Manager
    • Head of Customer Interactions
    • Product lifecycle
    • Product inventory
    • Customer market strategy

    Critical domains (continued)

    Understand the key stakeholders and outputs for each domain

    Domain

    Stakeholders

    Key Artifacts

    Key Information to request

    Operations
    • Head of Operations
    • Service catalog
    • Service overview
    • Service owners
    • Access policies and procedures
    • Availability and service levels
    • Support policies and procedures
    • Costs and approvals (internal and customer costs)
    IT Processes
    • CIO
    • IT Management
    • VP of IT Governance
    • VP of IT Strategy
    • IT process flow diagram
    • Processes in place and productivity levels (capacity)
    • Critical processes/processes the organization feels they do particularly well
    IT People
    • CIO
    • VP of Human Resources
    • IT organizational chart
    • Competency & capacity assessment
    • IT organizational structure (including resources from external service providers such as contractors) with appropriate job descriptions or roles and responsibilities
    • IT headcount and location
    Security
    • CISO
    • Security Architect
    • Security posture
    • Information security staff
    • Information security service providers
    • Information security tools
    • In-flight information security projects
    Projects
    • Head of Projects
    • Project portfolio
    • List of all future, ongoing, and recently completed projects
    Vendors
    • Head of Vendor Management
    • License inventory
    • Inventory (including what will and will not be transitioning, vendors, versions, number of licenses)

    Assess the target organization’s technical debt

    The other organization could be costly to purchase if not yet modernizing.

    • Consider the potential costs that your business will have to spend to get the other IT organization modernized or even digital.
    • This will be highly affected by your planned integration strategy.
    • A best-of-breed strategy might simply mean there's little to bring over from the other organization’s environment.
    • It’s often challenging to identify a direct financial cost for technical debt. Consider direct costs but also assess categories of impact that can have a long-term effect on your business: lost customer, staff, or business partner goodwill; limited flexibility and resilience; and health, safety, and compliance impacts.
    • Use more objective measures to track subjective impact. For example, consider the number of customers who could be significantly affected by each tech debt in the next quarter.

    Focus on solving the problems you need to address.

    Analyzing technical debt has value in that the analysis can help your organization make better risk management and resource allocation decisions.

    Review these examples of technical debt

    Do you have any of these challenges?

    Applications
    • Inefficient or incomplete code
    • Fragile or obsolete systems of record that limit the implementation of new functionality
    • Out-of-date IDEs or compilers
    • Unsupported applications
    Data & Analytics
    • Data presented via API that does not conform to chosen standards (EDI, NRF-ARTS, etc.)
    • Poor data governance
    • No transformation between OLTP and the data warehouse
    • Heavy use of OLTP for reporting
    • Lack of AI model and decision governance, maintenance
    End-User Computing
    • Aging and slow equipment
    • No configuration management
    • No MDM/UEM
    Security
    • Unpatched/unpatchable systems
    • Legacy firewalls
    • No data classification system
    • “Perimeter” security architecture
    • No documented security incident response
    • No policies, or unenforced policies
    Operations
    • Incomplete, ineffective, or undocumented business continuity and disaster recovery plans
    • Insufficient backups or archiving
    • Inefficient MACD processes
    • Application sprawl with no record of installed applications or licenses
    • No ticketing or ITSM system
    • No change management process
    • No problem management process
    • No event/alert management
    Infrastructure
    • End-of-life/unsupported equipment
    • Aging power or cooling systems
    • Water- or halon-based data center fire suppression systems
    • Out-of-date firmware
    • No DR site
    • Damaged or messy cabling
    • Lack of system redundancy
    • Integrated computers on business equipment (e.g. shop floor equipment, medical equipment) running out-of-date OS/software
    Project & Portfolio Management
    • No project closure process
    • Ineffective project intake process
    • No resource management practices

    “This isn’t a philosophical exercise. Knowing what you want to get out of this analysis informs the type of technical debt you will calculate and the approach you will take.” (Scott Buchholz, CTO, Deloitte Government & Public Services Practice, The Wall Street Journal, 2015)

    3.1.3 Assess technical debt

    1-2 hours

    Input: Participant views on organizational tech debt, Five to ten key technical debts, Business impact scoring scales, Reasonable next-quarter scenarios for each technical debt, Technical debt business impact analysis

    Output: Initial list of tech debt for the target organization

    Materials: Whiteboard, Sticky notes, Technical Debt Business Impact Analysis Tool, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Business leaders, Transition team

    The purpose of this activity is to assess the technical debt of the other IT organization. Taking on unnecessary technical debt is one of the biggest risks to the IT environment

    1. This activity can be completed by leveraging the blueprint Manage Your Technical Debt, specifically the Technical Debt Business Impact Analysis Tool. Complete the following activities in the blueprint:
      • 1.2.1 Identify your technical debt
      • 1.2.2 Select tech debt for your impact analysis
      • 2.2.2 Estimate tech debt impact
      • 2.2.3 Identify the most-critical technical debts
    2. Review examples of technical debt in the previous slide to assist you with this activity.
    3. Document the results from tab 3, Impact Analysis, in the M&A Buy Playbook if you are trying to record all artifacts related to the transaction in one place.

    Record the results in the M&A Buy Playbook.

    How to valuate an IT environment

    And why it matters so much

    • Valuating the target organization’s IT environment is a critical step to fully understand what it might be worth. Business partners are often not in the position to valuate the IT aspects to the degree that you would be.
    • The business investments in IT can be directly translated to a value amount. Meaning for every $1 invested in IT, the business might be gaining $100 in value back or possibly even loosing $100.
    • Determining, documenting, and communicating this information ensures that the business takes IT’s suggestions seriously and recognizes why investing in IT can be so critical.
    • There are three ways a business or asset can be valuated:
      • Cost Approach: Look at the costs associated with building, purchasing, replacing, and maintaining a given aspect of the business.
      • Market Approach: Look at the relative value of a particular aspect of the business. Relative value can fluctuate and depends on what the markets and consequently society believe that particular element is worth.
      • Discounted Cash Flow Approach: Focus on what the potential value of the business could be or the intrinsic value anticipated due to future profitability.

    The IT valuation conducted during due diligence can have a significant impact on the final financials of the transaction for the business.

    3.1.4 Valuate the target IT organization

    1 day

    Input: Valuation of data, Valuation of applications, Valuation of infrastructure and operations, Valuation of security and risk

    Output: Valuation of target organization’s IT

    Materials: Relevant templates/tools, Capital budget, Operating budget, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Prospective IT organization

    The purpose of this activity is to valuate the other IT organization.

    1. Review each of slides 42 to 45 to generate a valuation of IT’s data, applications, infrastructure, and security and risk. These valuations consider several tangible and intangible factors and result in a final dollar amount. For more information on this activity, review Activity 1.2.1 from the Proactive phase.
    2. Identify financial amounts for each critical area and add the financial output to the summary slide in the M&A Buy Playbook.
    3. Compare this information against your own IT organization’s valuation.
      1. Does it add value to your IT organization?
      2. Is there too much risk to accept if this transaction goes through?

    Info-Tech Insight

    Consistency is key when valuating your IT organization as well as other IT organizations throughout the transaction process.

    Record the results in the M&A Buy Playbook.

    Culture should not be overlooked, especially as it relates to the integration of IT environments

    • There are three types of culture that need to be considered.
    • Most importantly, this transition is an opportunity to change the culture that might exist in your organization’s IT environment.
    • Make a decision on which type of culture you’d like IT to have post-transition.

    Target Organization’s Culture

    The culture that the target organization is currently embracing. Their established and undefined governance practices will lend insight into this.

    Your Organization’s Culture

    The culture that your organization is currently embracing. Examine people’s attitudes and behaviors within IT toward their jobs and the organization.

    Ideal Culture

    What will the future culture of the IT organization be once integration is complete? Are there aspects that your current organization and the target organization embrace that are worth considering?

    Culture categories

    Map the results of the IT Culture Diagnostic to an existing framework

    Competitive
    • Autonomy
    • Confront conflict directly
    • Decisive
    • Competitive
    • Achievement oriented
    • Results oriented
    • High performance expectations
    • Aggressive
    • High pay for good performance
    • Working long hours
    • Having a good reputation
    • Being distinctive/different
    Innovative
    • Adaptable
    • Innovative
    • Quick to take advantage of opportunities
    • Risk taking
    • Opportunities for professional growth
    • Not constrained by rules
    • Tolerant
    • Informal
    • Enthusiastic
    Traditional
    • Stability
    • Reflective
    • Rule oriented
    • Analytical
    • High attention to detail
    • Organized
    • Clear guiding philosophy
    • Security of employment
    • Emphasis on quality
    • Focus on safety
    Cooperative
    • Team oriented
    • Fair
    • Praise for good performance
    • Supportive
    • Calm
    • Developing friends at work
    • Socially responsible

    Culture Considerations

    • What culture category was dominant for each IT organization?
    • Do you share the same dominant category?
    • Is your current dominant culture category the most ideal to have post-integration?

    3.1.5 Assess Culture

    3-4 hours

    Input: Cultural assessments for current IT organization, Cultural assessment for target IT organization

    Output: Goal for IT culture

    Materials: IT Culture Diagnostic, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, IT employees of current organization, IT employees of target organization, Company M&A team

    The purpose of this activity is to assess the different cultures that might exist within the IT environments of both organizations. More importantly, your IT organization can select its desired IT culture for the long term if it does not already exist.

    1. Complete this activity by leveraging the blueprint Fix Your IT Culture, specifically the IT Culture Diagnostic. Fill out the diagnostic for the IT department in your organization:
      1. Answer the 16 questions in tab 2, Diagnostic.
      2. Find out your dominant culture and review recommendations in tab 3, Results.
    2. Document the results from tab 3, Results, in the M&A Buy Playbook if you are trying to record all artifacts related to the transaction in one place.
    3. Repeat the activity for the target organization.
    4. Leverage the information to determine what the goal for the culture of IT will be post-integration if it will differ from the current culture.

    Record the results in the M&A Buy Playbook.

    Due Diligence & Preparation

    Step 3.2

    Prepare to Integrate

    Activities

    • 3.2.1 Prioritize integration tasks
    • 3.2.2 Establish the integration roadmap
    • 3.2.3 Identify the needed workforce supply
    • 3.2.4 Estimate integration costs
    • 3.2.5 Create an employee transition plan
    • 3.2.6 Create functional workplans for employees
    • 3.2.7 Align project metrics with identified tasks

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Transition team
    • Company M&A team

    Outcomes of Step

    Have an established plan of action toward integration across all domains and a strategy toward resources.

    Don’t underestimate the importance of integration preparation

    Integration is the process of combining the various components of one or more organizations into a single organization.

    80% of integration should happen within the first two years. (Source: CIO Dive)

    70% of M&A IT integrations fail due to components that could and should be addressed at the beginning. (Source: The Wall Street Journal, 2019)

    Info-Tech Insight

    Integration is not rationalization. Once the organization has integrated, it can prepare to rationalize the IT environment.

    Integration needs

    Identify your domain needs to support the target technology environment

    Set up a meeting with your IT due diligence team to:

    • Address data, applications, infrastructure, and other domain gaps.
    • Discuss the people and processes necessary to achieve the target technology environment and support M&A business objectives.

    Use this opportunity to:

    • Identify data and application complexities between your organization and the target organization.
    • Identify the IT people and process gaps, redundancies, and initiatives.
    • Determine your infrastructure needs and identify redundancies.
      • Does IT have the infrastructure to support the applications and business capabilities of the resultant enterprise?
      • Identify any gaps between the current infrastructure in both organizations and the infrastructure required in the resultant enterprise.
      • Identify any redundancies.
      • Determine the appropriate IT integration strategies.
    • Document your gaps, redundancies, initiatives, and assumptions to help you track and justify the initiatives that must be undertaken and help estimate the cost of integration.

    Integration implications

    Understand the implications for integration with respect to each target technology environment

    Domain

    Independent Models

    Create Links Between Critical Systems

    Move Key Capabilities to Common Systems

    Adopt One Model

    Data & Analytics

    • Consider data sources that might need to be combined (e.g. financials, email lists, internet).
    • Understand where each organization will warehouse its data and how it will be managed in a cost-effective manner.
    • Consider your reporting and transactional needs. Initially systems may remain separate, but eventually they will need to be merged.
    • Analyze whether or not the data types are compatible between companies.
    • Understand the critical data needs and the complexity of integration activities.
    • Consider your reporting and transactional needs. Initially systems may remain separate, but eventually they will need to be merged.
    • Focus on the master data domains that represent the core of your business.
    • Assess the value, size, location, and cleanliness of the target organization’s data sets.
    • Determine the data sets that will be migrated to capture expected synergies and drive core capabilities while addressing how other data sets will be maintained and managed.
    • Decide which applications to keep and which to terminate. This includes setting timelines for application retirement.
    • Establish interim linkages and common interfaces for applications while major migrations occur.

    Applications

    • Establish whether or not there are certain critical applications that still need to be linked (e.g. email, financials).
    • Leverage the unique strengths and functionalities provided by the applications used by each organization.
    • Confirm that adequate documentation and licensing exists.
    • Decide which critical applications need to be linked versus which need to be kept separate to drive synergies. For example, financial, email, and CRM may need to be linked, while certain applications may remain distinct.
    • Pay particular attention to the extent to which systems relating to customers, products, orders, and shipments need to be integrated.
    • Determine the key capabilities that require support from the applications identified by business process owners.
    • Assess which major applications need to be adopted by both organizations, based on the M&A goals.
    • Establish interim linkages and common interfaces for applications while major migrations occur.
    • Decide which applications to keep and which to terminate. This includes setting timelines for application retirement.
    • Establish interim linkages and common interfaces for applications while major migrations occur.

    Integration implications (continued)

    Understand the implications for integration with respect to each target technology environment

    Domain

    Independent Models

    Create Links Between Critical Systems

    Move Key Capabilities to Common Systems

    Adopt One Model

    Infrastructure

    • Assess the infrastructure demands created by retaining separate models (e.g. separate domains, voice, network integration).
    • Evaluate whether or not there are redundant data centers that could be consolidated to reduce costs.
    • Assess the infrastructure demands created by retaining separate models (e.g. separate domains, voice, network integration).
    • Evaluate whether or not there are redundant data centers that could be consolidated to reduce costs.
    • Evaluate whether certain infrastructure components, such as data centers, can be consolidated to support the new model while also eliminating redundancies. This will help reduce costs.
    • Assess which infrastructure components need to be kept versus which need to be terminated to support the new application portfolio. Keep in mind that increasing the transaction volume on a particular application increases the infrastructure capacity that is required for that application.
    • Extend the network to integrate additional locations.

    IT People & Processes

    • Retain workers from each IT department who possess knowledge of key products, services, and legacy systems.
    • Consider whether there are redundancies in staffing that could be eliminated.
    • The IT processes of each organization will most likely remain separate.
    • Consider the impact of the target organization on your IT processes.
    • Retain workers from each IT department who possess knowledge of key products, services, and legacy systems.
    • Consider whether there are redundancies in staffing that could be eliminated.
    • Consider how critical IT processes of the target organization fit with your current IT processes.
    • Identify which redundant staff members should be terminated by focusing on the key skills that will be necessary to support the common systems.
    • If there is overlap with the IT processes in both organizations, you may wish to map out both processes to get a sense for how they might work together.
    • Assess what processes will be prioritized to support IT strategies.
    • Identify which redundant staff members should be terminated by focusing on the key skills that will be necessary to support the prioritized IT processes.

    Integration implications (continued)

    Understand the implications for integration with respect to each target technology environment

    Domain

    Independent Models

    Create Links Between Critical Systems

    Move Key Capabilities to Common Systems

    Adopt One Model

    Leadership/IT Executive

    • Have insight into the goals and direction of the organization’s leadership. Make sure that a communication path has been established to receive information and provide feedback.
    • The decentralized model will require some form of centralization and strong governance processes to enable informed decisions.
    • Ensure that each area can deliver on its needs while not overstepping the goals and direction of the organization.
    • This will help with integration in the sense that front-line employees can see a single organization beginning to form.
    • In this model, there is the opportunity to select elements of each leadership style and strategy that will work for the larger organization.
    • Leadership can provide a single and unified approach to how the strategic goals will be executed.
    • More often than not, this would be the acquiring organization’s strategic direction.

    Vendors

    • Determine which contracts the target organization currently has in place.
    • Having different vendors in place will not be a bad model if it makes sense.
    • Spend time reviewing the contracts and ensuring that each organization has the right contracts to succeed.
    • Identify what redundancies might exist (ERPs, for example) and determine if the vendor would be willing to terminate one contract or another.
    • Through integration, it might be possible to engage in one set of contract negotiations for a single application or technology.
    • Identify whether there are opportunities to combine contracts or if they must remain completely separated until the end of the term.
    • In an effort to capitalize on the contracts working well, reduce the contracts that might be hindering the organization.
    • Speak to the vendor offering the contract.
    • Going forward, ensure the contracts are negotiated to include clauses to allow for easier and more cost-effective integration.

    Integration implications (continued)

    Understand the implications for integration with respect to each target technology environment

    Domain

    Independent Models

    Create Links Between Critical Systems

    Move Key Capabilities to Common Systems

    Adopt One Model

    Security

    • Both organizations would need to have a process for securing their organization.
    • Sharing and accessing information might be more difficult, as each organization would need to keep the other organization separate to ensure the organization remains secure.
    • Creating standard policies and procedures that each organization must adhere to would be critical here (for example, multifactor authentication).
    • Establish a single path of communication between the two organizations, ensuring reliable and secure data and information sharing.
    • Leverage the same solutions to protect the business as a whole from internal and external threats.
    • Identify opportunities where there might be user points of failure that could be addressed early in the process.
    • Determine what method of threat detection and response will best support the business and select that method to apply to the entire organization, both original and newly acquired.

    Projects

    • Projects remain ongoing as they were prior to the integration.
    • Some projects might be made redundant after the initial integration is over.
    • Re-evaluate the projects after integration to ensure they continue to deliver on the business’ strategic direction.
    • Determine which projects are similar to one another and identify opportunities to leverage business needs and solutions for each organization where possible.
    • Review project histories to determine the rationale for and success of projects that could be reused in either organization going forward.
    • Determine which projects should remain ongoing and which projects could wait to be implemented or could be completely stopped.
    • There might be certain modernization projects ongoing that cannot be stopped.
    • However, for all other projects, embrace a single portfolio.
    • Completely reduce or remove all ongoing projects from the one organization and continue with only the projects of the other organization.
    • Add in new projects when they arise as needed.

    3.2.1 Prioritize integration tasks

    2 hours

    Input: Integration tasks, Transition team, M&A RACI

    Output: Prioritized integration list

    Materials: Integration task checklist, Integration roadmap

    Participants: IT executive/CIO, IT senior leadership, Company M&A team

    The purpose of this activity is to prioritize the different integration tasks that your organization has identified as necessary to this transaction. Some tasks might not be relevant for this particular transaction, and others might be critical.

    1. Download the SharePoint or Excel version of the M&A Integration Project Management Tool. Identify which integration tasks you want as part of your project plan. Alter or remove any tasks that are irrelevant to your organization. Add in tasks you think are missing.
    2. When deciding criticality of the task, consider the effect on stakeholders, those who are impacted or influenced in the process of the task, and dependencies (e.g. data strategy needs to be addressed first before you can tackle its dependencies, like data quality).
    3. Feel free to edit the way you measure criticality. The standard tool leverages a three-point scale. At the end, you should have a list of tasks in priority order based on criticality.

    Record the updates in the M&A Integration Project Management Tool (SharePoint).

    Record the updates in the M&A Integration Project Management Tool (Excel).

    Integration checklists

    Prerequisite Checklist
    • Build the project plan for integration and prioritize activities
      • Plan first day
      • Plan first 30/100 days
      • Plan first year
    • Create an organization-aligned IT strategy
    • Identify critical stakeholders
    • Create a communication strategy
    • Understand the rationale for the acquisition or purchase
    • Develop IT's purchasing strategy
    • Determine goal opportunities
    • Create the mission and vision statements
    • Create the guiding principles
    • Create program metrics
    • Consolidate reports from due diligence/data room
    • Conduct culture assessment
    • Create a transaction team
    • Assess workforce demand and supply
    • Plan and communicate potential layoffs
    • Create an employee transition plan
    • Identify the IT investment
    Business
    • Design an enterprise architecture
    • Document your business architecture
    • Identify and assess all of IT's risks
    Leadership/IT Executive
    • Build an IT budget
    • Structure operating budget
    • Structure capital budget
    • Identify the needed workforce demand vs. capacity
    • Establish and monitor key metrics
    • Communicate value realized/cost savings
    Data
    • Confirm data strategy
    • Confirm data governance
    • Data architecture
    • Data sources
    • Data storage (on-premises vs. cloud)
    • Enterprise content management
    • Compatibility of data types between organizations
    • Cleanliness/usability of target organization data sets
    • Identify data sets that need to be combined to capture synergies/drive core capabilities
    • Reporting and analytics capabilities
    Applications
    • Prioritize and address critical applications
      • ERP
      • CRM
      • Email
      • HRIS
      • Financial
      • Sales
      • Risk
      • Security
    • Leverage application rationalization framework to determine applications to keep, terminate, or create
    • Develop method of integrating applications
    • Model critical applications that have dependencies on one another
    • Identify the infrastructure capacity required to support critical applications
    Operations
    • Communicate helpdesk/service desk information
    • Manage sales access to customer data
    • Determine locations and hours of operation
    • Consolidate phone lists and extensions
    • Synchronize email address books

    Integration checklists (continued)

    Infrastructure
    • Determine single network access
    • Manage organization domains
    • Consolidate data centers
    • Compile inventory of vendors, versions, switches, and routers
    • Review hardware lease or purchase agreements
    • Review outsourcing/service provider agreements
    • Review service-level agreements
    • Assess connectivity linkages between locations
    • Plan to migrate to a single email system if necessary
    Vendors
    • Establish a sustainable vendor management office
    • Review vendor landscape
    • Identify warranty options
    • Rationalize vendor services and solutions
    • Identify opportunities to mature the security architecture
    People
    • Design an IT operating model
    • Redesign your IT organizational structure
    • Conduct a RACI
    • Conduct a culture assessment and identify goal IT culture
    • Build an IT employee engagement program
    • Determine critical roles and systems/process/products they support
    • Create a list of employees to be terminated
    • Create employee transition plans
    • Create functional workplans
    Projects
    • Stop duplicate or unnecessary target organization projects
    • Communicate project intake process
    • Prioritize projects
    Products & Services
    • Ensure customer services requirements are met
    • Ensure customer interaction requirements are met
    • Select a solution for product lifecycle management
    Security
    • Conduct a security assessment of target organization
    • Develop accessibility prioritization and schedule
    • Establish an information security strategy
    • Develop a security awareness and training program
    • Develop and manage security governance, risk, and compliance
    • Identify security budget
    • Build a data privacy and classification program
    IT Processes
    • Evaluate current process models
    • Determine productivity/capacity levels of processes
    • Identify processes to be terminated
    • Identify process expectations from target organization
    • Establish a communication plan
    • Develop a change management process
    • Establish/review IT policies

    3.2.2 Establish the integration roadmap

    2 hours

    Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners

    Output: Integration roadmap

    Materials: M&A Integration Project Plan Tool (SharePoint), M&A Integration Project Plan Tool (Excel)

    Participants: IT executive/CIO, IT senior leadership, Transition team, Company M&A team

    The purpose of this activity is to create a roadmap to support IT throughout the integration process. Using the information gathered in previous activities, you can create a roadmap that will ensure a smooth integration.

    1. Leverage our M&A Integration Project Management Tool to track critical elements of the integration project. There are a few options available:
      1. Follow the instructions on the next slide if you are looking to upload our SharePoint project template.
      2. If you cannot or do not want to use SharePoint as your project management solution, download our Excel version of the tool.
        **Remember that this your tool, so customize to your liking.
    2. Identify who will own or be accountable for each of the integration tasks and establish the time frame for when each project should begin and end. This will confirm which tasks should be prioritized.

    Record the updates in the M&A Integration Project Management Tool (SharePoint).

    Record the updates in the M&A Integration Project Management Tool (Excel).

    Integration Project Management Tool (SharePoint Template)

    Follow these instructions to upload our template to your SharePoint environment

    1. Create or use an existing SP site.
    2. Download the M&A Integration Project Plan Tool (SharePoint) .wsp file from the Mergers & Acquisitions: The Buy Blueprint landing page.
    3. To import a template into your SharePoint environment, do the following:
      1. Open PowerShell.
      2. Connect-SPO Service (need to install PowerShell module).
      3. Enter in your tenant admin URL.
      4. Enter in your admin credentials.
      5. Set-SPO Site https://YourDomain.sharepoint.com/sites/YourSiteHe... -DenyAddAndCustomizePages 0
      OR
      1. Turn on both custom script features to allow users to run custom
    4. Screenshot of the 'Custom Script' option for importing a template into your SharePoint environment. Feature description reads 'Control whether users can run custom script on personal sites and self-service created sites. Note: changes to this setting might take up to 24 hours to take effect. For more information, see http://go.microsoft.com/fwlink/?LinkIn=397546'. There are options to prevent or allow users from running custom script on personal/self-service created sites.
    5. Enable the SharePoint Server Standard Site Collection features.
    6. Upload the .wsp file in Solutions Gallery.
    7. Deploy by creating a subsite and select from custom options.
      • Allow or prevent custom script
      • Security considerations of allowing custom script
      • Save, download, and upload a SharePoint site as a template
    8. Refer to Microsoft documentation to understand security considerations and what is and isn’t supported:

    For more information, check out the SharePoint Template: Step-by-Step Deployment Guide.

    Participate in active workforce planning to transition employees

    The chosen IT operating model, primary M&A goals, and any planned changes to business strategy will dramatically impact IT staffing and workforce planning efforts.

    Visualization of the three aspects of 'IT workforce planning', as listed below.

    IT workforce planning

    • Primary M&A goals
      If the goal of the M&A is cost cutting, then workforce planning will be necessary to identify labor redundancies.
    • Changes to business strategy
      If business strategy will change after the merger, then workforce planning will typically be more involved than if business strategy will not change.
    • Integration strategy
      For independent models, workforce planning will typically be unnecessary.
      For connection of essential systems or absorption, workforce planning will likely be an involved, time-consuming process.
    1. Estimate the headcount you will need through the end of the M&A transition period.
    2. Outline the process you will use to assess staff for roles that have more than one candidate.
    3. Review employees in each department to determine the best fit for each role.
    4. Determine whether terminations will happen all together or in waves.

    Info-Tech Insight

    Don’t be a short-term thinker when it comes to workforce planning! IT teams that only consider the headcount needed on day one of the new entity will end up scrambling to find skilled resources to fill workforce gaps later in the transition period.

    3.2.3 Identify the needed workforce supply

    3-4 hours

    Input: IT strategy, Prioritized integration tasks

    Output: A clear indication of how many resources are required for each role and the number of resources that the organization actually has

    Materials: Resource Management Supply-Demand Calculator

    Participants: IT executive/CIO, IT senior leadership, Target organization employees, Company M&A team, Transition team

    The purpose of this activity is to determine the anticipated amount of work that will be required to support projects (like integration), administrative, and keep-the-lights-on activities.

    1. Download the Resource Management Supply-Demand Calculator.
    2. The calculator requires minimal up-front staff participation: You can obtain meaningful results with participation from as few as one person with insight on the distribution of your resources and their average work week or month.
    3. The calculator will yield a report that shows a breakdown of your annual resource supply and demand, as well as the gap between the supply and demand. Further insight on project and non-project supply and demand are provided.
    4. Repeat the tool several times to identify the needs of your IT environment for day one, day 30/100, and year one. Anticipate that these will change over time. Also, do not forget to obtain this information from the target organization. Given that you will be integrating, it’s important to know how many staff they have in which roles.
    5. **For additional information, please review slides starting from slide 44 in Establish Realistic IT Resource Management Practices to see how to use the tool.

    Record the results in the Resource Management Supply-Demand Calculator.

    Resource Supply-Demand Calculator Output Example

    Example of a 'Resource Management Supply-Demand Analysis Report' with charts and tables measuring Annualized Resource Supply and Demand, Resource Capacity Confidence, Project Capacity, and combinations of those metrics.

    Resource Capacity Confidence. This figure is based on your confidence in supply confidence, demand stability, and the supply-demand ratio.

    Importance of estimating integration costs

    Change is the key driver of integration costs

    Integration costs are dependent on the following:
    • Meeting synergy targets – whether that be cost saving or growth related.
      • Employee-related costs, licensing, and reconfiguration fees play a huge part in meeting synergy targets.
    • Adjustments related to compliance or regulations – especially if there are changes to legal entities, reporting requirements, or risk-mitigation standards.
    • Governance or third party–related support required to ensure timelines are met and the integration is a success.
    Integration costs vary by industry type.
    • Certain industries may have integration costs made up of mostly one type, differing from other industries, due to the complexity and different demands of the transaction. For example:
      • Healthcare integration costs are mostly driven by regulatory, safety, and quality standards, as well as consolidation of the research and development function.
      • Energy and Utilities tend to have the lowest integration costs due to most transactions occurring within the same sector rather than as a cross-sector investment. For example, oil and gas acquisitions tend to be for oil fields and rigs (strategic fixed assets), which can easily be added to the buyer’s portfolio.

    Integration costs are more related to the degree of change required than the size of the transaction.

    3.2.4 Estimate integration costs

    3-4 hours

    Input: Integration tasks, Transition team, Valuation of current IT environment, Valuation of target IT environment, Outputs from data room, Technical debt, Employees

    Output: List of anticipated costs required to support IT integration

    Materials: Integration task checklist, Integration roadmap, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

    The purpose of this activity is to estimate the costs that will be associated with the integration. It’s important to ensure a realistic figure is identified and communicated to the larger M&A team within your company as early in the process as possible. This ensures that the funding required for the transaction is secured and budgeted for in the overarching transaction.

    1. On the associated slide in the M&A Buy Playbook, input:
      • Task
      • Domain
      • Cost type
      • Total cost amount
      • Level of certainty around the cost
    2. Provide a copy of the estimated costs to the company’s M&A team. Also provide any additional information identified earlier to help them understand the importance of those costs.

    Record the results in the M&A Buy Playbook.

    Employee transition planning

    Considering employee impact will be a huge component to ensure successful integration

    • Meet With Leadership
    • Plan Individual and Department Redeployment
    • Plan Individual and Department Layoffs
    • Monitor and Manage Departmental Effectiveness
    • For employees, the transition could mean:
      • Changing from their current role to a new role to meet requirements and expectations throughout the transition.
      • Being laid off because the role they are currently occupying has been made redundant.
    • It is important to plan for what the M&A integration needs will be and what the IT operational needs will be.
    • A lack of foresight into this long-term plan could lead to undue costs and headaches trying to retain critical staff, rehiring positions that were already let go, and keeping redundant employees longer then necessary.

    Info-Tech Insight

    Being transparent throughout the process is critical. Do not hesitate to tell employees the likelihood that their job may be made redundant. This will ensure a high level of trust and credibility for those who remain with the organization after the transaction.

    3.2.5 Create an employee transition plan

    3-4 hours

    Input: IT strategy, IT organizational design, Resource Supply-Demand Calculator output

    Output: Employee transition plans

    Materials: M&A Buy Playbook, Whiteboard, Sticky notes, Markers

    Participants: IT executive/CIO, IT senior leadership, Company M&A team, Transition team

    The purpose of this activity is to create a transition plan for employees.

    1. Transition planning can be done at specific individual levels or more broadly to reflect a single role. Consider these four items in the transition plan:
      • Understand the direction of the employee transitions.
      • Identify employees that will be involved in the transition (moved or laid off).
      • Prepare to meet with employees.
      • Meet with employees.
    2. For each employee that will be facing some sort of change in their regular role, permanent or temporary, create a transition plan.
    3. For additional information on transitioning employees, review the blueprint Streamline Your Workforce During a Pandemic.

    **Note that if someone’s future role is a layoff, then there is no need to record anything for skills needed or method for skill development.

    Record the results in the M&A Buy Playbook.

    3.2.6 Create functional workplans for employees

    3-4 hours

    Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners

    Output: Employee functional workplans

    Materials: M&A Buy Playbook, Learning and development tools

    Participants: IT executive/CIO, IT senior leadership, IT management team, Company M&A team, Transition team

    The purpose of this activity is to create a functional workplan for the different employees so that they know what their key role and responsibilities are once the transaction occurs.

    1. First complete the transition plan from the previous activity (3.2.5) and the separation roadmap. Have these documents ready to review throughout this process.
    2. Identify the employees who will be transitioning to a new role permanently or temporarily. Creating a functional workplan is especially important for these employees.
    3. Identify the skills these employees need to have to support the separation. Record this in the corresponding slide in the M&A Buy Playbook.
    4. For each employee, identify someone who will be a point of contact for them throughout the transition.

    It is recommended that each employee have a functional workplan. Leverage the IT managers to support this task.

    Record the results in the M&A Buy Playbook.

    Metrics for integration

    Valuation & Due Diligence

    • % Defects discovered in production
    • $ Cost per user for enterprise applications
    • % In-house-built applications vs. enterprise applications
    • % Owners identified for all data domains
    • # IT staff asked to participate in due diligence
    • Change to due diligence
    • IT budget variance
    • Synergy target

    Execution & Value Realization

    • % Satisfaction with the effectiveness of IT capabilities
    • % Overall end-customer satisfaction
    • $ Impact of vendor SLA breaches
    • $ Savings through cost-optimization efforts
    • $ Savings through application rationalization and technology standardization
    • # Key positions empty
    • % Frequency of staff turnover
    • % Emergency changes
    • # Hours of unplanned downtime
    • % Releases that cause downtime
    • % Incidents with identified problem record
    • % Problems with identified root cause
    • # Days from problem identification to root cause fix
    • % Projects that consider IT risk
    • % Incidents due to issues not addressed in the security plan
    • # Average vulnerability remediation time
    • % Application budget spent on new build/buy vs. maintenance (deferred feature implementation, enhancements, bug fixes)
    • # Time (days) to value realization
    • % Projects that realized planned benefits
    • $ IT operational savings and cost reductions that are related to synergies/divestitures
    • % IT staff–related expenses/redundancies
    • # Days spent on IT integration
    • $ Accurate IT budget estimates
    • % Revenue growth directly tied to IT delivery
    • % Profit margin growth

    3.2.7 Align project metrics with identified tasks

    3-4 hours

    Input: Prioritized integration tasks, Employee transition plan, Integration RACI, Costs for activities, Activity owners, M&A goals

    Output: Integration-specific metrics to measure success

    Materials: Roadmap template, M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Transition team

    The purpose of this activity is to understand how to measure the success of the integration project by aligning metrics to each identified task.

    1. Review the M&A goals identified by the business. Your metrics will need to tie back to those business goals.
    2. Identify metrics that align to identified tasks and measure achievement of those goals. For each metric you consider, ask the following questions:
      • What is the main goal or objective that this metric is trying to solve?
      • What does success look like?
      • Does the metric promote the right behavior?
      • Is the metric actionable? What is the story you are trying to tell with this metric?
      • How often will this get measured?
      • Are there any metrics it supports or is supported by?

    Record the results in the M&A Buy Playbook.

    By the end of this mid-transaction phase you should:

    Have successfully evaluated the target organization’s IT environment, escalated the acquisition risks and benefits, and prepared IT for integration.

    Key outcomes from the Due Diligence & Preparation phase
    • Participate in due diligence activities to accurately valuate the target organization(s) and determine if there are critical risks or benefits the current organization should be aware of.
    • Create an integration roadmap that considers the tasks that will need to be completed and the resources required to support integration.
    Key deliverables from the Due Diligence & Preparation phase
    • Establish a due diligence charter
    • Create a list of data room artifacts and engage in due diligence
    • Assess the target organization’s technical debt
    • Valuate the target IT organization
    • Assess and plan for culture
    • Prioritize integration tasks
    • Establish the integration roadmap
    • Identify the needed workforce supply
    • Estimate integration costs
    • Create employee transition plans
    • Create functional workplans for employees
    • Align project metrics with identified tasks

    M&A Buy Blueprint

    Phase 4

    Execution & Value Realization

    Phase 1Phase 2Phase 3

    Phase 4

    • 1.1 Identify Stakeholders and Their Perspective of IT
    • 1.2 Assess IT’s Current Value and Future State
    • 1.3 Drive Innovation and Suggest Growth Opportunities
    • 2.1 Establish the M&A Program Plan
    • 2.2 Prepare IT to Engage in the Acquisition
    • 3.1 Assess the Target Organization
    • 3.2 Prepare to Integrate
    • 4.1 Execute the Transaction
    • 4.2 Reflection and Value Realization

    This phase will walk you through the following activities:

    • Rationalize the IT environment
    • Continually update the project plan
    • Confirm integration costs
    • Review IT’s transaction value
    • Conduct a transaction and integration SWOT
    • Review the playbook and prepare for future transactions

    This phase involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Vendor management team
    • IT transaction team
    • Company M&A team

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Pre-Work

    Day 1

    Day 2

    Day 3

    Engage in Integration

    Day 4

    Establish the Transaction FoundationDiscover the Motivation for IntegrationPlan the Integration RoadmapPrepare Employees for the TransitionEngage in IntegrationAssess the Transaction Outcomes (Must be within 30 days of transaction date)

    Activities

    • 0.1 Understand the rationale for the company's decisions to pursue an acquisition.
    • 0.2 Identify key stakeholders and determine the IT transaction team.
    • 0.3 Gather and evaluate the M&A strategy, future-state operating model, and governance.
    • 1.1 Review the business rationale for the acquisition.
    • 1.2 Identify pain points and opportunities tied to the acquisition.
    • 1.3 Establish the integration strategy.
    • 1.4 Prioritize Integration tasks.
    • 2.1 Establish the integration roadmap.
    • 2.2 Establish and align project metrics with identified tasks.
    • 2.3 Estimate integration costs.
    • 3.1 Assess the current culture and identify the goal culture.
    • 3.2 Identify the needed workforce supply.
    • 3.3 Create an employee transition plan.
    • 3.4 Create functional workplans for employees.
    • I.1 Complete the integration by regularly updating the project plan.
    • I.2 Begin to rationalize the IT environment where possible and necessary.
    • 4.1 Confirm integration costs.
    • 4.2 Review IT’s transaction value.
    • 4.3 Conduct a transaction and integration SWOT.
    • 4.4 Review the playbook and prepare for future transactions.

    Deliverables

    1. IT strategy
    2. IT operating model
    3. IT governance structure
    4. M&A transaction team
    1. Business context implications for IT
    2. Integration strategy
    1. Integration roadmap and associated resourcing
    1. Culture assessment
    2. Workforce supply identified
    3. Employee transition plan
    1. Rationalized IT environment
    2. Updated integration project plan
    1. SWOT of transaction
    2. M&A Buy Playbook refined for future transactions

    What is the Execution & Value Realization phase?

    Post-transaction state

    Once the transaction comes to a close, it’s time for IT to deliver on the critical integration tasks. Set the organization up for success by having an integration roadmap. Retaining critical IT staff throughout this process will also be imperative to the overall transaction success.

    Throughout the integration process, roadblocks will arise and need to be addressed. However, by ensuring that employees, technology, and processes are planned for ahead of the transaction, you as IT will be able to weather those unexpected concerns with greater ease.

    Now that you as an IT leader have engaged in an acquisition, demonstrating the value IT was able to provide to the process is critical to establishing a positive and respected relationship with other senior leaders in the business. Be prepared to identify the positives and communicate this value to advance the business’ perception of IT.

    Goal: To carry out the planned integration activities and deliver the intended value to the business

    Execution Prerequisite Checklist

    Before coming into the Execution & Value Realization phase, you must have addressed the following:

    • Understand the rationale for the company's decisions to pursue an acquisition and what opportunities or pain points the acquisition should alleviate.
    • Identify the key roles for the transaction team.
    • Identify the M&A governance.
    • Determine target metrics and align to project tasks.
    • Select an integration strategy framework.
    • Conduct a RACI for key transaction tasks for the transaction team.
    • Create a list of data room artifacts and engage in due diligence (directly or indirectly).
    • Prioritize integration tasks.
    • Establish the integration roadmap.
    • Identify the needed workforce supply.
    • Create employee transition plans.

    Before coming into the Execution & Value Realization phase, we recommend addressing the following:

    • Create vision and mission statements.
    • Establish guiding principles.
    • Create a future-state operating model.
    • Identify the M&A operating model.
    • Document the communication plan.
    • Examine the business perspective of IT.
    • Identify key stakeholders and outline their relationship to the M&A process.
    • Be able to valuate the IT environment and communicate IT's value to the business.
    • Establish a due diligence charter.
    • Assess the target organization’s technical debt.
    • Valuate the target IT organization.
    • Assess and plan for culture.
    • Estimate integration costs.
    • Create functional workplans for employees.

    Integration checklists

    Prerequisite Checklist
    • Build the project plan for integration and prioritize activities
      • Plan first day
      • Plan first 30/100 days
      • Plan first year
    • Create an organization-aligned IT strategy
    • Identify critical stakeholders
    • Create a communication strategy
    • Understand the rationale for the acquisition or purchase
    • Develop IT's purchasing strategy
    • Determine goal opportunities
    • Create the mission and vision statements
    • Create the guiding principles
    • Create program metrics
    • Consolidate reports from due diligence/data room
    • Conduct culture assessment
    • Create a transaction team
    • Assess workforce demand and supply
    • Plan and communicate potential layoffs
    • Create an employee transition plan
    • Identify the IT investment
    Business
    • Design an enterprise architecture
    • Document your business architecture
    • Identify and assess all of IT's risks
    Leadership/IT Executive
    • Build an IT budget
    • Structure operating budget
    • Structure capital budget
    • Identify the needed workforce demand vs. capacity
    • Establish and monitor key metrics
    • Communicate value realized/cost savings
    Data
    • Confirm data strategy
    • Confirm data governance
    • Data architecture
    • Data sources
    • Data storage (on-premises vs. cloud)
    • Enterprise content management
    • Compatibility of data types between organizations
    • Cleanliness/usability of target organization data sets
    • Identify data sets that need to be combined to capture synergies/drive core capabilities
    • Reporting and analytics capabilities
    Applications
    • Prioritize and address critical applications
      • ERP
      • CRM
      • Email
      • HRIS
      • Financial
      • Sales
      • Risk
      • Security
    • Leverage application rationalization framework to determine applications to keep, terminate, or create
    • Develop method of integrating applications
    • Model critical applications that have dependencies on one another
    • Identify the infrastructure capacity required to support critical applications
    Operations
    • Communicate helpdesk/service desk information
    • Manage sales access to customer data
    • Determine locations and hours of operation
    • Consolidate phone lists and extensions
    • Synchronize email address books

    Integration checklists (continued)

    Infrastructure
    • Determine single network access
    • Manage organization domains
    • Consolidate data centers
    • Compile inventory of vendors, versions, switches, and routers
    • Review hardware lease or purchase agreements
    • Review outsourcing/service provider agreements
    • Review service-level agreements
    • Assess connectivity linkages between locations
    • Plan to migrate to a single email system if necessary
    Vendors
    • Establish a sustainable vendor management office
    • Review vendor landscape
    • Identify warranty options
    • Rationalize vendor services and solutions
    • Identify opportunities to mature the security architecture
    People
    • Design an IT operating model
    • Redesign your IT organizational structure
    • Conduct a RACI
    • Conduct a culture assessment and identify goal IT culture
    • Build an IT employee engagement program
    • Determine critical roles and systems/process/products they support
    • Create a list of employees to be terminated
    • Create employee transition plans
    • Create functional workplans
    Projects
    • Stop duplicate or unnecessary target organization projects
    • Communicate project intake process
    • Prioritize projects
    Products & Services
    • Ensure customer services requirements are met
    • Ensure customer interaction requirements are met
    • Select a solution for product lifecycle management
    Security
    • Conduct a security assessment of target organization
    • Develop accessibility prioritization and schedule
    • Establish an information security strategy
    • Develop a security awareness and training program
    • Develop and manage security governance, risk, and compliance
    • Identify security budget
    • Build a data privacy and classification program
    IT Processes
    • Evaluate current process models
    • Determine productivity/capacity levels of processes
    • Identify processes to be terminated
    • Identify process expectations from target organization
    • Establish a communication plan
    • Develop a change management process
    • Establish/review IT policies

    Execution & Value Realization

    Step 4.1

    Execute the Transaction

    Activities

    • 4.1.1 Rationalize the IT environment
    • 4.1.2 Continually update the project plan

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Vendor management team
    • IT transaction team
    • Company M&A team

    Outcomes of Step

    Successfully execute on the integration and strategize how to rationalize the two (or more) IT environments and update the project plan, strategizing against any roadblocks as they might come.

    Compile –› Assess –› Rationalize

    Access to critical information often does not happen until day one

    • As the transaction comes to a close and the target organization becomes the acquired organization, it’s important to start working on the rationalization of your organization.
    • One of the most important elements will be to have a complete understanding of the acquired organization’s IT environment. Specifically, assess the technology, people, and processes that might exist.
    • This rationalization will be heavily dependent on your planned integration strategy determined in the Discovery & Strategy phase of the process.
    • If your IT organization was not involved until after that phase, then determine whether your organization plans on remaining in its original state, taking on the acquired organization’s state, or forming a best-of-breed state by combining elements.
    • To execute on this, however, a holistic understanding of the new IT environment is required.

    Some Info-Tech resources to support this initiative:

    • Reduce and Manage Your Organization’s Insider Threat Risk
    • Build an Application Rationalization Framework
    • Rationalize Your Collaboration Tools
    • Consolidate IT Asset Management
    • Build Effective Enterprise Integration on the Back of Business Process
    • Consolidate Your Data Centers

    4.1.1 Rationalize the IT environment

    6-12 months

    Input: RACI chart, List of critical applications, List of vendor contracts, List of infrastructure assets, List of data assets

    Output: Rationalized IT environment

    Materials: Software Terms & Conditions Evaluation Tool

    Participants: IT executive/CIO, IT senior leadership, Vendor management

    The purpose of this activity is to rationalize the IT environment to reduce and eliminate redundant technology.

    1. Compile a list of the various applications and vendor contracts from the acquired organization and the original organization.
    2. Determine where there is repetition. Have a member of the vendor management team review those contracts and identify cost-saving opportunities.

    This will not be a quick and easy activity to complete. It will require strong negotiation on the behalf of the vendor management team.

    For additional information and support for this activity, see the blueprint Master Contract Review and Negotiations for Software Agreements.

    4.1.2 Continually update the project plan

    Reoccurring basis following transition

    Input: Prioritized integration tasks, Integration RACI, Activity owners

    Output: Updated integration project plan

    Materials: M&A Integration Project Management Tool

    Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team

    The purpose of this activity is to ensure that the project plan is continuously updated as your transaction team continues to execute on the various components outlined in the project plan.

    1. Set a regular cadence for the transaction team to meet, update and review the status of the various integration task items, and strategize how to overcome any roadblocks.
    2. Employ governance best practices in these meetings to ensure decisions can be made effectively and resources allocated strategically.

    Record the updates in the M&A Integration Project Management Tool (SharePoint).

    Record the updates in the M&A Integration Project Management Tool (Excel).

    Execution & Value Realization

    Step 4.2

    Reflection and Value Realization

    Activities

    • 4.2.1 Confirm integration costs
    • 4.2.2 Review IT’s transaction value
    • 4.2.3 Conduct a transaction and integration SWOT
    • 4.2.4 Review the playbook and prepare for future transactions

    This step involves the following participants:

    • IT executive/CIO
    • IT senior leadership
    • Transition team
    • Company M&A team

    Outcomes of Step

    Review the value that IT was able to generate around the transaction and strategize on how to improve future acquisition transactions.

    4.2.1 Confirm integration costs

    3-4 hours

    Input: Integration tasks, Transition team, Previous RACI, Estimated costs

    Output: Actual integration costs

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, IT transaction team, Company M&A team

    The purpose of this activity is to confirm the associated costs around integration. While the integration costs would have been estimated previously, it’s important to confirm the costs that were associated with the integration in order to provide an accurate and up-to-date report to the company’s M&A team.

    1. Taking all the original items identified previously in activity 3.2.4, identify if there were changes in the estimated costs. This can be an increase or a decrease.
    2. Ensure that each cost has a justification for why the cost changed from the original estimation.

    Record the results in the M&A Buy Playbook.

    Track synergy capture through the IT integration

    The ultimate goal of the M&A is to achieve and deliver deal objectives. Early in the M&A, IT must identify, prioritize, and execute upon synergies that deliver value to the business and its shareholders. Continue to measure IT’s contribution toward achieving the organization’s M&A goals throughout the integration by keeping track of cost savings and synergies that have been achieved. When these achievements happen, communicate them and celebrate success.

    1. Define Synergy Metrics: Select metrics to track synergies through the integration.
      1. You can track value by looking at percentages of improvement in process-level metrics depending on the synergies being pursued.
      2. For example, if the synergy being pursued is increasing asset utilization, metrics could range from capacity to revenue generated through increased capacity.
    2. Prioritize Synergistic Initiatives: Estimate the cost and benefit of each initiative's implementation to compare the amount of business value to the cost. The benefits and costs should be illustrated at a high level. Estimating the exact dollar value of fulfilling a synergy can be difficult and misleading.
        Steps
      • Determine the benefits that each initiative is expected to deliver.
      • Determine the high-level costs of implementation (capacity, time, resources, effort).
    3. Track Synergy Captures: Develop a detailed workplan to resource the roadmap and track synergy captures as the initiatives are undertaken.

    Once 80% of the necessary synergies are realized, executive pressure will diminish. However, IT must continue to work toward the technology end state to avoid delayed progression.

    4.2.2 Review IT’s transaction value

    3-4 hours

    Input: Prioritized integration tasks, Integration RACI, Activity owners, M&A company goals

    Output: Transaction value

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO, IT senior leadership, Company's M&A team

    The purpose of this activity is to track how your IT organization performed against the originally identified metrics.

    1. If your organization did not have the opportunity to identify metrics earlier, determine from the company M&A team what those metrics might be. Review activity 3.2.7 for more information on metrics.
    2. Identify whether the metric (which should be used to support a goal) was at, below, or above the original target metric. This is a very critical task for IT to complete because it allows IT to confirm that they were successful engaging in the transaction and that the business can count on them in future transactions.
    3. Be sure to record accurate and relevant information on why the outcomes (good or bad) are supporting the M&A goals that were set out by the business.

    Record the results in the M&A Buy Playbook.

    4.2.3 Conduct a transaction and integration SWOT

    2 hours

    Input: Integration costs, Retention rates, Value IT contributed to the transaction

    Output: Strengths, weaknesses, opportunities, and threats

    Materials: Flip charts, Markers, Sticky notes

    Participants: IT executive/CIO, IT senior leadership, Business transaction team

    The purpose of this activity is to assess the positive and negative elements of the transaction.

    1. Consider the various internal and external elements that could have impacted the outcome of the transaction.
      • Strengths. Internal characteristics that are favorable as they relate to your development environment.
      • Weaknesses Internal characteristics that are unfavorable or need improvement.
      • Opportunities External characteristics that you may use to your advantage.
      • Threats External characteristics that may be potential sources of failure or risk.

    Record the results in the M&A Buy Playbook.

    M&A Buy Playbook review

    With an acquisition complete, your IT organization is now more prepared then ever to support the business through future M&As

    • Now that the transaction is more than 80% complete, take the opportunity to review the key elements that worked well and the opportunities for improvement in future transactions.
    • Critically examine the M&A Buy Playbook your IT organization created and identify what worked well to help the transaction and where your organization could adjust to do better in future transactions.
    • If your organization were to engage in another acquisition under your IT leadership, how would you go about the transaction to make sure the company meets its goals?

    4.2.4 Review the playbook and prepare for future transactions

    4 hours

    Input: Transaction and integration SWOT

    Output: Refined M&A playbook

    Materials: M&A Buy Playbook

    Participants: IT executive/CIO

    The purpose of this activity is to revise the playbook and ensure it is ready to go for future transactions.

    1. Using the outputs from the previous activity, 4.2.3, determine what strengths and opportunities there were that should be leveraged in the next transaction.
    2. Likewise, determine which threats and weaknesses could be avoided in the future transactions.
      Remember, this is your M&A Buy Playbook, and it should reflect the most successful outcome for you in your organization.

    Record the results in the M&A Buy Playbook.

    By the end of this post-transaction phase you should:

    Have completed the integration post-transaction and be fluidly delivering the critical value that the business expected of IT.

    Key outcomes from the Execution & Value Realization phase
    • Ensure the integration tasks are being completed and that any blockers related to the transaction are being removed.
    • Determine where IT was able to realize value for the business and demonstrate IT’s involvement in meeting target goals.
    Key deliverables from the Execution & Value Realization phase
    • Rationalize the IT environment
    • Continually update the project plan for completion
    • Confirm integration costs
    • Review IT’s transaction value
    • Conduct a transaction and integration SWOT
    • Review the playbook and prepare for future transactions

    Summary of Accomplishment

    Problem Solved

    Congratulations, you have completed the M&A Buy Blueprint!

    Rather than reacting to a transaction, you have been proactive in tackling this initiative. You now have a process to fall back on in which you can be an innovative IT leader by suggesting how and why the business should engage in an acquisition. You now have:

    • Created a standardized approach for how your IT organization should address acquisitions.
    • Evaluated the target organizations successfully and established an integration project plan.
    • Delivered on the integration project plan successfully and communicated IT’s transaction value to the business.

    Now that you have done all of this, reflect on what went well and what can be improved in case if you have to do this all again in a future transaction.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information
    workshops@infotech.com 1-888-670-8899

    Research Contributors and Experts

    Ibrahim Abdel-Kader
    Research Analyst | CIO
    Info-Tech Research Group
    Brittany Lutes
    Senior Research Analyst | CIO
    Info-Tech Research Group
    John Annand
    Principal Research Director | Infrastructure
    Info-Tech Research Group
    Scott Bickley
    Principal Research Director | Vendor Management
    Info-Tech Research Group
    Cole Cioran
    Practice Lead | Applications
    Info-Tech Research Group
    Dana Daher
    Research Analyst | Strategy & Innovation
    Info-Tech Research Group
    Eric Dolinar
    Manager | M&A Consulting
    Deloitte Canada
    Christoph Egel
    Director, Solution Design & Deliver
    Cooper Tire & Rubber Company
    Nora Fisher
    Vice President | Executive Services Advisory
    Info-Tech Research Group
    Larry Fretz
    Vice President | Industry
    Info-Tech Research Group

    Research Contributors and Experts

    David Glazer
    Vice President of Analytics
    Kroll
    Jack Hakimian
    Senior Vice President | Workshops and Delivery
    Info-Tech Research Group
    Gord Harrison
    Senior Vice President | Research & Advisory
    Info-Tech Research Group
    Valence Howden
    Principal Research Director | CIO
    Info-Tech Research Group
    Jennifer Jones
    Research Director | Industry
    Info-Tech Research Group
    Nancy McCuaig
    Senior Vice President | Chief Technology and Data Office
    IGM Financial Inc.
    Carlene McCubbin
    Practice Lead | CIO
    Info-Tech Research Group
    Kenneth McGee
    Research Fellow | Strategy & Innovation
    Info-Tech Research Group
    Nayma Naser
    Associate
    Deloitte
    Andy Neill
    Practice Lead | Data & Analytics, Enterprise Architecture
    Info-Tech Research Group

    Research Contributors and Experts

    Rick Pittman
    Vice President | Research
    Info-Tech Research Group
    Rocco Rao
    Research Director | Industry
    Info-Tech Research Group
    Mark Rosa
    Senior Vice President & Chief Information Officer
    Mohegan Gaming and Entertainment
    Tracy-Lynn Reid
    Research Lead | People & Leadership
    Info-Tech Research Group
    Jim Robson
    Senior Vice President | Shared Enterprise Services (retired)
    Great-West Life
    Steven Schmidt
    Senior Managing Partner Advisory | Executive Services
    Info-Tech Research Group
    Nikki Seventikidis
    Senior Manager | Finance Initiative & Continuous Improvement
    CST Consultants Inc.
    Allison Straker
    Research Director | CIO
    Info-Tech Research Group
    Justin Waelz
    Senior Network & Systems Administrator
    Info-Tech Research Group
    Sallie Wright
    Executive Counselor
    Info-Tech Research Group

    Bibliography

    “5 Ways for CIOs to Accelerate Value During Mergers and Acquisitions.” Okta, n.d. Web.

    Altintepe, Hakan. “Mergers and acquisitions speed up digital transformation.” CIO.com, 27 July 2018. Web.

    “America’s elite law firms are booming.” The Economist, 15 July 2021. Web.

    Barbaglia, Pamela, and Joshua Franklin. “Global M&A sets Q1 record as dealmakers shape post-COVID world.” Nasdaq, 1 April 2021. Web.

    Boyce, Paul. “Mergers and Acquisitions Definition: Types, Advantages, and Disadvantages.” BoyceWire, 8 Oct. 2020. Web.

    Bradt, George. “83% Of Mergers Fail -- Leverage A 100-Day Action Plan For Success Instead.” Forbes, 27 Jan. 2015. Web.

    Capgemini. “Mergers and Acquisitions: Get CIOs, IT Leaders Involved Early.” Channel e2e, 19 June 2020. Web.

    Chandra, Sumit, et al. “Make Or Break: The Critical Role Of IT In Post-Merger Integration.” IMAA Institute, 2016. Web.

    Deloitte. “How to Calculate Technical Debt.” The Wall Street Journal, 21 Jan. 2015. Web.

    Ernst & Young. “IT As A Driver Of M&A Success.” IMAA Institute, 2017. Web.

    Fernandes, Nuno. “M&As In 2021: How To Improve The Odds Of A Successful Deal.” Forbes, 23 March 2021. Web.

    “Five steps to a better 'technology fit' in mergers and acquisitions.” BCS, 7 Nov. 2019. Web.

    Fricke, Pierre. “The Biggest Opportunity You’re Missing During an M&Aamp; IT Integration.” Rackspace, 4 Nov. 2020. Web.

    Garrison, David W. “Most Mergers Fail Because People Aren't Boxes.” Forbes, 24 June 2019. Web.

    Harroch, Richard. “What You Need To Know About Mergers & Acquisitions: 12 Key Considerations When Selling Your Company.” Forbes, 27 Aug. 2018. Web.

    Hope, Michele. “M&A Integration: New Ways To Contain The IT Cost Of Mergers, Acquisitions And Migrations.” Iron Mountain, n.d. Web.

    “How Agile Project Management Principles Can Modernize M&A.” Business.com, 13 April 2020. Web.

    Hull, Patrick. “Answer 4 Questions to Get a Great Mission Statement.” Forbes, 10 Jan. 2013. Web.

    Kanter, Rosabeth Moss. “What We Can Learn About Unity from Hostile Takeovers.” Harvard Business Review, 12 Nov. 2020. Web.

    Koller, Tim, et al. “Valuation: Measuring and Managing the Value of Companies, 7th edition.” McKinsey & Company, 2020. Web.

    Labate, John. “M&A Alternatives Take Center Stage: Survey.” The Wall Street Journal, 30 Oct. 2020. Web.

    Lerner, Maya Ber. “How to Calculate ROI on Infrastructure Automation.” DevOps.com, 1 July 2020. Web.

    Loten, Angus. “Companies Without a Tech Plan in M&A Deals Face Higher IT Costs.” The Wall Street Journal, 18 June 2019. Web.

    Low, Jia Jen. “Tackling the tech integration challenge of mergers today” Tech HQ, 6 Jan. 2020. Web.

    Lucas, Suzanne. “5 Reasons Turnover Should Scare You.” Inc. 22 March 2013. Web.

    “M&A Trends Survey: The future of M&A. Deal trends in a changing world.” Deloitte, Oct. 2020. Web.

    Maheshwari, Adi, and Manish Dabas. “Six strategies tech companies are using for successful divesting.” EY, 1 Aug. 2020. Web.

    Majaski, Christina. “Mergers and Acquisitions: What's the Difference?” Investopedia, 30 Apr. 2021.

    “Mergers & Acquisitions: Top 5 Technology Considerations.” Teksetra, 21 Jul. 2020. Web.

    “Mergers Acquisitions M&A Process.” Corporate Finance Institute, n.d. Web.

    “Mergers and acquisitions: A means to gain technology and expertise.” DLA Piper, 2020. Web.

    Nash, Kim S. “CIOs Take Larger Role in Pre-IPO Prep Work.” The Wall Street Journal, 5 March 2015. Web.

    Paszti, Laila. “Canada: Emerging Trends In Information Technology (IT) Mergers And Acquisitions.” Mondaq, 24 Oct. 2019. Web.

    Patel, Kiison. “The 8 Biggest M&A Failures of All Time” Deal Room, 9 Sept. 2021. Web.

    Peek, Sean, and Paula Fernandes. “What Is a Vision Statement?” Business News Daily, 7 May 2020. Web.

    Ravid, Barak. “Tech execs focus on growth amid increasingly competitive M&A market.” EY, 28 April 2021. Web.

    Resch, Scott. “5 Questions with a Mergers & Acquisitions Expert.” CIO, 25 June 2019. Web.

    Salsberg, Brian. “Four tips for estimating one-time M&A integration costs.” EY, 17 Oct. 2019. Web.

    Samuels, Mark. “Mergers and acquisitions: Five ways tech can smooth the way.” ZDNet, 15 Aug. 2018. Web.

    “SAP Divestiture Projects: Options, Approach and Challenges.” Cognizant, May, 2014. Web.

    Steeves, Dave. “7 Rules for Surviving a Merger & Acquisition Technology Integration.” Steeves and Associates, 5 Feb. 2020. Web.

    Tanaszi, Margaret. “Calculating IT Value in Business Terms.” CSO, 27 May 2004. Web.

    “The CIO Playbook. Nine Steps CIOs Must Take For Successful Divestitures.” SNP, 2016. Web.

    “The Role of IT in Supporting Mergers and Acquisitions.” Cognizant, Feb. 2015. Web.

    Torres, Roberto. “M&A playbook: How to prepare for the cost, staff and tech hurdles.” CIO Dive, 14 Nov. 2019. Web.

    “Valuation Methods.” Corporate Finance Institute, n.d. Web.

    Weller, Joe. “The Ultimate Guide to the M&A Process for Buyers and Sellers.” Smartsheet, 16 May 2019. Web.

    DORA - Article 7 — Explained

    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A

    Intro

    While this text is about DORA requirements, it is really about resilient availability of your service. Even if you are not bound to this regulation, maybe you are not a financial services provider, the requirements and tips on how to get there are invaluable to your client satisfaction.

    Legal text

    In order to address and manage ICT risk, financial entities shall use and maintain updated ICT systems, protocols and tools that are:
    (a) appropriate to the magnitude of operations supporting the conduct of their activities, in accordance with the
    proportionality principle as referred to in Article 4;
    (b) reliable;
    (c) equipped with sufficient capacity to accurately process the data necessary for the performance of activities and the timely provision of services, and to deal with peak orders, message or transaction volumes, as needed, including where new technology is introduced;
    (d) technologically resilient in order to adequately deal with additional information processing needs as required under
    stressed market conditions or other adverse situations.

    What do you need to do?

    • Determine what systems you need.
    • Inventory the systems you have.
    • Make sure your systems and applications are sized right for your business
      • and made resilient according to the business functions they support
        in relation to the size of the business functions they support (proportionality)
      • and are reliable, meaning they produce consistent results
      • and are resilient, meaning they can withstand adverse effects where needed 

    How do you do this?

    For requirement (a)

    • Identify the capacity requirements for your services
    • Also identify the capacity requirements in case of serious decapacitating events (Business continuity)
    • Detail your capacity management plan so that you can meet the requirements
    • Test your systems for compliamce with these requirements

    For requirement (b)

    • Show the parts of your IT policy that deals with availability, 
    • Show the technical Disaster recovery plans and their execution reports (ideally over a number of years)
    • Show the availability reports for your systems.
    • Show the vulnerability management reports for your systems (optional)

    For requirement (C)

    • Show the availability reports for your systems: this is really the end-result: if you can show that your systems are available even under heavy load, you have won half the battle.
    • Show the capacity requirements for your systems. This is where you can prove you really thought about demad for your service.
    • Show the capacity monitoring plans, plans and roadmaps and reports for your systems
    •  Show the load testing reports executed on your systems

     For requirement (d)

    • Show the identified attacks scenarios and you defend against them
    •  Show the results of your resilience test plans: talk about High availability, Disaster recovery, and manual workaround or alternative workflows (that is business continuity.)

    Many of these solutions will depend on the the solutions and responses to other DORA requirements.

     

    dora

    Understand the Difference Between Backups and Archives

    • Buy Link or Shortcode: {j2store}506|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Storage & Backup Optimization
    • Parent Category Link: /storage-and-backup-optimization
    • You don’t understand the difference between a backup and an archive or when to use one or the other.
    • Data is not constant. It is ever-changing and growing. How do you protect it?
    • You just replaced an application that was in use since day one, and even though you have a fully functional replacement, you would like to archive that original application just in case.
    • You want to save money, so you use your backup solution to archive data, but you know that is not ideal. What is the correct solution?

    Our Advice

    Critical Insight

    Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks, but recovery and discovery are capabilities the business wants and is willing to pay for.

    Impact and Result

    Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.

    Understand the Difference Between Backups and Archives Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the Difference Between Backups and Archives

    What is the difference between a backup and a data archive? When should I use one over the other? They are not the same and confusing the two concepts could be expensive.

    • Understand the Difference Between Backups and Archives Storyboard
    [infographic]

    Further reading

    Understand the Difference Between Backups and Archives

    They are not the same, and confusing the two concepts could be expensive

    Analyst Perspective

    Backups and archives are not interchangeable, but they can complement each other.

    Photo of P.J. Ryan, Research Director, Infrastructure & Operations, Info-Tech Research Group.

    Backups and archives are two very different operations that are quite often confused or misplaced. IT and business leaders are tasked with protecting corporate data from a variety of threats. They also must conform to industry, geographical, and legal compliance regulations. Backup solutions keep the data safe from destruction. If you have a backup, why do you also need an archive? Archive solutions hold data for a long period of time and can be searched. If you have an archive, why do you also need a backup solution? Backups and archives used to be the same. Remember when you would keep the DAT tape in the same room as the argon gas fire suppression system for seven years? Now that's just not feasible. Some situations require a creative approach or a combination of backups and archives.

    Understand the difference between archives and backups and you will understand why the two solutions are necessary and beneficial to the business.

    P.J. Ryan
    Research Director, Infrastructure & Operations
    Info-Tech Research Group

    Executive Summary

    Your Challenge
    • You don’t understand the difference between a backup and an archive or when to use one over the other.
    • Data is not constant. It is ever-changing and growing. How do you protect it?
    • You just replaced an application that had been in use since day one, and even though you have a fully functional replacement, you would like to archive that original application just in case.
    • You want to save money, so you use your backup solution to archive data, but you know that is not ideal. What is the correct solution?
    Common Obstacles
    • Storage costs can be expensive, as can some backup and archiving solutions.
    • Unclear requirements definition to decide between backups or archives.
    • Historically, people referred to archiving as tossing something into a box and storing it away indefinitely. Data archiving has a different meaning.
    • Executives want retired applications preserved but do not provide reasons or requirements.
    Info-Tech’s Approach
    • Spend wisely. Why spend money on an archive solution when a backup will suffice? Don’t leave money on the table.
    • Be creative and assess each backup or archive situation carefully. A custom solution may be required.
    • Backup your production data for the purpose of restoring it and adhere to the 3-2-1 rule of backups (Naviko.com).
    • Archive your older data to an alternate storge platform to save space, allow for searchability, and provide retention parameters.

    Info-Tech Insight

    Keep in mind that backups are for recovery while archives are for discovery. Backups and archives are often confused but understanding the differences can result in significant savings of time and money. Backing up and archiving may be considered IT tasks but recovery and discovery are capabilities the business wants and is willing to pay for.

    Archive

    What it IS

    A data archive is an alternate location for your older, infrequently accessed production data. It is indexed and searchable based on keywords. Archives are deleted after a specified period based on your retention policy or compliance directives.

    What it IS NOT

    Archives are not an emergency copy of your production data. They are not any type of copy of your production data. Archives will not help you if you lose your data or accidentally delete a file. Archives are not multiple copies of production data from various recovery points.

    Why use it

    Archives move older data to an alternate location. This frees up storage space for your current data. Archives are indexed and can be searched for historical purposes, compliance reasons, or in the event of a legal matter where specific data must be provided to a legal team.

    Tips & Tricks – Archiving

    • Archiving will move older data to an alternate location. This will free up storage space in the production environment.
    • Archiving solutions index the data to allow for easier searchability. This will aid in common business searches as well as assist with any potential legal searches.
    • Archiving allows companies to hold onto data for historical purposes as well as for specific retention periods in compliance with industry and regional regulations such as SOX, GDPR, FISMA, as well as others (msp360.com).

    Backup

    What it IS

    A backup is a copy of your data from a specific day and time. It is primarily used for recovery or restoration if something happens to the production copy of data. The restore will return the file or folder to the state it was in at the time of the backup.

    Backups occur frequently to ensure the most recent version of data is copied to a safe location.

    A typical backup plan makes a copy of the data every day, once a week, and once a month. The data is stored on tapes, disk, or using cloud storage.

    What it IS NOT

    Backups are not designed for searching or discovery. If you backup your email and must go to that backup in search of all email pertaining to a specific topic, you must restore the full backup and then search for that specific topic or sender. If you kept all the monthly backups for seven years, that will mean repeating that process 84 times to have a conclusive search, assuming you have adequate storage space to restore the email database 84 times.

    Backups do not free up space.

    Why use it

    Backups protect your data in the event of disaster, deletion, or accidental damage. A good backup strategy will include multiple backups on different media and offsite storage of at least one copy.

    Tips & Tricks – Backups

    • Production data should be backed up on a regular basis, ideally once a day or more frequently if possible.
    • Backups are intended to restore data when it gets deleted, over-written, or otherwise compromised. Most restore requests are from the last 24 to 48 hours, so it may be advantageous to keep a backup readily available on disk for a quick restore when needed.
    • Some vendors and industry subject matter experts advocate the use of a 3-2-1 rule when it comes to backups:
      • Keep three copies of your production data
      • In at least two separate locations (some advocate two different formats), and
      • One copy should be offsite (nakivo.com)

    Cold Storage

    • Cold storage refers to a storage option offered by some cloud vendors. In the context of the discussion between backups and archives, it can be an option for a dedicated backup solution for a specific period. Cost is low and the data is protected from destruction.
    • If an app has been replaced and all data transferred to the replacement solution but for some reason the company wishes to hold onto the data, you want a backup, not an archive. Extract the data, convert it into MongoDB or a similar solution, and drop it into cheap cloud storage (cold storage) for less than $5 per TB/month.

    Case Study

    Understanding the difference between archives and backups could save you a lot of time and money

    INDUSTRY: Manufacturing | SOURCE: Info-Tech Research

    Understanding the difference between an archive and a backup was the first step in solving their challenge.

    A leading manufacturing company found themselves in a position where they had to decide between archiving or doing nothing.

    The company had completed several acquisitions and ended up with multiple legacy applications that had been merged or migrated into replacement solutions. These legacy applications were very important to the original companies and although the data they held had been migrated to a replacement solution, executives felt they should hold onto these applications for a period of time, just in case.

    Some of the larger applications were archived using a modern archiving solution, but when it came to the smaller applications, the cost to add them to the archiving solution greatly exceeded the cost to just keep them running and maintain the associated infrastructure.

    A research advisor from Info-Tech Research Group joined a call with the manufacturing company and discussed their situation. The difference between archives and backups was explained and through the course of the conversation it was discovered that the solution was a modified backup. The application data had already been preserved through the migration, so data could be accessed in the production environment. The requirement to keep the legacy application up and running was not necessary but in compliance with the request to keep the information, the data could be exported from the legacy application into a non-sequential database, compressed, and stored in cloud-based cold storage for less than five dollars per terabyte per month. The manufacturing company’s staff realized that they could apply this same approach to several of their legacy applications and save tens of thousands of dollars in the process.

    Understand the Difference Between Backups and Archives

    Backups

    Backups are for recovery. A backup is a snapshot copy of production data at a specific point in time. If the production data is lost, destroyed, or somehow compromised, the data can be restored from the backup.

    Archives

    Archives are for discovery. It is production data that is moved to an alternate location to free up storage space, allow the data to be searchable, and still hold onto the data for historical or compliance purposes.

    Info-Tech Insight

    Archives and backups are not the same, and there is a use case for each. Sometimes minor adjustments may be required to make the use case work. Understanding the basics of backups and archives can lead to significant savings at a monetary and effort level.

    Additional Guidance

    Production data should be backed up.

    The specific backup solution is up to the business.

    Production data that is not frequently accessed should be archived.

    The specific solution to perform and manage the archiving of the data is up to the business

    • Archived data should also be backed up at least once.
    If the app has been replaced and all data transferred, you want a backup not an archive if you want to keep the data.
    • Short term – fence it off.
    • Long term – extract into Mongo then drop it into cheap cloud storage.

    Case Study

    Using tape backups as an archive solution could result in an expensive discovery and retrieval exercise.

    INDUSTRY: Healthcare | SOURCE: Zasio Enterprises Inc.

    “Do not commingle archive data with backup or disaster recovery tapes.”

    A court case in the United States District Court for the District of Nevada involving Guardiola and Renown Health in 2015 is a good example of why using a backup solution to solve an archiving challenge is a bad idea.

    Renown Health used a retention policy that declared any email older than six months of age as inactive and moved that email to a backup tape. Renown Health was ordered by the court to produce emails from a period of time in the past. Renown estimated that it would cost at least $248,000 to produce those emails, based on the effort involved to restore data from each tape and search for the email in question. Renown Health argued that this long and expensive process would result in undue costs.

    The court reviewed the situation and ruled against Renown Health and ordered them to comply with the request (Zasio.com).

    A proper archiving solution would have provided a quick and low-cost method to retrieve the emails in question.

    Backups and archives are complementary to each other

    • Archives are still production data, but the data does not change. A backup is recommended for the archived data, but the frequency of the backups can be lowered.
    • Backups protect you if a disaster strikes by providing a copy of the production data that was compromised or damaged. Archives allow you to access older data that may have just been forgotten, not destroyed or compromised. Archives could also protect you in a legal court case by providing data that is older but may prove your argument in court.

    Archives and backups are not the same.

    Backups copy your data. Archives move your data. Backups facilitate recovery. Archives facilitate discovery.

    Archive Backup
    Definition Move rarely accessed (but still production) data to separate media. Store a copy of frequently used data on a separate media to ensure timely operational recovery.
    Use Case Legal discovery, primary storage reduction, compliance requirements, and audits. Accidental deletion and/or corruption of data, hardware/software failures.
    Method Disk, cloud storage, appliance. Disk, backup appliance, snapshots, cloud.
    Data Older, rarely accessed production data. Current production data.

    Is it a backup or archive?

    • You want to preserve older data for legal and compliance reasons, so you put extra effort into keeping your tape backups safe and secure for seven years. That’s a big mistake that may cost you time and money. You want an archive solution.
    • You replace your older application and migrate all data to the new system, but you want to hold onto the old data, just in case. That’s a backup, not an archive.
    • A long serving senior executive recently left the company. You want to preserve the contents of the executive's laptop in case it is needed in the future. That’s a backup.

    Considerations When Choosing Between Solutions

    1

    Backup or archive?

    2

    What are you protecting?

    3

    Why are you protecting data?

    4

    Solution

    Backup

    Backup and/or archive.
    Additional information required.
    Column 3 may help

    Archive

    Device

    Data

    Application

    Operational Environment

    Operational recovery

    Disaster recovery

    Just in case

    Production storage space reduction

    Retention and preservation

    Governance, risk & compliance

    Backup

    Archive

    Related Info-Tech Research

    Stock image of light grids and flares. Establish an Effective Data Protection Plan

    Give data the attention it deserves by building a strategy that goes beyond backup.

    Stock image of old fuse box switches. Modernize Enterprise Storage

    Current and emerging storage technologies are disrupting the status quo – prepare your infrastructure for the exponential rise in data and its storage requirements.

    Logo for 'Software Reviews' and their information on 'Compare and Evaluate: Data Archiving.'
    Sample of Info-Tech's 'Data Archiving Policy'. Data Archiving Policy

    Bibliography

    “Backup vs. archiving: Know the difference.” Open-E. Accessed 05 Mar 2022.Web.

    G, Denis. “How to build retention policy.” MSP360, Jan 3, 2020. Accessed 10 Mar 2022.

    Ipsen, Adam. “Archive vs Backup: What’s the Difference? A Definition Guide.” BackupAssist, 28 Mar 2017. Accessed 04 Mar 2022.

    Kang, Soo. “Mitigating the expense of E-discovery; Recognizing the difference between back-ups and archived data.” Zasio Enterprises, 08 Oct 2015. Accessed 3 Mar 2022.

    Mayer, Alex. “The 3-2-1 Backup Rule – An Efficient Data Protection Strategy.” Naviko. Accessed 12 Mar 2022.

    “What is Data-Archiving?” Proofpoint. Accessed 07 Mar 2022.

    Master Contract Review and Negotiation for Software Agreements

    • Buy Link or Shortcode: {j2store}170|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Vendor Management
    • Parent Category Link: /vendor-management
    • Internal stakeholders usually have different – and often conflicting – needs and expectations that require careful facilitation and management.
    • Vendors have well-honed negotiating strategies. Without understanding your own position and leverage points, it’s difficult to withstand their persuasive – and sometimes pushy – tactics.
    • Software – and software licensing – is constantly changing, making it difficult to acquire and retain subject matter expertise.

    Our Advice

    Critical Insight

    • Conservatively, it’s possible to save 5% of the overall IT budget through comprehensive software contract review.
    • Focus on the terms and conditions, not just the price.
    • Learning to negotiate is crucial.

    Impact and Result

    • Look at your contract holistically to find cost savings.
    • Guide communication between vendors and your organization for the duration of contract negotiations.
    • Redline the terms and conditions of your software contract.
    • Prioritize crucial terms and conditions to negotiate.

    Master Contract Review and Negotiation for Software Agreements Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to redline and negotiate your software agreement, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Gather requirements

    Build and manage your stakeholder team, then document your business use case.

    • Master Contract Review and Negotiation for Software Agreements – Phase 1: Gather Requirements
    • RASCI Chart
    • Vendor Communication Management Plan
    • Software Business Use Case Template
    • SaaS TCO Calculator

    2. Redline contract

    Redline your proposed software contract.

    • Master Contract Review and Negotiation for Software Agreements – Phase 2: Redline Contract
    • Software Terms & Conditions Evaluation Tool
    • Software Buyer's Checklist

    3. Negotiate contract

    Create a thorough negotiation plan.

    • Master Contract Review and Negotiation for Software Agreements – Phase 3: Negotiate Contract
    • Controlled Vendor Communications Letter
    • Key Vendor Fiscal Year End Calendar
    • Contract Negotiation Tactics Playbook
    [infographic]

    Workshop: Master Contract Review and Negotiation for Software Agreements

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Collect and Review Data

    The Purpose

    Assemble documentation.

    Key Benefits Achieved

    Understand current position before going forward.

    Activities

    1.1 Assemble existing contracts.

    1.2 Document their strategic and tactical objectives.

    1.3 Identify current status of the vendor relationship and any historical context.

    1.4 Clarify goals for ideal future state.

    Outputs

    Business Use Case

    2 Define Business Use Case and Build Stakeholder Team

    The Purpose

    Define business use case and build stakeholder team.

    Key Benefits Achieved

    Create business use case to document functional and nonfunctional requirements.

    Build internal cross-functional stakeholder team to negotiate contract.

    Activities

    2.1 Establish negotiation team and define roles.

    2.2 Write communication plan.

    2.3 Complete business use case.

    Outputs

    RASCI Chart

    Vendor Communication Management Plan

    SaaS TCO Calculator

    Software Business Use Case

    3 Redline Contract

    The Purpose

    Examine terms and conditions and prioritize for negotiation.

    Key Benefits Achieved

    Discover cost savings.

    Improve agreement terms.

    Prioritize terms for negotiation.

    Activities

    3.1 Review general terms and conditions.

    3.2 Review license- and application-specific terms and conditions.

    3.3 Match to business and technical requirements.

    3.4 Redline agreement.

    Outputs

    Software Terms & Conditions Evaluation Tool

    Software Buyer’s Checklist

    4 Build Negotiation Strategy

    The Purpose

    Create a negotiation strategy.

    Key Benefits Achieved

    Establish controlled communication.

    Choose negotiation tactics.

    Plot negotiation timeline.

    Activities

    4.1 Review vendor- and application-specific negotiation tactics.

    4.2 Build negotiation strategy.

    Outputs

    Contract Negotiation Tactics Playbook

    Controlled Vendor Communications Letter

    Key Vendor Fiscal Year End Calendar

    Take Advantage of Big Tech Layoffs

    • Buy Link or Shortcode: {j2store}573|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select

    Tech layoffs have been making the news over the past year, with thousands of Big Tech employees having been laid off. After years of record low unemployment in IT, many leaders are looking to take advantage of these layoffs to fill their talent gaps.

    However, IT leaders need to determine their response – wait and see the impact of the recession on budgets and candidate expectations, or dive in and secure great talent to execute today on strategic needs. This research is designed to help those IT leaders who are looking to take advantage employee effective talents to secure talent.

    • With the impact of the economic slowdown still unknown, the first question IT leaders need to ask is whether now is the time to act.
    • Even with these layoffs, IT unemployment rates are at record lows, with many organizations continuing to struggle to attract talent. While these layoffs have opened a window, IT leaders need to act quickly to secure great talent.

    Our Advice

    Critical Insight

    The “where has the talent gone?” puzzle has been solved. Many tech firms over-hired and were able to outcompete everyone, but it wasn’t sustainable. This correction won’t impact unemployment numbers in the short term – the job force is just in flux right now.

    Impact and Result

    This research is designed to help IT leaders understand the talent market and to provide winning tactics to those looking to take advantage of the layoffs to fill their hiring needs.

    Take Advantage of Big Tech Layoffs Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Take Advantage of Big Tech Layoffs Storyboard – A snapshot of the current talent market in IT and quick tactics IT leaders can employ to improve their hiring process to find and attract tech talent.

    Straightforward tactics you can execute to successfully recruit IT staff impacted by layoffs.

    • Take Advantage of Big Tech Layoffs Storyboard

    2. IT Talent Acquisition Optimization Tool – Use this tool to document the current and future talent acquisition process.

    To hire efficiently, create a clear, consistent talent acquisition process. The IT Talent Acquisition Process Optimization Tool will help to:

  • Map out the current talent acquisition workflow
  • Identify areas of opportunity and potential gaps in the current process
    • IT Talent Acquisition Optimization Tool
    [infographic]

    Further reading

    Take Advantage of Big Tech Layoffs

    Simple tactics to secure the right talent in times of economic uncertainty.

    Why are the layoffs making the news?

    After three years of record low unemployment rates in IT and organizations struggling to hire IT talent into their organization, the window appears to be opening with tens of thousands layoffs from Big Tech employers.

    Big brand organizations such as Microsoft, Alphabet, Amazon, Twitter, Netflix, and Meta have been hitting major newswires, but these layoffs aren't exclusive to the big names. We've also seen smaller high-growth tech organizations following suit. In fact, in 2022, it's estimated that there were more than 160,997 layoffs across over 1,045 tech organizations. This trend has continued into 2023. By mid-February 2023, there were already 108,754 employees laid off at 385 tech companies (Layoffs.fyi).(1)

    While some of these layoffs have been openly connected to economic slowdown, others are pointing to the layoffs being a correction for over-hiring during the pandemic. It is also important to note that many of these workers were not IT employees, as these organizations also saw cuts across other areas of the business such as sales, marketing, recruitment, and operations.

    (1)This global database is constantly being updated, and these numbers are changing on an ongoing basis. For up-to-date statistics, see https://layoffs.fyi

    While tech layoffs have been making the news, so far many of these layoffs have been a correction to over-hiring, with most employees laid off finding work, if they want it, within three months.

    IT leaders need to determine their response – wait and see the impact of the recession on budgets and candidate expectations or dive in and secure great talent to execute today on strategic needs.

    This research is designed to help IT leaders understand the talent market and provide winning strategies to those looking to take advantage of the layoffs to fill their hiring needs.

    Three key drivers for Big Tech layoffs

    Economic uncertainty

    Globally, economists are predicting an economic slowdown, though there is not a consistent prediction on the impact. We have seen an increase in interest rates and inflation, as well as reduced investment budgets.

    Over-hiring during the pandemic

    High growth and demand for digital technologies and services during the early pandemic led to over-hiring in the tech industry. Many organizations overestimated the future demand and had to rebalance staffing as a result.

    New automation investments

    Many tech organizations that have conducted layoffs are still in a growth mindset. This is demonstrated though new tech investments by these companies in products like chatbots and RPA to semi-automate processes to reduce the need for certain roles.

    Despite layoffs, the labor market remains competitive

    There were at least 160,997 layoffs from more than 1,045 tech companies last year (2022). (Layoffs.fyi reported as of Feb 21/2023)

    But just because Big Tech is laying people off doesn't mean the IT job market has cooled.

    Between January and October 2022 technology- focused job postings rose 25% compared to the same period in 2021, and there were more than 375,000 tech jobs posted in October of 2022.
    (Dice: Tech Jobs Report.)

    Info-Tech Insight

    The "where has the talent gone?" puzzle has been solved. Many tech firms over-hired and were able to outcompete everyone, but it wasn't sustainable. This correction won't impact unemployment numbers in the short term – the job force is just in flux right now.

    So far, many of the layoffs have been a market correction

    Tech Layoffs Since COVID-19

    This is an image of a combo line graph plotting the number of tech layoffs from Q1 2020 to Q4 2022.

    Source: Layoffs.fyi - Tech Layoff Tracker and Startup Layoff Lists

    Tech Companies Layoffs vs. Early Pandemic Hiring # of People

    This is an image of a bar graph plotting Tech Companies Layoffs vs. Early Pandemic Hiring # of People

    Source: Yahoo Finance. Q4 '19 to Q3 '22

    Tech Layoffs between 2020 Q3- 2022 Q1 remained very low across the sector. In fact, outside of the initial increase at the start of the pandemic, layoffs have remained at historic low levels of around 1% (HBR, 2023). While the layoffs look significant in isolation, when you compare these numbers to pandemic hiring and growth for these organizations, the figures are relatively small.

    The first question IT leaders need to ask is whether now is the time to act

    The big gamble many CIOs face is whether to strike now to secure talent or to wait to better understand the impact of the recession. While two-thirds of IT professionals are still expecting their budgets to increase in 2023, CIOs must account for the impact of inflation and the recession on their IT budgets and staffing decisions (see Info-Tech's CEO-CIO Alignment Program).

    Ultimately, while unemployment is low today, it's common to see unemployment numbers drop right before a recession. If that is the case, then we will see more talent entering the market, possibly at more competitive salaries. But organizations that wait to hire risk not having the staff they need to execute on their strategy and finding themselves in a hiring freeze. CIOs need to decide on how to approach the economic uncertainty and where to place their bets.

    Looking ahead to 2023, how do you anticipate your IT spending will change compared to spending in 2022?

    This is an image of anticipated changes to IT spending compared to 2022 for the following categories: Decrease of more than 30%; Decrease between 16-30%; Decrease between 6-15%; Decrease between 1-5%; No Change; Increase between 1-5%; Increase between 6-15%; Increase between 16-30%; Increase of more than 30%

    Info-Tech's CEO-CIO Alignment Program

    Organizations ready to take advantage will need to act fast when layoffs happen

    Organizations looking to fill hiring needs or grow their IT/digital organization will need to be strategic and efficient when it comes to recruitment. Regardless of the number of layoffs, it continues to be an employee market when it comes to IT roles.

    While it is likely that the recession will impact unemployment rates, so far, the market remains hot, and the number of open roles continues to grow. This means that organizations that want to take advantage need to act quickly when news hits.

    Leaders not only need to compete with other organizations for talent, but the other challenge hiring organizations will need to compete with is that many in tech received generous severance packages and will be considering taking time off. To take advantage, leaders need to establish a plan and a clear employee value proposition to entice these highly skilled workers to get off the bench.

    Why you need to act fast:

    • Unemployment rates remain low:
      • Tech unemployment's rates in the US dropped to 1.5% in January 2023 (CompTIA), compared to overall unemployment which is at 3.4% in the US as of January 2023 (Yahoo Finance). While the layoffs look significant, we can see that many workers have been rehired into the labor market.
    • Long time-to-hire results in lost candidates:
      • According to Info-Tech's IT Talent Trend Report, 58% of IT leaders report time-to-hire is longer than two months. This timing increases for tech roles which require unique skills or higher seniority. IT leaders who can increase the timeline for their requirement process are much more likely to be able to take advantage of tech layoffs.

    IT must take a leading role in IT recruitment to take advantage of layoffs

    A personal connection is the differentiator when it comes to talent acquisition

    There is a statistically significant relationship between IT leadership involvement in talent acquisition and the effectiveness of this process in the IT department. The more involved they are, the higher the effectiveness.(1)

    More IT leadership involvement

    An image of two upward facing arrows. The left arrow is faded purple, and the right arrow is dark purple.

    Higher recruitment effectiveness

    Involved leaders see shorter times to hire

    There is a statistically significant relationship between IT leadership involvement in the talent acquisition process and time to fill vacant positions. The more involved they are, the shorter the time to hire.(2)

    Involved leaders are an integral part of effective IT departments

    There is a statistically significant relationship between IT leadership involvement in talent acquisition and overall IT department effectiveness. Those that are more involved have higher levels of effectiveness.(3)

    Increased IT Leadership in Recruitment Is Directly Correlated to Recruitment Effectiveness.

    This is an image of a combo bar graph plotting Overall Effectiveness for IT leadership involvement in recruitment.

    Focus your layoff recruitment strategy on critical and strategic roles

    If you are ready to take advantage of tech layoffs, focus hiring on critical and strategic roles, rather than your operational backfills. Roles related to security, cloud migration, data and analytics, and digital transformation are more likely to be shielded from budget cuts and are logical areas to focus on when looking to recruit from Big Tech organizations.

    Additionally, within the IT talent market, scarcity is focused in areas with specialized skill sets, such as security and architecture, which are dynamic and evolving faster than other skill sets. When looking to recruit in these areas, it's critical that you have a targeted recruitment approach; this is why tech layoffs represent a strong opportunity to secure talent in these specialized areas.

    ROLES DIFFICULT TO FILL

    An image of a bar graph plotting roles by difficulty to fill.

    Info-Tech Talent Trends 2022 Survey

    Four quick tactics to take advantage of Big Tech layoffs

    TALENT ACQUISITION PROCESS TO TAKE ADVANTAGE OF LAYOFFS

    This is an image of the talent acquisition process to take advantage of layoffs. It involves the following four steps: 1 Prepare organization and job ads for recruitment.  2 Actively track and scan for layoff activity.  3 Prioritize and screen candidates using salary benchmarks and keywords.  4 Eliminate all unnecessary hiring process steps.

    Guided Implementation

    What does a typical GI on this topic look like?

    Step 1 Step 2 Step 3 Step 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: IT job ad review.

    Call #4: Identify screening and sourcing opportunities.

    Call #5: Review your IT talent acquisition process.

    Call #3: Employee value proposition review.

    Call #7: Refine your talent acquisition process.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    Tactics to take advantage of tech layoffs

    Activities

    1.1 Spot check your employee value proposition
    1.2 Update job advertisements
    1.3 Document your talent acquisition process
    1.4 Refine your talent acquisition process

    This step involves the following participants:

    • IT executive leadership
    • IT hiring manager
    • Human resources
    • Marketing/public relations

    Outcomes of this step

    Streamlined talent acquisition process tailored to take advantage of tech layoffs.

    This is an image of the talent acquisition process to take advantage of layoffs. It involves the following fo steps: 1 Prepare organization and job ads for recrtment.  2 Actively track and scan for layoff aivity.  3 Prioritize and screen candidates using salary benchmarks and kwords.  4 Eliminate all unnecessary hiring process steps.

    Requisition: update job ads and secure approval to hire

    Critical steps:

    1. Ensure you have secured budget and hiring approval.
    2. Identify an IT recruitment partner within the IT organization who will be accountable for working with HR throughout the process and who will actively track and scan for recruitment opportunities.
    3. Update your IT job descriptions.
    4. Spot check your employee value proposition (EVP) to appeal to targeted candidates (Exercise 1.1).
    5. Write employee job ads for relevant skills and minimum viable experience (Exercise 1.2).
    6. Work with HR to develop your candidate outreach messages – ensure that your outreach is empathetic, aligns with your EVP, and focuses on welcoming them to apply to a role.

    The approval process to activate a requisition can be one of the longest stages in the talent acquisition process. Ensure all your roles are up to date and approved so you can trigger outreach as soon as news hits; otherwise, you'll be late before you've even begun.

    Your employee value proposition (EVP) is a key tool for attracting and retaining talent

    Any updates to your EVP need to be a genuine reflection of the employee experience at your organization – and should resonate internally and externally.

    Internal (retention) perspective: These characteristics help to retain new and existing talent by ensuring that new hires' expectations are met and that the EVP is experienced throughout the organization.

    External (attraction) perspective: These characteristics help to attract talent and are targeted so the right candidates are motivated to join, while those who aren't a good fit will self-select out.

    McLean & Company's Employee Value Proposition Framework

    This is an image of McLean & Company's Employee Value Proposition Framework.  It is divided into Retain and Attract.  under Retain, are the following three headings: Aligned; Accurate; Aspirational.  Under Attract are: Compelling; Clear; Comprehensive.

    Source: McLean & Company

    1.1 Spot check your EVP

    1-3 hours

    1. Review your existing IT employee value proposition. If you do not have an EVP, see Info-Tech's comprehensive research Improve the IT Recruitment Process to draft a new EVP.
    2. Invite a representative group of employees to participate in a working group to improve your employee value proposition. Ask each participant to brainstorm the top five things they value most about working at the organization.
    3. Consider the following categories: work environment, career advancement, benefits, and ESG and diversity impact. Brainstorm as a group if there is anything unique your organization offers with regard to these categories.
    4. Compare your notes to your existing EVP, identify up to four key statements to focus on for the EVP, ensuring that your EVP speaks to at least one of the categories above. Remove any statements that no longer speak to who you are as an organization or what you offer.

    Input

    • Existing employee value proposition
    • Employee Engagement Surveys (If Available)

    Output

    • Updated employee value proposition

    Materials

    • Whiteboard/flip charts
    • Job ad template

    Participants

    • Representative group of internal employees.
    • HR
    • Marketing/PR (if possible)

    Four critical factors considered by today's job seeker

    1. Be specific about remote work policies: Include verbiage about whether there is an option to work hybrid or remote. 81% of job seekers stated that whether a job is remote, hybrid, or in-person was a top factor in whether they'd accept an offer (Benefits Canada, 2022).
    2. Career advancement and stability: "37% of Gen Z employees and 25% of millennial employees are currently looking for a job that offers career progression transparency — or, in other words, a job with clear opportunities for growth. This is significantly higher than our findings for older generations Gen X (18%) and baby boomers (7%)," (Lattice, 2021).
    3. Unique benefits: Consider your unique benefits – it's not the Big Tech "fun perks" like slides and ping pong that drive interest. Employees are increasingly looking for roles with long-term benefits programs. 90% of job seekers consider higher pension contributions to be a key factor, and 85% are considering bonuses/profit sharing" (Benefits Canada, 2022). Candidates may accept lower total compensation in exchange for flexibility, culture, work/life balance that was lacking in the start-up scene or the mega-vendors' fast-paced world.
    4. ESG and diversity impact: Include details of how the candidate will make a societal impact through their role, and how the company is acting on climate and sustainability. "Nearly two in five [Gen Z's and millennials] say they have rejected a job or assignment because it did not align with their values," (Deloitte Global, 2022).

    Update or establish job ads for candidate outreach

    Take the time up front to update your IT job descriptions and to write effective job advertisements. A job advertisement is an external-facing document that advertises a position with the intent of attracting job applicants. It contains key elements from the job description as well as information on the organization and its EVP. A job description informs a job ad, it doesn't replace it.
    When updating job descriptions and job ads, it's critical that your requirements are an accurate representation of what you need in the position. For the job ads especially, focus on the minimum requirements for the role, highlight your employee value proposition, and ensure that they are using inclusive language.
    Don't be lulled into using a job description as a posting when there's a time crunch to fill a position – use your preparation time to complete this key step.

    Three tips to consider when building a job ad

    Include the minimum desired requirements

    Include the required skills, responsibilities, and certifications required. Instead of looking for a unicorn, look for what you need and a demonstrated ability to learn. 70% of business executives say they are getting creative about sourcing for skills rather than just considering job experience (Deloitte Insights, 2022).

    Strategically include certifications

    When including certifications, ensure you have validated the process to be certified – i.e. if you are hiring for a role with 3-5 years' experience, ensure that the certification does not take 5-10 years of experience be eligible.

    Use inclusive language

    Consider having a review group within your IT organization to ensure the language is inclusive, that the responsibilities don't read as overly complex, and that it is an accurate representation of the organization's culture.

    1.2 Update or build job ads

    1-3 hours

    1. Begin with a copy of the job ad you are looking to fill, if you haven't begun to draft the role, start with Info-Tech's Job Description Library and Info-Tech's Job Ad Template.
    2. Review the job accountabilities, rank each responsibility based on its importance and volume of work. Determine if there are any responsibilities that are uncommon to be executed by the role and remove unnecessary responsibilities.
    3. For each of the job accountabilities, identify if there is a level of experience, knowledge or competency that would be the minimum bar for a candidate. Remove technical skills, specific technologies, and competencies that aren't directly relevant to the role, responsibilities or values.
    4. Review the education and requirements, and ensure that any certification or educational background is truly needed or suggested.
    5. Use the checklist on the following tab to review and update your job ad.

    Input

    • Job description
    • Employee value proposition
    • Job ad template

    Output

    • Completed job ad

    Materials

    • Whiteboard/flip charts
    • Web share

    Participants

    • Representative group of internal employees.
    • HR
    • Marketing/PR (if possible)

    1.2 Job ad checklist:

    A job ad needs to be two things: effective and inclusive.

    Effective

    The job ad does include:

    The organization's logo.
    Description of the organization.
    Information about benefits.
    A link to the organization's website and social media platforms.
    Steps in the application process and what candidates can expect.

    The job ad:

    Paints an accurate picture of key aspects of the role.
    Tells a story to show potential candidates how the role and organization will fit into their career path (outlines potential career paths, growth opportunities, training, etc.).
    Does not contain too many details and tasks that would overwhelm applicants.
    Highlights the employer brand in a manner that conveys the EVP and markets the organization to attract potential applicants.
    Includes creative design or formatting to make the ad stand out.
    The job ad speaks to the audience by using targeted language (e.g. using creative language when recruiting for a creative role).
    The job ad has been reviewed by HR, Marketing, PR.

    Inclusive

    The job ad does NOT include:

    Industry jargon or abbreviations that are not spelled out.
    Personality characteristics and unnecessary adjectives that would deter qualified candidates (e.g. extroverted, aggressive, competitive).
    A list of specific academic disciplines or schools, GPA requirements, or inflated degree requirements.

    The job ad:

    Uses gender-neutral language and does not contain terms that indicate traits that are typically associated with a specific gender.
    Can be viewed and applications can be completed on mobile devices.
    Focuses on results, day-to-day requirements, competencies, and transferrable skills.
    Includes design that is accessible (e.g. alternative text is provided for images, clear posting structure with headings, color is not used to convey information).

    Sourcing: Set up news trackers and review layoff source lists

    • Set up news and social media trackers to track layoff updates, and ensure you have an IT staff member on standby to complete a more detailed opportunity analysis when layoffs happen.
    • Use layoff source lists such as Layoffs.fyi to actively track organizations that have laid people off, noting the industry, location, and numbers in order to identify potential candidates. Limit your future analysis to locations that would be geographically possible to hire from.
    • Review open-source lists of laid-off employees to quickly identify potential candidates for your organization.
    • Many organizations that have completed layoffs have established outplacement programs to help laid-off staff find new roles. Set a plan in motion with HR to reach out to organizations once a layoff has occurred to understand their layoff support program.

    The key to successful sourcing is for IT to take an active role in identifying which organizations impacted by layoffs would be a good fit, and to quickly respond by searching open-source lists and LinkedIn to reach out potential candidates.

    Consider leveraging open-source lists

    Layoffs.fyi has been tracking and reporting on layoffs since the start of COVID-19. While they are not an official source of information, the site has more than a million views per month and is a strong starting point for IT leaders looking to source candidates from tech layoffs beyond the big organizations that are making the news.

    The site offers a view of companies with layoffs by location, industry, and the source of the info. Additionally, it often lists the names and contact information of laid-off employees, which you can leverage to start your deeper LinkedIn outreach or candidate screening.

    This is an image of two screenshots of open source lists from Layoffs.fyi

    Screenshots from Layoffs.fyi.

    Screening: Prioritize by considering salary benchmarks and keywords

    • Determine a set of consistent pre-screening questions to leverage while screening candidates, which every candidate must answer, including knockout questions.
    • Prioritize by going for salary ranges you can afford: It is important to be aware of what companies are paying within the tech arena, so you know if your salary bands are within a competitive range.
    • Pre-screen resumes using appropriate keywords that are critical for the role, and widen the terms if you do not have enough candidates. Given the pool you are looking to recruit from, consider removing criteria specifically related to education or certifications; instead, prioritize skills and on-the-job experience.

    Screening is one of the most time-consuming stages of the TA process. For each open position, it can take 23 hours to screen resumes (Toolbox, 2021). In fact, 52% of TA leaders believe that screening candidates from a large pool of applicants is the hardest part of recruitment (Ideal, 2021).

    Compensation comparison reports

    Keep in mind that the market may be shifting rapidly as layoffs proliferate, so what the data shows, particularly on free-to-use sites with little data-checking, may not be current and may be overstated. Info-Tech does not provide salary analysis; however, there are publicly available reports and online websites with self-reported data.

    This list contains several market data sources for the tech industry, which may be a good starting point for comparison. Info-Tech is not affiliated with or endorsing any of these market data sources.

    Aon Global Cyber Security Compensation and Talent Survey
    Aon – Radford Surveys Radford Global Technology Survey
    Culpepper Comprehensive Compensation Survey Solution for Technology-Focused Companies
    Modis 2022 IT Compensation Guide
    Motion Recruitment 2023 Tech Salary Guide
    Mondo 2022 Salary Guide for roles & jobs across the technology, creative & digital marketing industries.
    Willis Towers Watson Willis Towers Watson Data Services - Artificial Intelligence and Digital Talent
    Willis Towers Watson 2022 Artificial Intelligence and Digital Talent Survey Report - Canada
    Willis Towers Watson 2022 Artificial Intelligence and Digital Talent Survey Report - U.S.
    Michael Page Salary Guide 2022 for the Greater Toronto Area Technology Industry
    Willis Towers Watson Willis Towers Watson Data Services - Tech, Media, and Gaming
    Willis Towers Watson 2022 Tech, Media and Gaming Executive Survey Report - Canada
    Willis Towers Watson 2022 Tech, Media and Gaming Middle Management, Professional and Support Survey Report - Canada
    Willis Towers Watson 2022 Tech, Media and Gaming Executive Survey Report - U.S.
    Willis Towers Watson 2022 Tech, Media and Gaming Middle Management, Professional and Support Survey Report - U.S.

    Work with your HR partner to streamline your talent acquisition process

    A slow talent acquisition process presents multiple risks to your ability to recruit. Candidates are likely having multiple hiring conversations, and you could lose a good candidate just by being slower than another organization. Additionally, long hiring processes are also an indicator of a high level of bureaucracy in an organization, which may turn off tech candidates who are used to faster-paced decision making.

    Reducing your time-to-hire needs to be a strategic priority, and companies that manage to do this are reaping the benefits: There is a statistically significant relationship between time to fill vacant positions and overall IT department effectiveness. The shorter the time to fill a position, the higher the effectiveness (Bika, 2019).

    Key Considerations for Optimizing your Talent Acquisition Process

    Key Considerations for Optimizing your Talent Acquisition Process

    Review the end-to-end experience

    50%

    of job seekers surveyed had "declined a job offer due to poor [candidate] experience," (Echevarria, 2020).

    Reduce the time to hire

    55%

    "of candidates believe that it should take one to two weeks from the first interview to being offered the job," (Duszyński, 2021).

    Be clear on Timelines

    83%

    "of candidates say it would greatly improve the overall experience if employers provided a clear timeline of the hiring process," (Miller, n.d.).

    Time to hire: Identify solutions to drive efficient hiring

    1. Document all steps between screening and hiring and remove any unnecessary steps.
    2. Create clearly defined interview guides to ensure consistent questioning by interviewers.
    3. Enable hiring managers to schedule their own interviews.
    4. Determine who needs to approve an offer. Streamline the number of approvals, if possible.
    5. Eliminate unnecessary background checks. Many companies have eliminated reference checks, for example, after determining that it was it was not adding value to their decision.
    6. Identify and track key metrics across your talent acquisition process.

    It is critical to partner with your HR department on optimizing this process, as they are typically the process owners and will have deep knowledge of the rationale for decisions. Together, you can identify some opportunities to streamline the process and improve the time to hire.

    4.1 Document your TA process

    1-3 hours

    1. If you have a documented talent acquisition process, begin with that; if not, open the IT Talent Acquisition Process Optimization Tool and map the stages of the talent acquisition process with your HR leader. Stages are the top level in the process (e.g. requisition, sourcing, screening).
    2. Identify all the stakeholders involved in IT talent acquisition and document these in the tool.
    3. Next, identify the steps required for each stage. These are more detailed actions that together will complete the stage (e.g. enter requisition into ATS, intake meeting). Ask subject matter experts to add steps to their portion of the process and document these in the cells.
    4. For each step in the stage, record the time required and the number of people who are involved.

    Input

    • Existing talent acquisition (TA) process document
    • Any TA process metrics
    • Info-Tech's Talent Acquisition Process Optimization Tool

    Output

    • Documented TA process

    Materials

    • Info-Tech's Talent Acquisition Process Optimization Tool
    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • HR
    • IT leaders
    • Hiring manager

    Download the IT Talent Acquisition Process Optimization Tool

    Example of steps in each stage of the TA process

    Activities

    Requisition

    Source

    Screen

    Interview & Assess

    Offer

    Background Check

    Vacancy identified Posted on website Resumes screened in system Interviews scheduled Offer letter drafted Reference checks conducted
    Requisition submitted Posted on job boards Resume screened by recruited First round interviews Offer letter sent Medical checks conducted
    Requisition approved Identification of layoff sources Resumed reviewed by hiring manager Assessment Negotiations Other background checks conducted
    Job description updated Review layoff source lists Screening calls Second round interview First date confirmed
    Job ad updated Screening questions developed Candidates selected
    Intake meeting

    4.2 Refine your TA process

    1-3 hours

    1. Collectively identify any:
      1. Inconsistent applications: Activities that are done differently by different participants.
      2. Bottlenecks: A place in the process where activity is constrained and holds up next steps.
      3. Errors: When a mistake occurs requiring extra time, resources, or rework.
      4. Lack of value: An activity that adds little to no value (often a legacy activity).
    2. Work with HR to identify any proposed solutions to improve consistency, reduce bottlenecks, errors, or eliminate steps that lack value. Document your proposed solutions in tab 3 of the IT Talent Acquisition Optimization Tool.
    3. Identify any new steps needed that would drive greater efficiency, including the tactics suggested in this research. Document any proposed solutions in tab 3.
    4. For each proposed solution, evaluate the general level of effort and impact required to move forward with that solution and select the appropriate classification from the drop-down.
    5. Determine if you will move forward with the proposed solution at this time. Update the TA workflow with your decisions.

    Input

    • Existing talent acquisition (TA) process document
    • Any TA process metrics
    • Info-Tech's Talent Acquisition Process Optimization Tool

    Output

    • Documented TA process

    Materials

    • Info-Tech's Talent Acquisition Process Optimization Tool
    • Whiteboard/flip charts
    • Sticky notes

    Participants

    • HR
    • IT leaders
    • Hiring manager

    Use Info-Tech's IT Talent Acquisition Optimization Tool to document current challenges & target solutions.

    Map your process and identify opportunities to streamline

    This is an image of the talent aquisitions workflow page from Info-Tech's Map your process and identify opportunities to streamline

    Brainstorm and select solutions to improve your process

    This is an image of the Effort Analysis page from Info-Tech's Brainstorm and select solutions to improve your process

    Key considerations when optimizing your process

    • Put yourself in each stakeholder's shoes (candidate, HR, hiring manager). Think through what they need from the process.
    • Challenge assumptions and norms. It can be tempting to get caught up in "how we do it today." Think beyond how it is today.
    • Question timing of activities and events. Identify if they are occurring when they need to.
    • Rebalance work to align with priorities. Identify if work can be redistributed or condensed to use time more efficiently.
    • Distinguish when consistency will add value and when there should be process flexibility.
    • Question the value. For each activity, ask "What value does this activity add?"

    Select metrics to measure Talent Acquisition process improvement

    METRICS INFORMATION
    Metric Definition Calculation
    Average applicants per posting The average number of applicants received per post. Number of applications / Number of postings
    Average number of interviews for open job positions Average number of interviews for open job positions. Total number of interviews / Total number of open job positions
    Average external time to fill Average number of calendar days from when the requisition is issued to when a candidate accepts the position from outside the organization. External days to fill / External candidates
    Pipeline throughput Percentage of candidates advancing through to the next stage. (Number of candidates in chosen stage / Number of candidates in preceding stage) * 100
    External offer acceptance rate Percentage of job offers extended to external candidates that were accepted. (Number of job offers that are accepted / Number of job offers extended) * 100
    Percentage of target group hired The percentage of a target group that was hired. Number of FTE hired / Target number of FTE to be hired
    Average time to hire Average number of calendar days between first contact with the candidate and when they accept the offer. Sum of number of days between first contact and offer acceptance / External candidates
    Quality of hire Percentage of new hires achieving a satisfactory appraisal at their first assessment. New hires who achieve a satisfactory rating at their first appraisal / Total number of new hires
    Vacancy rate Percentage of positions being actively recruited for at the end of the reporting period. Count of vacant positions / (Headcount + Vacant positions)

    Bibliography

    "81% of Employees Factoring Hybrid Work Into Job Search: Survey." BenefitsCanada.com, 16 June 2022.
    Andre, Louie. "40 Notable Candidate Experience Statistics: 2023 Job Application Trends & Challenges." Financesonline.Com, 15 Mar. 2023.
    Bika, Nikoletta. "Key Hiring Metrics: Useful Benchmarks for Tech Roles." Recruiting Resources: How to Recruit and Hire Better, 10 Jan. 2019.
    "Bureau of Labor Statistics Labor Market Revisions Contribute to Conflicting Signals in Latest Tech Employment Data, CompTIA Analysis Finds." CompTIA, 3 Feb. 2023. Press release.
    Byrnes, Amy. "ICIMS Insights Workforce Report: Time to Press the Reset Button?" ICIMS | The Leading Cloud Recruiting Software, 1 Dec. 2022.
    Cantrell, Sue, et al. "The Skills-Based Organization: A New Operating Model for Work and the Workforce." Deloitte Insights, 8 Sept. 2022.
    deBara, Deanna. "Top Findings from Lattice's Career Progression Survey." Lattice, 13 Sept. 2021. Accessed 16 Feb. 2023.
    Duszyński, Maciej. "Candidate Experience Statistics (Survey of 1,000+ Americans)." Zety, 14 Oct. 2019.
    Duszyński, Maciej. "Candidate Experience Statistics." Zety, 2021.
    Echevarria, Desiree. "2020 Candidate Experience Report." Career Plug, 17 Mar. 2021.
    Ghosh, Prarthana. "Candidate Screening and Selection Process: The Complete Guide for 2021." Spiceworks, 26 Feb. 2021. Accessed 22 Jun. 2021
    "Introduction - Dice Tech Job Report: Tech Hiring Trends by Location, Industry, Role and Skill." Accessed 16 Feb. 2023.
    Lee, Roger. "Tech Layoff Tracker and Startup Layoff Lists." Layoffs.fyi. Accessed 16 Feb. 2023.
    Miller, Kandace. "Candidate Experience And Engagement Metrics You Should Be Tracking." ConveyIQ, n.d. Accessed 16 Feb. 2023.
    Min, Ji-A. "Resume Screening: A How-To Guide for Recruiters." Ideal, 15 Mar. 2021. Web.
    Palmeri, Shelby. "2023 Candidate Experience Research: Strategies for Recruiting." CareerPlug, 6 Feb. 2023.
    Semenova, Alexandra. "Jobs Report: U.S. Economy Adds 517,000 Jobs in January, Unemployment Rate Falls to 3.4% as Labor Market Stuns." Yahoo!Finance, 3 Feb. 2023.
    Sozzi, Brian. "Big Tech Layoffs: What Companies Such as Amazon and Meta Have in Common." Yahoo!News, 6 Feb. 2023.
    Tarki, Atta. "Despite Layoffs, It's Still a Workers' Labor Market." Harvard Business Review, 30 Jan. 2023.
    The Deloitte Global 2022 Gen Z and Millennial Survey. Deloitte Global, 2022. Accessed 16 Feb. 2023.
    "Uncover the Employee Value Proposition." McLean & Company, 21 Jun. 2022. Accessed 22 Feb. 2023.

    Maintain an Organized Portfolio

    • Buy Link or Shortcode: {j2store}432|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $3,059 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • All too often, the portfolio of programs and projects looks more like a random heap than a strategically organized and balanced collection of investments that will drive the business forward.
    • Portfolio managers know that with the right kind of information and the right level of process maturity they can get better results through the portfolio; however, organizations often assume (falsely) that the required level of maturity is out of reach from their current state and perpetually delay improvements.

    Our Advice

    Critical Insight

    • The information needed to define clear and usable criteria for organizing the portfolio of programs and projects already exists. Portfolio managers only need to identify the sources of that information and institute processes for regularly reviewing that information in order to define those criteria.
    • Once a portfolio manager has a clear idea of the goals and constraints that shape what ought to be included (or removed) from the portfolio and once these have been translated into clear and usable portfolio criteria, basic portfolio management processes can be instituted to ensure that these criteria are used consistently throughout the various stages of the project lifecycle.
    • Portfolio management frameworks and processes do not need to be built from scratch. Well-known frameworks – such as the one outlined in COBIT 5 APO05 – can be instituted in a way that will allow even low-maturity organizations to start organizing their portfolio.
    • Organizations do not need to grow into portfolio management frameworks to get the benefits of an organized portfolio; instead, they can grow within such frameworks.

    Impact and Result

    • An organized portfolio will ensure that the projects and programs included in it are strategically aligned and can actually be executed within the finite constraints of budgetary and human resource capacity.
    • Portfolio managers are better empowered to make decisions about which projects should be included in the portfolio (and when) and are better empowered to make the very tough decisions about which projects should be removed from the portfolio (i.e. cancelled).
    • Building and maturing a portfolio management framework will more fully integrate the PMO into the broader IT management and governance frameworks, making it a more integral part of strategic decisions and a better business partner in the long run.

    Maintain an Organized Portfolio Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should maintain an organized portfolio of programs and projects, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess the current state of the portfolio and PPM processes

    Analyze the current mix of programs and projects in your portfolio and assess the maturity of your current PPM processes.

    • Maintain an Organized Portfolio – Phase 1: Assess the Current State of the Portfolio and PPM Processes
    • Project Portfolio Organizer
    • COBIT APO05 (Manage Portfolio) Alignment Workbook

    2. Enhance portfolio organization through improved PPM criteria and processes

    Enhance and optimize your portfolio management processes to ensure portfolio criteria are clearly defined and consistently applied across the project lifecycle when making decisions about which projects to include or remove from the portfolio.

    • Maintain an Organized Portfolio – Phase 2: Enhance Portfolio Organization Through Improved PPM Criteria and Processes
    • Portfolio Management Standard Operating Procedures

    3. Implement improved portfolio management practices

    Implement your portfolio management improvement initiatives to ensure long-term sustainable adoption of new PPM practices.

    • Maintain an Organized Portfolio – Phase 3: Implement Improved Portfolio Management Practices
    • Portfolio Management Improvement Roadmap Tool
    [infographic]

    Workshop: Maintain an Organized Portfolio

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess Portfolio Mix and Portfolio Process Current State

    The Purpose

    Analyze the current mix of the portfolio to determine how to better organize it according to organizational goals and constraints.

    Assess which PPM processes need to be enhanced to better organize the portfolio.

    Key Benefits Achieved

    An analysis of the existing portfolio of projects (highlighting areas of concern).

    An analysis of the maturity of current PPM processes and their ability to support the maintenance of an organized portfolio.

    Activities

    1.1 Pre-work: Prepare a complete project list.

    1.2 Define existing portfolio categories, criteria, and targets.

    1.3 Analyze the current portfolio mix.

    1.4 Identify areas of concern with current portfolio mix.

    1.5 Review the six COBIT sub-processes for portfolio management (APO05.01-06).

    1.6 Assess the degree to which these sub-processes have been currently achieved at the organization.

    1.7 Assess the degree to which portfolio-supporting IT governance and management processes exist.

    1.8 Perform a gap analysis.

    Outputs

    Analysis of the current portfolio mix

    Assessment of COBIT alignment and gap analysis.

    2 Define Portfolio Target Mix, Criteria, and Roadmap

    The Purpose

    Define clear and usable portfolio criteria.

    Record/design portfolio management processes that will support the consistent use of portfolio criteria at all stages of the project lifecycle.

    Key Benefits Achieved

    Clearly defined and usable portfolio criteria.

    A portfolio management framework that supports the consistent use of the portfolio criteria across all stages of the project lifecycle.

    Activities

    2.1 Identify determinants of the portfolio mix, criteria, and constraints.

    2.2 Define the target mix, portfolio criteria, and portfolio metrics.

    2.3 Identify sources of funding and resourcing.

    2.4 Review and record the portfolio criteria based upon the goals and constraints.

    2.5 Create a PPM improvement roadmap.

    Outputs

    Portfolio criteria

    Portfolio metrics for intake, monitoring, closure, termination, reprioritization, and benefits tracking

    Portfolio Management Improvement Roadmap

    3 Design Improved Portfolio Sub-Processes

    The Purpose

    Ensure that the portfolio criteria are used to guide decision making at each stage of the project lifecycle when making decisions about which projects to include or remove from the portfolio.

    Key Benefits Achieved

    Processes that support decision making based upon the portfolio criteria.

    Processes that ensure the portfolio remains consistently organized according to the portfolio criteria.

    Activities

    3.1 Ensure that the metrics used for each sub-process are based upon the standard portfolio criteria.

    3.2 Establish the roles, accountabilities, and responsibilities for each sub-process needing improvement.

    3.3 Outline the workflow for each sub-process needing improvement.

    Outputs

    A RACI chart for each sub-process

    A workflow for each sub-process

    4 Change Impact Analysis and Stakeholder Engagement Plan

    The Purpose

    Ensure that the portfolio management improvement initiatives are sustainably adopted in the long term.

    Key Benefits Achieved

    Stakeholder engagement.

    Sustainable long-term adoption of the improved portfolio management practices.

    Activities

    4.1 Conduct a change impact analysis.

    4.2 Create a stakeholder engagement plan.

    Outputs

    Change Impact Analysis

    Stakeholder Engagement Plan

    Completed Portfolio Management SOP

    2020 Applications Priorities Report

    • Buy Link or Shortcode: {j2store}159|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization
    • Although IT may have time to look at trends, it does not have the capacity to analyze the trends and turn them into initiatives.
    • IT does not have time to parse trends for initiatives that are relevant to them.
    • The business complains that if IT does not pursue trends the organization will get left behind by cutting-edge competitors. At the same time, when IT pursues trends, the business feels that IT is unable to deal with the basic issues.

    Our Advice

    Critical Insight

    • Take advantage of a trend by first understanding why it is happening and how it is actionable. Build momentum now. Breaking a trend into bite-sized initiatives and building them into your IT foundations enables the organization to maintain pace with competitors and make the technological leap.
    • The concepts of shadow IT and governance are critical. As it becomes easier for the business to purchase its own applications, it will be essential for IT to embrace this form of user empowerment. With a diminished focus on vendor selection, IT will drive the most value by directing its energy toward data and integration governance.

    Impact and Result

    • Determine how to explore, adopt, and optimize the technology and practice initiatives in this report by understanding which core objective(s) each initiative serves:
      • Optimize the effectiveness of the IT organization.
      • Boost the productivity of the enterprise.
      • Enable business growth through technology.

    2020 Applications Priorities Report Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief for a summary of the priorities and themes that an IT organization should focus on this year.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Read the 2020 Applications Priorities Report

    Use Info-Tech's 2020 Applications Priorities Report to learn about the five initiatives that IT should prioritize for the coming year.

    • 2020 Applications Priorities Report Storyboard
    [infographic]

    Develop Your Value-First Business Process Automation Strategy

    • Buy Link or Shortcode: {j2store}236|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Optimization
    • Parent Category Link: /optimization

    Business process automation (BPA) has gained momentum, especially as pilots result in positive outcomes such as improved customer experience, efficiencies, and cost savings. Stakeholders want to invest more in BPA solutions and scale initial successes across different business and IT functions.

    But it’s critical to get it right and not fall into the hype so that the costs don’t outweigh the benefits.

    Ultimately, all BPA initiatives should align with a common vision.

    Build the right BPA strategy – smarter, not faster

    Organizations should adopt a methodical approach to growing their BPA, taking cost, talent availability, and goals into account.

    1. Recognize the true value of automation. Successful BPA improves more than cost savings and revenue generation. Employee satisfaction, organizational reputation, brand, and better-performing products and services are other sought-after benefits.
    2. Consider all relevant factors as you build a strategy. Take into account the impact BPA initiatives will have on users, risk and change appetites, customer satisfaction, and business priorities.
    3. Mature your practice as you scale your BPA technologies. Develop skills, resources, and governance practices as you scale your automation tools. Deploy BPA with quality in mind, then continuously monitor, review, and maintain the automation for success.
    4. Learn from your initial automations. Maximize what you learn from your minimum viable automations (MVA) and use that knowledge to build and scale your automation implementation across the organization.

    Develop Your Value-First Business Process Automation Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Business Process Automation Strategy Deck – A step-by-step document that walks you through how to position business process automation as a key capability and assess the organization’s readiness for its adoption.

    This blueprint helps you develop a strategy justify the scaling and maturing of your business process automation (BPA) practices and capabilities to fulfill your business priorities.

    • Develop Your Value-First Business Process Automation Strategy – Phases 1-4

    2. Business Process Automation Strategy Template – A template to help you build a clear and compelling strategy document for stakeholders.

    Document your business process automation strategy in the language your stakeholders understand. Tailor this document to fit your BPA objectives and initiatives.

    • Business Process Automation Strategy Template

    3. Business Process Automation Maturity Assessment Tool – A tool to help gauge the maturity of your BPA practice.

    Evaluate the maturity of the key capabilities of your BPA practice to determine its readiness to support complex and scaled BPA solutions.

    • Business Process Automation Maturity Assessment Tool

    Infographic

    Workshop: Develop Your Value-First Business Process Automation Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Context

    The Purpose

    Understand the business priorities and your stakeholders' needs that are driving your business process automation initiatives while abiding by the risk and change appetite of your organization.

    Key Benefits Achieved

    Translate business priorities to the context of business process automation.

    Arrive at a common definition of business value.

    Come to an understanding of the needs, concerns, and problems of BPA stakeholders.

    Discover organizational risk and change tolerance and appetite.

    Activities

    1.1 Set the Business Context

    1.2 Understand Your Stakeholder Needs

    1.3 Build Your Risk & Change Profile

    Outputs

    Business problem, priorities, and business value definition

    Customer and end-user assessment (e.g. personas, customer journey)

    Risk and change profile

    2 Define Your BPA Objectives and Opportunities

    The Purpose

    Set reasonable and achievable expectations for your BPA initiatives and practices, and select the right BPA opportunities to meet these expectations.

    Key Benefits Achieved

    Align BPA objectives and metrics to your business priorities.

    Create guiding principles that support your organization’s and team’s culture.

    Define a vision of your target-state BPA practice

    Create a list of BPA opportunities that will help build your practice and meet business priorities.

    Activities

    2.1 Define Your BPA Expectations

    2.2 List Your Guiding Principles

    2.3 Envision Your BPA Target State

    2.4 Build Your Opportunity Backlog

    Outputs

    BPA problem statement, objectives, and metrics

    BPA guiding principles

    Desired scaled BPA target state

    Prioritized BPA opportunities

    3 Assess Your BPA Maturity

    The Purpose

    Evaluate the current state of your BPA practice and its readiness to support scaled and complex BPA solutions.

    Key Benefits Achieved

    List key capabilities to implement and optimize to meet the target state of your BPA practice.

    Brainstorm solutions to address the gaps in your BPA capabilities.

    Activities

    3.1 Assess Your BPA Maturity

    Outputs

    BPA maturity assessment

    4 Roadmap Your BPA Initiatives

    The Purpose

    Identify high-priority key initiatives to support your BPA objectives and goals, and establish the starting point of your BPA strategy.

    Key Benefits Achieved

    Create an achievable roadmap of BPA initiatives designed to deliver good practices and valuable automations.

    Perform a risk assessment of your BPA initiatives and create mitigations for high-priority risks.

    Find the starting point in the development of your BPA strategy.

    Activities

    4.1 Roadmap Your BPA Initiatives

    4.2 Assess and Mitigate Your Risks

    4.3 Complete Your BPA Strategy

    Outputs

    List of BPA initiatives and roadmap

    BPA initiative risk assessment

    Initial draft of your BPA strategy

    Improve Your IT Recruitment Process

    • Buy Link or Shortcode: {j2store}578|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Attract & Select
    • Parent Category Link: /attract-and-select

    Business and IT leaders aiming to recruit and select the best talent need to:

    • Get involved in the talent acquisition process at key moments.
    • Market their organization to top talent through an authentic employer brand.
    • Create engaging and accurate job ads.
    • Leverage purposeful sourcing for anticipated talent needs.
    • Effectively assess candidates with a strong interview process.
    • Set up new employees for success.

    Our Advice

    Critical Insight

    To create a great candidate experience, IT departments must be involved in the process at key points, recruitment and selection is not a job for HR alone!

    Impact and Result

    • Use this how-to guide to articulate an authentic (employee value proposition) EVP and employer brand.
    • Perform an analysis of current sourcing methods and build an action plan to get IT involved.
    • Create an effective and engaging job ad to insure the right people are applying.
    • Train hiring managers to effectively deliver interviews that correctly assess candidate suitability.
    • Get links to in-depth Info-Tech resources and tools.

    Improve Your IT Recruitment Process Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Improve Your IT Recruitment Process – A guide to help you attract and select the best talent.

    Train your IT department to get involved in the recruitment process to attract and select the best talent.

    • Improve Your IT Recruitment Process Capstone Deck

    2. Improve Your IT Recruitment Process Workbook – A tool to document your action plans.

    Use this tool in conjunction with the Improve you IT Recruitment Process to document your action plans

    • Improve Your IT Recruitment Process Workbook

    3. Interview Guide Template – A template to organize interview questions and their rating scales, take notes during the interview, and ensure all interviews follow a similar structure.

    To get useful information from an interview, the interviewer should be focused on what candidates are saying and how they are saying it, not on what the next question will be, what probes to ask, or how they will score the responses. This Interview Guide Template will help interviewers stay focused and collect good information about candidates.

    • Interview Guide Template

    4. IT Behavioral Interview Question Library – A tool that contains a complete list of sample questions aligned with core, leadership, and IT competencies.

    Hiring managers can choose from a comprehensive collection of core, functional, and leadership competency-based behavioral interview questions.

    • IT Behavioral Interview Question Library

    5. Job Ad Template – A template to allow complete documentation of the characteristics, responsibilities, and requirements for a given job posting in IT.

    Use this template to develop a well-written job posting that will attract the star candidates and, in turn, deflect submission of irrelevant applications by those unqualified.

    • Job Ad Template

    6. Idea Catalog – A tool to evaluate virtual TA solutions.

    The most innovative technology isn’t necessarily the right solution. Review talent acquisition (TA) solutions and evaluate the purpose each option serves in addressing critical challenges and replacing critical in-person activities.

    • Idea Catalog: Adapt the Talent Acquisition Process to a Virtual Environment
    [infographic]

    Workshop: Improve Your IT Recruitment Process

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Employee Value Proposition and Employer Branding

    The Purpose

    Establish the employee value proposition (EVP) and employer brand.

    Key Benefits Achieved

    Have a well-defined EVP that you communicate through your employer brand.

    Activities

    1.1 Gather feedback.

    1.2 Build key messages.

    1.3 Assess employer brand.

    Outputs

    Content and themes surrounding the EVP

    Draft EVP and supporting statements

    A clearer understanding of the current employer brand and how it could be improved

    2 Job Ads and Sourcing

    The Purpose

    Develop job postings and build a strong sourcing program.

    Key Benefits Achieved

    Create the framework for an effective job posting and analyze existing sourcing methods.

    Activities

    2.1 Review and update your job ads.

    2.2 Review the effectiveness of existing sourcing programs.

    2.3 Review job ads and sourcing methods for bias.

    Outputs

    Updated job ad

    Low usage sourcing methods identified for development

    Minimize bias present in ads and sourcing methods

    3 Effective Interviewing

    The Purpose

    Create a high-quality interview process to improve candidate assessment.

    Key Benefits Achieved

    Training on being an effective interviewer.

    Activities

    3.1 Create an ideal candidate scorecard.

    3.2 Map out your interview process.

    3.3 Practice behavioral interviews.

    Outputs

    Ideal candidate persona

    Finalized interview and assessment process

    Practice interviews

    4 Onboarding and Action Plan

    The Purpose

    Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.

    Key Benefits Achieved

    Evaluation of current onboarding practice.

    Activities

    4.1 Evaluate and redesign the onboarding program.

    Outputs

    Determine new onboarding activities to fill identified gaps.

    Further reading

    Improve Your IT Recruitment Process

    Train your IT department to get involved in the recruitment process to attract and select the best talent.

    Own the IT recruitment process

    Train your IT department to get involved in the recruitment process to attract and select the best talent.

    Follow this blueprint to:

    • Define and communicate the unique benefits of working for your organization to potential candidates through a strong employer brand.
    • Learn best practices around creating effective job postings.
    • Target your job posting efforts on the areas with the greatest ROI.
    • Create and deliver an effective, seamless, and positive interview and offer process for candidates.
    • Acclimate new hires and set them up for success.

    Get involved at key moments of the candidate experience to have the biggest impact


    Employee Value Proposition (EVP) and Employer Brand



    Job Postings and a Strong Sourcing Program

    Effective Interviewing

    Onboarding: Setting up New Hires For Success

    Awareness Research Application Screening Interview and Assessment Follow Up Onboarding

    RECRUIT QUALITY STAFF

    Hiring talent is critical to organizational success

    Talent is a priority for the entire organization:

    Respondents rated “recruitment” as the top issue facing organizations today (McLean & Company 2022 HR Trends Report).

    37% of IT departments are outsourcing roles to fill internal skill shortages (Info-Tech Talent Trends 2022 Survey).

    Yet bad hires are alarmingly common:

    Hiring is one of the least successful business processes, with three-quarters of managers reporting that they have made a bad hire (Robert Half, 2021).

    48% of survey respondents stated improving the quality of hires was the top recruiting priority for 2021 (Jobvite, 2021).

    Workshop overview

    Prework

    Day 1

    Day 2

    Day 3

    Day 4

    Post work

    Current Process and Job Descriptions Documented

    Establish the Employee Value Proposition (EVP) and Employer Brand

    Develop Job Postings and Build a Strong Sourcing Program

    Effective Interviewing

    Onboarding and Action Planning

    Putting the Action Plan Into Action!

    Activities

    • Recruitment Process Mapped Out and Stakeholders Identified
    • Prepare a JD and JP for Four Priority Jobs
    • Collect Information on Where Your Best Candidates Are Coming From

    1.1 Introduce the Concept of an EVP

    1.2 Brainstorm Unique Benefits of Working at Your Organization

    1.2 Employer Brand Introduction

    2.1 What Makes an Attractive Job Posting

    2.2 Create the Framework for Job Posting

    2.3 Improve the Sourcing Process

    2.4 Review Process for Bias

    3.1 Creating an Interview Process

    3.2 Selecting Interview Questions

    3.3 Avoiding Bias During Interviews

    3.4 Practice Interviews

    4.1 Why Onboarding Matters

    4.2 Acclimatize New Hires and Set Them Up for Success

    4.3 Action Plan

    5.1 Review Outputs and Select Priorities

    5.2 Consult With HR and Senior Management to Get Buy-In

    5.3 Plan to Avoid Relapse Behaviors

    Deliverables

    1. EVP draft completed
    2. Employer brand action plan
    1. Organization-specific job posting framework
    2. Sourcing Plan Template for four priority jobs
    3. Sourcing action plan
    1. Completed Interview Guide Template
    2. Managers practice a panel interview
    1. Onboarding best practices
    2. Action plan

    Enhance Your Recruitment Strategies

    The way you position the organization impacts who is likely to apply to posted positions.

    Develop a strong employee value proposition

    What is an employee value proposition?

    And what are the key components?

    The employee value proposition is your opportunity to showcase the unique benefits and opportunities of working at your organization, allowing you to attract a wider pool of candidates.

    AN EMPLOYEE VALUE PROPOSITION IS:

    AN EMPLOYEE VALUE PROPOSITION IS NOT:

    • An authentic representation of the employee experience
    • Aligned with organizational culture
    • Fundamental to all stages of the employee lifecycle
    • A guide to help investment in programs and policies
    • Short and succinct
    • What the employee can do for you
    • A list of programs and policies
    • An annual project

    THE FOUR KEY COMPONENTS OF AN EMPLOYEE VALUE PROPOSITION

    Rewards

    Organizational Elements

    Working Conditions

    Day-to-Day Job Elements

    • Compensation
    • Health Benefits
    • Retirement Benefits
    • Vacation
    • Culture
    • Customer Focus
    • Organization Potential
    • Department Relationships
    • Senior Management Relationships
    • Work/Life Balance
    • Working Environment
    • Employee Empowerment
    • Development
    • Rewards & Recognition
    • Co-Worker Relationships
    • Manager Relationships

    Creating a compelling EVP that presents a picture of your employee experience, with a focus on diversity, will attract a wide pool of diverse candidates to your team. This can lead to many internal and external benefits for your organization.

    How to collect information on your EVP

    Existing Employee Value Proposition: If your organization or IT department has an existing employee value proposition, rather than starting from scratch, we recommend leveraging that and moving to the testing phase to see if the EVP still resonates with staff and external parties.

    Employee Engagement Results: If your organization does an employee engagement survey, review the results to identify the areas in which the IT organization is performing well. Identify and document any key comment themes in the report around why employees enjoy working for the organization or what makes your IT department a great place to work.

    Social Media Sites. Prepare for the good, the bad, and the ugly. Social media websites like Glassdoor and Indeed make it easier for employees to share their experiences at an organization honestly and candidly. While postings on these sites won’t relate exclusively to the IT department, they do invite participants to identify their department in the organization. You can search these to identify any positive things people are saying about working for the organization and potentially opportunities for improvement (which you can use as a starting point in the retention section of this report).

    1.1 Gather feedback

    1. Download the Improve Your IT Recruitment Workbook.
    2. On tab 1.1, brainstorm the top five things you value most about working at the organization. Ask yourself what would fall in each category and identify any key themes. Be sure to take note of any specific quotes you have.
    3. Brainstorm limitations that the organization currently has in each of those areas.

    Download the Recruitment Workbook

    Input

    Output
    • Employee opinions
    • Employee responses to four EVP components
    • Content for EVP

    Materials

    Participants

    • Recruitment Workbook
    • Diverse employees
    • Different departments
    • Different role levels

    1.2 Build key messages

    1. Go to tab 1.2 in your workbook
    2. Identify themes from activity 1.1 that would be considered current strengths of you organization.
    3. Identify themes from activity 1.2 that are aspirational elements of your organization.
    4. Identify up to four key statements to focus on for the EVP, ensuring that your EVP speaks to at least one of the five categories above.
    5. Integrate these into one overall statement.

    Examples below.

    Input

    Output
    • Feedback from focus groups
    • EVP and supporting statements

    Materials

    Participants

    • Workbook handout
    • Pen and paper for documenting responses
    • IT leadership team

    Sample EVPs

    Shopify

    “We’re Shopify. Our mission is to make commerce better for everyone – but we’re not the workplace for everyone. We thrive on change, operate on trust, and leverage the diverse perspectives of people on our team in everything we do. We solve problems at a rapid pace. In short, we get shit done.”

    Bettercloud

    “At Bettercloud, we have a smart, ambitious team dedicated to delighting our customers. Our culture of ownership and transparency empowers our team to achieve goals they didn’t think possible. For all those on board, it’s going to be a challenging and rewarding journey – and we’re just getting started.”

    Ellevest

    “As a team member at Ellevest, you can expect to make a difference through your work, to have a direct impact on the achievement of a very meaningful mission, to significantly advance your career trajectory, and to have room for fun and fulfillment in your daily life. We know that achieving a mission as critical as ours requires incredible talent and teamwork, and team is the most important thing to us.”

    Sources: Built In, 2021; Workology, 2022

    Ensure your EVP resonates with employees and prospects

    Test your EVP with internal and external audiences.

    INTERNAL TEST REVOLVES AROUND THE 3A’s

    EXTERNAL TEST REVOLVES AROUND THE 3C’s

    ALIGNED: The EVP is in line with the organization’s purpose, vision, values, and processes. Ensure policies and programs are aligned with the organization’s EVP.

    CLEAR: The EVP is straightforward, simple, and easy to understand. Without a clear message in the market, even the best intentioned EVPs can be lost in confusion.

    ACCURATE: The EVP is clear and compelling, supported by proof points. It captures the true employee experience, which matches the organization’s communication and message in the market.

    COMPELLING: The EVP emphasizes the value created for employees and is a strong motivator to join this organization. A strong EVP will be effective in drawing in external candidates. The message will resonate with them and attract them to your organization.

    ASPIRATIONAL: The EVP inspires both individuals and the IT organization as a whole. Identify and invest in the areas that are sure to generate the highest returns for employees.

    COMPREHENSIVE: The EVP provides enough information for the potential employee to understand the true employee experience and to self-assess whether they are a good fit for your organization. If the EVP lacks depth, the potential employee may have a hard time understanding the benefits and rewards of working for your organization.

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Enhance Your Recruitment Strategies

    The way you position the organization impacts who is likely to apply to posted positions.

    Market your EVP to potential candidates: Employer Brand

    Employer brand includes how you market the EVP internally and externally – consistency is key

    The employer brand is the perception internal and external stakeholders hold of the organization and exists whether it has been curated or not. Curating the employer brand involves marketing the organization and employee experience. Grounding your employer brand in your EVP enables you to communicate and market an accurate portrayal of your organization and employee experience and make you desirable to both current and potential employees.

    The image contains a picture of several shapes. There is a trapezoid that is labelled EVP, and has a an arrow pointing to the text beside it. There is also an arrowing pointing down from it to another trapezoid that is labelled Employer Brand.

    The unique offering an employer provides to employees in return for their effort, motivating them to join or remain at the organization.

    The perception internal and external stakeholders hold of the organization.

    Alignment between the EVP, employer brand, and corporate brand is the ideal branding package. An in-sync marketing strategy ensures stakeholders perceive and experience the brand the same way, creating brand ambassadors.

    The image contains three circles that are connected. The circles are labelled: EVP, Employer Brand, Corporate Brand.

    Ensure your branding material creates a connection

    How you present your employer brand is just as important as the content. Ideally, you want the viewer to connect with and personalize the material for the message to have staying power. Use Marketing’s expertise to help craft impactful promotional materials to engage and excite the viewer.

    Visuals

    Images are often the first thing viewers notice. Use visuals that connect to your employer brand to engage the viewer’s attention and increase the likelihood that your message will resonate. However, if there are too many visuals this may detract from your content – balance is key!

    Language

    Wordsmithing is often the most difficult aspect of marketing. Your message should be accurate, informative, and engaging. Work with Marketing to ensure your wording is clever and succinct – the more concise, the better.

    Composition

    Integrate visuals and language to complete your marketing package. Ensure that the text and images are balanced to draw in the viewer.

    Case Study: Using culture to drive your talent pool

    This case study is happening in real time. Please check back to learn more as Goddard continues to recruit for the position.

    Recruiting at NASA

    Goddard Space Center is the largest of NASA’s space centers with approximately 11,000 employees. It is currently recruiting for a senior technical role for commercial launches. The position requires consulting and working with external partners and vendors.

    NASA is a highly desirable employer due to its strong culture of inclusivity, belonging, teamwork, learning, and growth. Its culture is anchored by a compelling vision, “For the betterment of Humankind,” and amplified by a strong leadership team that actively lives their mission and vision daily.

    Firsthand lists NASA as #1 on the 50 most prestigious internships for 2022.

    Rural location and no flexible work options add to the complexity of recruiting

    The position is in a rural area of Eastern Shore Virginia with a population of approximately 60,000 people, which translates to a small pool of candidates. Any hire from outside the area will be expected to relocate as the senior technician must be onsite to support launches twice a month. Financial relocation support is not offered and the position is a two-year assignment with the option of extension that could eventually become permanent.

    The image contains a picture of Steve Thornton.

    “Looking for a Talent Unicorn: a qualified, experienced candidate with both leadership skills and deep technical expertise that can grow and learn with emerging technologies.”

    Steve Thornton

    Acting Division Chief, Solutions Division, Goddard Space Flight Center, NASA

    Case Study: Using culture to drive your talent pool

    A good brand overcomes challenges.

    Culture takes the lead in NASA's job postings, which attract a high number of candidates. Postings begin with a link to a short video on working at NASA, its history, and how it lives its vision. The video highlights NASA's diversity of perspectives, career development, and learning opportunities.

    NASA's company brand and employer brand are tightly intertwined, providing a consistent view of the organization.

    The employer vision is presented in the best place to reach NASA's ideal candidate: usajobs.gov, the official website of the United States Government and the “go-to” for government job listings. NASA also extends its postings to other generic job sites as well as LinkedIn and professional associations.

    The image contains a picture of Robert Leahy.

    Interview with Robert Leahy

    Chief Information Officer, Goddard Space Flight Center, NASA

    2.1 Assess your organization’s employer brand

    1. Go to tab 2.1 in the Improve Your IT Recruitment Workbook.
    2. Put yourself in the shoes of someone on the outside looking in. If they were to look up your organization, what impression would they be given about what is like to work there?
    3. Run a Google search on your organization with key words “jobs,” “culture,” and “working environment” to see what a potential candidate would see when they begin researching your organization.
    4. You can use sites like:

    • Glassdoor
    • Indeed company pages
    • LinkedIn company pages
    • Social media
    • Your own website
  • Identify what your organization is doing well and record that under the “Continue” box in your workbook.
  • Record anything your organization should stop doing under the “Stop” box.
  • Brainstorm some ideas that your organization should think about implementing to improve the employer brand under the “Start” Box.
  • Input Output
    • Existing branding material on the internet
    • A clearer understanding of the current employer brand and how it could be improved
    Materials Participants
    • Workbook handout
    • Senior IT Leaders

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Enhance Your Recruitment Strategies

    The way you position the organization impacts who is likely to apply to posted positions.

    Create engaging job ads to attract talent to the organization

    We have a job description; can I just post that on Indeed?

    A job description is an internal document that includes sections such as general job information, major responsibilities, key relationships, qualifications, and competencies. It communicates job expectations to incumbents and key job data to HR programs.

    A job ad is an externally facing document that advertises a position with the intent of attracting job applicants. It contains key elements from the job description as well as information on the organization and its EVP.

    Write an Effective Job Ad

    • Ensure that your job ad speaks to the audience you are targeting through the language you use.
      • E.g. If you are hiring for a creative role, use creative language and formatting. If you are writing for students, emphasize growth opportunities.
    • Highlight the organization’s EVP.
    • Paint an accurate picture of key aspects of the role but avoid the nitty gritty as it may overwhelm applicants.
    • Link to your organization’s website and social media platforms so applicants can easily find more information.

    A job description informs a job ad, it doesn’t replace it. Don’t be lulled into using a job description as a posting when there’s a time crunch to fill a position. Refer to job postings as job advertisements to reinforce that their purpose is to attract attention and talent.

    An effective job posting contains the following elements:

    Position Title
    • Clearly defined job titles are important for screening applicants as this is one of the first things the candidate will read.
    • Indicating the earnings range that the position pays cuts out time spent on reviewing candidates who may never accept the position and saves them from applying to a job that doesn’t match what they are looking for.
    Company
    • Provide a brief description of the organization including the products or services it offers, the corporate culture, and any training and career development programs.
    Summary Description
    • Describe briefly why the position exists. In other words, what is the position's primary purpose? The statement should include the overall results the job is intended to produce and some of the key means by which the position achieves these results.
    Responsibilities
    • Use bullet points to list the fundamental accountabilities of the position. Candidates want to know what they will be doing on a day-to-day basis.
    • Begin each responsibility or accountability statement with an action word and follow with a brief phrase to describe what is done to accomplish the function.
    Position Characteristics
    • Give examples of key problems and thinking challenges encountered by the position. Describe the type of analysis or creativity required to resolve these problems.
    • Provide examples of final decision-making authority. The examples should reflect the constraints placed on the position by people, policies, and/or procedures.
    Position Requirements
    • List all formal education and certifications required.
    • List all knowledge and experience required.
    • List all personal attributes required.
    Work Conditions
    • List all work conditions that the employee must accommodate. This could include any sensory, physical, or mental requirements of the position or any special conditions of employment, such as hours.
    Process to Apply
    • Include the methods in which the organization wants to receive applications and contact information of who will receive the applications.

    Bottom Line: A truly successful job posting ferrets out those hidden stars that may be over cautious and filters out hundreds of applications from the woefully under qualified.

    The do’s and don’ts of an inclusive job ad

    DON’T overlook the power of words. Avoid phrases like “strong English language skills” as this may deter non-native English speakers from applying and a “clean-shaven” requirement can exclude candidates whose faith requires them to maintain facial hair.

    DON’T post a long requirements list. A study showed that the average jobseeker spends only 49.7 seconds reviewing a listing before deciding it's not a fit.*

    DON’T present a toxic work culture; phrases such as “work hard, play hard” can put off many candidates and play into the “bro- culture” stereotype in tech.

    Position Title: Senior Lorem Ipsum

    Salary Band: $XXX to $XXX

    Diversity is a core value at ACME Inc. We believe that diversity and inclusion is our strength, and we’re passionate about building an environment where all employees are valued and can perform at their best.

    As a … you will …

    Our ideal candidate ….

    Required Education and Experience

    • Bachelor’s degree in …
    • Minimum five (5) years …

    Required Skills

    Preferred Skills

    At ACME Inc. you will find …

    DO promote pay equity by being up front and honest about salary expectations.

    DO emphasize your organization’s commitment to diversity and an inclusive workplace by adding an equity statement.

    DO limit your requirements to “must haves” or at least showcase them first before the “nice-to-haves.”

    DO involve current employees or members of your employee resource groups when creating job descriptions to ensure that they ask for what you really need.

    DO focus on company values and criteria that are important to the job, not just what’s always been done.

    *Source: Ladders, 2013

    Before posting the job ad complete the DEI job posting validation checklist

    Does the job posting highlight your organization’s EVP

    Does the job posting avoid words that might discourage women, people of color, and other members of underrepresented groups from applying?

    Has the position description been carefully reviewed and revised to reflect current and future expectations for the position, rather than expectations informed by the persons who have previously held the job?

    Has the hiring committee eliminated any unnecessary job skills or requirements (college degree, years or type of previous experience, etc.) that might negatively impact recruitment of underrepresented groups?

    Has the hiring committee posted the job in places (job boards, websites, colleges, etc.) where applicants from underrepresented groups will be able to easily view or access it?

    Have members of the hiring committee attended job fairs or other events hosted by underrepresented groups?

    Has the hiring committee asked current employees from underrepresented groups to spread the word about the position?

    Has the hiring committee worked with the marketing team to ensure that people from diverse groups are featured in the organization’s website, publications, and social media?

    es the job description clearly demonstrate the organization’s and leadership’s commitment to DEI?

    *Source: Recruit and Retain People of Color in IT

    3.1 Review and update your job ads

    1. Download the Job Ad Template.
    2. Look online or ask HR for an example of a current job advertisement you are using.
    • If you don’t have one, you can use a job description as a starting point.
  • Review all the elements of the job ad and make sure they align with the list on the previous slide, adding or changing, as necessary. Your job ad should be no more than two pages long.
  • Using the tools on the previous two slides, review your first draft to ensure the job posting is free of language or elements that will discourage diverse candidates from applying.
  • Review your job advertisement with HR to get feedback or to use as a template going forward.
  • Input Output
    • Existing job ad or job description
    • Updated job ad
    Materials Participants
    • Job ad or job description
    • Job Ad Template
    • Hiring Managers

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Enhance Your Recruitment Strategies

    Focus on key programs and tactics to improve the effectiveness of your sourcing approach.

    Get involved with sourcing to get your job ad seen

    To meet growing expectations, organizations need to change the way they source

    Social Media

    Social media has trained candidates to expect:

    • Organizations to stay in touch and keep track of them.
    • A personalized candidate experience.
    • To understand organizational culture and a day in the life.

    While the focus on the candidate experience is important throughout the talent acquisition process, social media, technology, and values have made it a critical component of sourcing.

    Technology

    Candidates expect to be able to access job ads from all platforms.

    • Today, close to 90% of candidates use a mobile platform to job hunt (SmartRecruiters, 2022).
    • However, only 36% of organizations are optimizing their job postings for mobile. (The Undercover Recruiter, 2021)

    Job ads must be clear, concise, and easily viewed on a mobile device.

    Candidate Values

    Job candidate’s values are changing.

    • There is a growing focus on work/life balance, purpose, innovation, and career development. Organizations need to understand candidate values and highlight how the EVP aligns with these interests.

    Authenticity remains important.

    • Clearly and accurately represent your organization and its culture.

    Focus on key programs and tactics to improve the effectiveness of your sourcing approach

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    Take advantage of your current talent with an internal talent mobility program

    What is it?

    Positioning the right talent in the right place, at the right time, for the right reasons, and supporting them appropriately.

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    ITM program benefits:

    1. Retention
    2. Provide opportunities to develop professionally, whether in the current role or through promotions/lateral moves. Keep strong performers and high-potential employees committed to the organization.

    3. Close Skills Gap
    4. Address rapid change, knowledge drain due to retiring Baby Boomers, and frustration associated with time to hire or time to productivity.

    5. Cost/Time Savings
    6. Reduce spend on talent acquisition, severance, time to productivity, and onboarding.

    7. Employee Engagement
    8. Increase motivation and productivity by providing increased growth and development opportunities.

    9. EVP
    10. Align with the organization’s offering and what is important to the employees from a development perspective.

    11. Employee & Leadership Development
    12. Support and develop employees from all levels and job functions.

    Leverage social media to identify and connect with talent

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    What is it? The widely accessible electronic tools that enable anyone to publish and access information, collaborate on common efforts, and build relationships.

    Learning to use social media effectively is key to sourcing the right talent.

    • Today, 92% of organizations leverage social media for talent acquisition.
    • 80% of employers find passive candidates through social media – second only to referrals.
    • 86% percent of job seekers used social media for their most recent job search.
    (Ku, 2021)

    Benefits of social media:

    • Provides access to candidates who may not know the organization.
    • Taps extended networks.
    • Facilitates consistent communication with candidates and talent in pipelines.
    • Personalizes the candidate experience.
    • Provides access to extensive data.

    Challenges of social media:

    With the proliferation of social media and use by most organizations, social media platforms have become overcrowded. As a result:

    • Organizations are directly and very apparently competing for talent with competitors.
    • Users are bombarded with information and are tuning out.

    “It is all about how we can get someone’s attention and get them to respond. People are becoming jaded.”

    – Katrina Collier, Social Recruiting Expert, The Searchologist

    Reap the rewards of an employee referral program

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    What is it? Employees recommend qualified candidates. If the referral is hired, the referring employee typically receives some sort of reward.

    Benefits of an employee referral program:

    1. Lower Recruiting Costs
    2. 55% of organizations report that hiring a referral is less expensive that a non-referred candidate (Clutch, 2020).

    3. Decreased time to fill
    4. The average recruiting lifecycle for an employee referral is 29 days, compared with 55 days for a non referral (Betterup, 2022).

    5. Decreased turnover
    6. 46% percent of employees who were referred stay at their organization for a least one year, compared to 33% of career site hires (Betterup, 2022).

    7. Increased quality of hire
    8. High performers are more likely to refer other high performers to an organization (The University of Chicago Press, 2019).

    Avoid the Like Me Bias: Continually evaluate the diversity of candidates sourced from the employee referral program. Unless your workforce is already diverse, referrals can hinder diversity because employees tend to recommend people like themselves.

    Tap into your network of former employees

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    What is it? An alumni referral program is a formalized way to maintain ongoing relationships with former employees of the organization.

    Successful organizations use an alumni program:

    • 98% of the F500 have some sort of Alumni program (LinkedIn, 2019).

    Benefits of an alumni program:

    1. Branding
    • Alumni are regarded as credible sources of information. They can be a valuable resource for disseminating and promoting the employer brand.
  • Source of talent
    • Boomerang employees are doubly valuable as they understand the organization and also have developed skills and industry experience.
      • Recover some of the cost of turnover and cost per hire with a pool of prequalified candidates who will more quickly reach full productivity.
  • Referral potential
    • Developing a robust alumni network provides access to a larger network through referrals.
    • Alumni already know what is required to be successful in the organization so they can refer more suitable candidates.

    Make use of a campus recruiting program

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    What is it? A formalized means of attracting and hiring individuals who are about to graduate from schools, colleges, or universities.

    Almost 70% of companies are looking to employ new college graduates every year (HR Shelf, 2022).

    Campus recruitment benefits:

    • Increases employer brand awareness among talent entering the workforce.
    • Provides the opportunity to interact with large groups of potential candidates at one time.
    • Presents the opportunity to identify and connect with high-quality talent before they graduate and are actively looking for positions.
    • Offers access to a highly diverse audience.

    Info-Tech Insight

    Target schools that align with your culture and needs. Do not just focus on the most prestigious schools: they are likely more costly, have more intense competition, and may not actually provide the right talent.

    Identify opportunities to integrate non-traditional techniques

    Internal Talent Mobility (ITM) Program

    Social Media Program

    Employee Referral Program

    Alumni Program

    Campus Recruiting Program

    Other Sourcing Tactics

    1. Professional industry associations
    • Tap into candidates who have the necessary competencies.

    5. Not-for-profit intermediaries

    • Partner with not-for-profits to tap into candidates in training or mentorship programs.
    • Example:
      • Year Up (General)
      • Bankwork$ (Banking)
      • Youth Build (Construction)
      • iFoster (Grocery)

    American Expresscreated a boot camp for software engineers in partnership with Year Up and Gateway Community College to increase entry-level IT hires.

    Results:

    • Annually hire 80-100 interns from Year Up.
    • Improved conversion rates: 72% of Year Up interns versus 60% of traditional interns.
    • Increased retention: 44 (Year Up) versus 18 months (traditional).
    (HBR, 2016)

    2. Special interest groups

    • Use for niche role sourcing.
    • Find highly specialized talent.
    • Drive diversity (Women in Project Management).

    6. Gamification

    • Attract curiosity and reaffirm innovation at your organization.
    • Communicate the EVP.
    3. Customers
    • Access those engaged with the organization.
    • Add the employer brand to existing messaging.

    PwC (Hungary) created Multiploy, a two-day game that allows students to virtually experience working in accounting or consulting at the organization.

    Results:

    • 78% of students said they wanted to work for PwC.
    • 92% indicated they had a more positive view of the firm.
    • Increase in the number of job applicants.
    (Zielinski, 2015)

    4. Exit interviews

    • Ask exiting employees “where should we recruit someone to replace you?”
    • Leverage their knowledge to glean insight into where to find talent.

    Partner with other organizational functions to build skills and leverage existing knowledge

    Use knowledge that already exists in the organization to improve talent sourcing capabilities.

    Marketing

    HR

    Marketing knows how to:

    • Build attention-grabbing content.
    • Use social media platforms effectively.
    • Effectively promote a brand.
    • Use creative methods to connect with people.

    HR knows how to:

    • Organize recruitment activities.
    • Identify the capabilities of various technologies available to support sourcing.
    • Solve issues that may arise along the way

    To successfully partner with other departments in your organization:

    • Acknowledge that they are busy. Like IT, they have multiple competing priorities.
    • Present your needs and prioritize them. Create a list of what you are looking for and then be willing to just pick your top need. Work with the other department to decide what needs can and cannot be met.
    • Present the business case. Emphasize how partnering is mutually beneficial. For example, illustrate to Marketing that promoting a strong brand with candidates will improve the organization’s overall reputation because often, candidates are customers.
    • Be reasonable and patient. You are asking for help, so be moderate in your expectations and flexible in working with your partner.

    Info-Tech Insight

    Encourage your team to seek out, and learn from, employees in different divisions. Training sessions with the teams may not always be possible but one-on-one chats can be just as effective and may be better received.

    5.1 Review the effectiveness of existing sourcing programs

    1. As a group review the description of each program as defined on previous slides. Ensure that everyone understands the definitions.
    2. In your workbook, look for the cell Internal Talent Mobility under the title; you will find five rows with the following
    • This program is formally structured and documented.
    • This program is consistently applied across the organization.
    • Talent is sourced this way on an ad hoc basis.
    • Our organization currently does not source talent this way.
    • There are metrics in place to assess the effectiveness of this program.
  • Ask everyone in the group if they agree with the statement for each column; once everyone has had a chance to answer each of the questions, discuss any discrepancies which exist.
  • After coming to a consensus, record the answers.
  • Repeat this process for the other four sourcing programs (social media, employee referral program, alumni network program, and campus recruiting program).
  • InputOutput
    • Existing knowledge on sourcing approach
    • Low usage sourcing methods identified for development
    MaterialsParticipants
    • Workbook
    • Hiring Managers

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Enhance Your Recruitment Strategies

    Interviews are the most often used yet poorly executed hiring tool.

    Create a high-quality interview process to improve candidate assessment

    Everyone believes they’re a great interviewer; self-assess your techniques, and “get real” to get better

    If you…

    • Believe everything the candidate says.
    • Ask mostly hypothetical questions: "What would you do in a situation where…"
    • Ask gimmicky questions: "If you were a vegetable, what vegetable would you be?"
    • Ask only traditional interview questions: "What are your top three strengths?”
    • Submit to a first impression bias.
    • Have not defined what you are looking for before the interview.
    • Ignore your gut feeling in an attempt to be objective.
    • Find yourself loving a candidate because they are just like you.
    • Use too few or too many interviewers in the process.
    • Do not ask questions to determine the motivational fit of the candidate.
    • Talk more than the interviewee.
    • Only plan and prepare for the interview immediately before it starts.

    …then stop. Use this research!

    Most interviewers are not effective, resulting in many poor hiring decisions, which is costly and counter-productive

    Most interviewers are not effective…

    • 82% of organizations don’t believe they hire highly talented people (Trost, 2022).
    • Approximately 76% of managers and HR representatives that McLean & Company interviewed agreed that the majority of interviewers are not very effective.
    • 66% of hiring managers come to regret their interview-based hiring decisions (DDI, 2021).

    …because, although everyone knows interviewing is a priority, most don’t make it one.

    • Interviewing is often considered an extra task in addition to an employee’s day-to-day responsibilities, and these other responsibilities take precedence.
    • It takes time to effectively design, prepare for, and conduct an interview.
    • Employees would rather spend this time on tasks they consider to be an immediate priority.

    Even those interviewers who are good at interviewing, may not be good enough.

    • Even a good interviewer can be fooled by a great interviewee.
    • Some interviewees talk the talk, but don’t walk the walk. They have great interviewing abilities but not the skills required to be successful in the specific position for which they are interviewing.
    • Even if the interviewer is well trained and prepared to conduct a strong interview, they can get caught up with an interviewee that seems very impressive on the surface, and end up making a bad hire.

    Preparing the Perfect Interview

    Step 5: Define decision rights

    Establish decision-making authority and veto power to mitigate post-interview conflicts over who has final say over a candidate’s status.

    Follow these steps to create a positive interview experience for all involved.

    Step 1: Define the ideal candidate profile; determine the attributes of the ideal candidate and their relative importance

    Define the attributes of the ideal candidate…

    Ideal candidate = Ability to do the job + Motivation to do the job + Fit

    Competencies

    • Education
    • Credentials
    • Technical skills
    • Career path
    • Salary expectations
    • Passion
    • Potential
    • Personality
    • Managerial style/preference

    Experiences

    • Years of service
    • Specific projects
    • Industry

    Data for these come from:

    • Interviews
    • Personality tests
    • Gut instinct or intuition

    Data for these come from:

    • Resumes
    • Interviews
    • Exercises and tests
    • References

    Caution: Evaluating for “organizational or cultural fit” can lead to interviewers falling into the trap of the “like me” bias, and excluding diverse candidates.

    …then determine the importance of the attributes.

    Non-negotiable = absolutely required for the job!

    Usually attributes that are hard to train, such as writing skills, or expensive to acquire after hire, such as higher education or specific technical skills.

    An Asset

    Usually attributes that can be trained, such as computer skills. It’s a bonus if the new hire has it.

    Nice-to-have

    Attributes that aren’t necessary for the job but beneficial. These could help in breaking final decision ties.

    Deal Breakers: Also discuss and decide on any deal breakers that would automatically exclude a candidate.

    The job description is not enough; meet with stakeholders to define and come to a consensus on the ideal candidate profile

    Definition of the Ideal Candidate

    • The Hiring Manager has a plan for the new hire and knows the criteria that will best fulfill that mandate.
    • The Executive team may have specific directives for what the ideal candidate should look like, depending on the level and critical nature of the position.
    • Industry standards, which are defined by regulatory bodies, are available for some positions. Use these to identify skills and abilities needed for the job.
    • Competitor information such as job descriptions and job reviews could provide useful data about a similar role in other organizations.
    • Exit interviews can offer insight into the most challenging aspects of the job and identify skills or abilities needed for success.
    • Current employees who hold the same or a similar position can explain the nuances of the day-to-day job and what attributes are most needed on the team.

    “The hardest work is accurately defining what kind of person is going to best perform this job. What are their virtues? If you’ve all that defined, the rest is not so tough.”

    – VP, Financial Services

    Use a scorecard to document the ideal candidate profile and help you select a superstar

    1. Download the Workbook and go to tab 6.1.
    2. Document the desired attributes for each category of assessment: Competencies, Experiences, Fit, and Motivation. You can find an Attribute Library on the next tab.
    3. Rank each attribute by level of priority: Required, Asset, or Nice-to-Have.
    4. Identify deal breakers that would automatically disqualify a candidate from moving forward.
    InputOutput
    • Job description
    • Stakeholder input
    • Ideal candidate persona
    MaterialsParticipants
    • Workbook
    • Hiring Managers

    To identify questions for screening interviews, use the Screening Interview Template

    A screening interview conducted by phone should have a set of common questions to identify qualified candidates for in-person interviews.

    The Screening Interview Template will help you develop a screening interview by providing:

    • Common screening questions that can be modified based on organizational needs and interview length.
    • Establishing an interview team.
    • A questionnaire format so that the same questions are asked of all candidates and responses can be recorded.

    Once completed, this template will help you or HR staff conduct candidate screening interviews with ease and consistency. Always do screening interviews over the phone or via video to save time and money.

    Info-Tech Insight

    Determine the goal of the screening interview – do you want to evaluate technical skills, communication skills, attitude, etc.? – and create questions based on this goal. If evaluating technical skill, have someone with technical competency conduct the interview.

    The image contains screenshots of the Screening Interview Template.

    Step 2: Choose interview types and techniques that best assess the ideal candidate attributes listed on the position scorecard

    There is no best interview type or technique for assessing candidates, but there could be a wrong one depending on the organization and job opening.

    • Understanding common interviewing techniques and types will help inform your own interviewing strategy and interview development.
    • Each interview technique and type has its own strengths and weakness and can be better suited for a particular organizational environment, type of job, or characteristic being assessed.
    The image contains a diagram to demonstrate the similarities and differences of Interview Technique and Interview Type. There is a Venn Diagram, the right circle is labelled: Interview Technique, and the right is: Interview Type. There is a double sided arrow below that has the following text: Unstructure, Semi-Structured, and Structured.

    Unstructured: A traditional method of interviewing that involves no constraints on the questions asked, no requirements for standardization, and a subjective assessment of the candidate. This format is the most prone to bias.

    Semi-Structured: A blend of structured and unstructured, where the interviewer will ask a small list of similar questions to all candidates along with some questions pertaining to the resume.

    Structured: An interview consisting of a standardized set of job-relevant questions and a scoring guide. The goal is to reduce interviewer bias and to help make an objective and valid decision about the best candidate.

    No matter which interview types or techniques you use, aim for it to be as structured as possible to increase its validity

    The validity of the interview increases as the degree of interview structure increases.

    Components of a highly structured interview include:

    1. Interview questions are derived from a job analysis (they are job related).
    2. Interview questions are standardized (all applicants are asked the same questions).
    3. Prompting, follow-up questioning, probing, and/or elaboration on questions are limited. Try to identify all prompts, follow-ups, and probes beforehand and include them in the interview guide so that all candidates get the same level of prompting and probing.
    4. Interview questions focus on behaviors or work samples rather than opinions or self-evaluations.
    5. Interviewer access to ancillary information (e.g. resumes, letters of reference, test scores, transcripts) is controlled. Sometimes limiting access to these documents can limit interviewer biases.
    6. Questions from the candidate are not allowed until after the interview. This allows the interviewer to stay on track and not go off the protocol.
    7. Each answer is rated during the interview using a rating scale tailored to the question (this is preferable to rating dimensions at the end of the interview and certainly preferable to just making an overall rating or ranking at the end).
    8. Rating scales are “anchored” with behavioral examples to illustrate scale points (e.g. examples of a “1,” “3,” or “5” answer).
    9. Total interview score is obtained by summing across scores for each of the questions.

    The more of these components your interview has, the more structured it is, and the more valid it will be.

    Step 3: Prepare interview questions to assess the attributes you are looking for in a candidate

    The purpose of interviewing is to assess, not just listen. Questions are what help you do this.

    Preparing questions in advance allows you to:

    • Match each question to a position requirement (included in your scorecard) to ensure that you assess all required attributes. Everything assessed should be job relevant!
    • Determine each question’s weighting, if applicable.
    • Give each candidate a chance to speak to all their job-relevant attributes.
    • Keep records should an unselected candidate decide to contest the decision.

    If you don’t prepare in advance:

    • You’ll be distracted thinking about what you are going to ask next and not be fully listening.
    • You likely won’t ask the same questions of all candidates, which impacts the ability to compare across candidates and doesn’t provide a fair process for everyone.
    • You likely won’t ask the questions you need to elicit the information needed to make the right decision.
    • You could ask illegal questions (see Acquire the Right Hires with Effective Interviewing for a list of questions not to ask in an interview).

    Use the Interview Question Planning Guide tab in the Candidate Interview Strategy and Planning Guide to prepare your interview questions.

    Use these tips to draft interview questions:

    • Use job analysis output, in particular the critical incident technique, to develop structured interview questions.
    • Search online or in books for example interview questions for the target position to inform interview question development. Just remember that candidates access these too, so be sure to ask for specific examples, include probing questions, and adapt or modify questions to change them.
    • Situational questions: The situation should be described in sufficient detail to allow an applicant to visualize it accurately and be followed by “what would you do?” Scoring anchors should reflect effective, typical, and ineffective behaviors.
    • Behavioral questions: Should assess a behavioral dimension (e.g. meeting deadlines) and apply to a variety of situations that share the underlying dimension (e.g. at work or school). Scoring anchors should be applicable to a variety of situations and reflect effective, typical, and ineffective behavior.

    Conduct an effective screening interview by listening to non-verbal cues and probing

    Follow these steps to conduct an effective screening interview:

    Introduce yourself and ask if now is a good time to talk. (Before calling, prepare your sales pitch on the organization and the position.)

    You want to catch candidates off guard so that they don’t have time to prepare scripted answers; however, you must be courteous to their schedule.

    Provide an overview of the position, then start asking pre-set questions. Take a lot of notes.

    It is important to provide candidates with as much information as possible about the position – they are deciding whether they are interested in the role as much as you are deciding whether they are suitable.

    Listen to how the questions are answered. Ask follow-up questions when appropriate and especially if the candidate seems to be holding something back.

    If there are long pauses or the candidate’s voice changes, there may be something they aren’t telling you that you should know.

    Be alert to inconsistencies between the resume and answers to the questions and address them.

    It’s important to get to the bottom of issues before the in-person interview. If dates, titles, responsibilities, etc. seem to be inconsistent, ask more questions.

    Ask candidates about their salary expectations.

    It’s important to ensure alignment of the salary expectations early on. If the expectations are much higher than the range, and the candidate doesn’t seem to be open to the lower range, there is no point interviewing them. This would be a waste of everyone’s time.

    Answer the applicant’s questions and conclude the interview.

    Wait until after the interview to rate the applicant.

    Don’t allow yourself to judge throughout the interview, or it could skew questions. Rate the applicant once the interview is complete.

    When you have a shortlist of candidates to invite to an in-person interview, use the Candidate Communication Template to guide you through proper phone and email communications.

    Don’t just prepare top-level interview questions; also prepare probing questions to probe to gain depth and clarity

    Use probing to drill down on what candidates say as much as possible and go beyond textbook answers.

    Question (traditional): “What would you identify as your greatest strength?”

    Answer: Ability to work on a team.

    Top-level interview questions set the stage for probing.

    Your interview script should contain the top two levels of questions in the pyramid and a few probes that you will likely need to ask. You can then drill down further depending on the candidate’s answers.

    Follow-Up Question:

    “Can you outline a particular example when you were able to exercise your teamwork skills to reach a team goal?”

    Probing questions start with asking what, when, who, why, and how, and gain insight into a candidate’s thought process, experiences, and successes.

    Probing Level 1:

    Probe around the what, how, who, when, and where. “How did you accomplish that?”

    How to develop probes? By anticipating the kinds of responses that candidates from different backgrounds or with different levels of experience are likely to give as a response to an interview question. Probes should provide a clear understanding of the situation, the behavior, and the outcome so that the response can be accurately scored. Common probes include:

    • What did you do? What was the outcome?
    • When did this take place (and how long did it take)?
    • Who was involved?
    • Were you leading or being led?
    • How did you accomplish what you did?
    • Why did you take those steps?

    Tailor probes to the candidate’s answers to evoke meaningful and insightful responses.

    Probing Level 2:

    Allow for some creativity.

    “What would you do differently if you were to do it again?”

    Conduct effective interviews and assessments

    Mitigate inherent biases of assessors by integrating formal assessments with objective anchors and clear criteria to create a more inclusive process.

    Consider leveraging behavioral interview questions in your interview to reduce bias.

    • In the past, companies were pushing the boundaries of the conventional interview, using unconventional questions to find top talent, e.g. “what color is your personality?” The logic was that the best people are the ones who don’t necessarily show perfectly on a resume, and they were intent on finding the best.
    • However, many companies have stopped using these questions after extensive statistical analysis revealed there was no correlation between candidates’ ability to answer them and their future performance on the job.
    • Asking behavioral interview questions based on the competency needs of the role is the best way to uncover if the candidates will be able to execute on the job.

    Assessments are created by people that have biases. This often means that assessments can be biased, especially with preferences towards a Western perspective. Even if the same assessments are administered, the questions will be interpreted differently by candidates with varying cultural backgrounds and lived experiences. If assessments do not account for this, it ultimately leads to favoring the answers of certain demographic groups, often ones similar to those who developed the assessment.

    Creating an interview question scorecard

    Attribute you are evaluating

    Probing questions prepared

    Area to take notes

    The image contains a screenshot of an Interview question scorecard.

    Exact question you will ask

    Place to record score

    Anchored scale with definitions of a poor, ok and great answer

    Step 4: Assemble an interview team

    HR and the direct reporting supervisor should always be part of the interview. Make a good impression with a good interview team.

    The must-haves:

    • The Future Manager should always be involved in the process. They should be comfortable with the new hire’s competencies and fit.
    • Human Resources should always be involved in the process – they maintain consistency, legality, and standardization. It’s their job to know the rules and follow them. HR may coordinate and maintain policy standards and/or join in assessing the candidate.
    • There should always be more than just one interviewer, even if it is not at the same time. This helps keep the process objective, allows for different opinions, and gives the interviewee exposure to multiple individuals in the company. But, try to limit the number of panel members to four or less.

    “At the end of the day, it’s the supervisor that has to live with the person, so any decision that does not involve the supervisor is a very flawed process.” – VP, Financial Services

    The nice-to-haves:

    • Future colleagues can offer benefits to both the interviewee and the colleague by:
      • Giving the candidate some insight into what their day-to-day job would be.
      • Relaxing the candidate; allowing for a less formal, less intimidating conversation.
      • Introducing potential teammates for a position that is highly collaborative.
      • Offering the interviewer an excellent professional development opportunity – a chance to present their understanding of what they do.
    • Executives should take part in interviewing for executive hiring, individuals that will report to an executive, or for positions that are extremely important. Executive time is scarce and expensive, so only use it when absolutely necessary.

    Record the interview team details in the Candidate Interview Strategy and Planning Guide template.

    Assign interviewers roles inside and outside the actual interview

    Define Interview Process Roles

    Who Should… Contact candidates to schedule interviews or communicate decisions?

    Who Should… Be responsible for candidate welcomes, walk-outs, and hand-offs between interviews?

    Who Should… Define and communicate each stakeholder’s role?

    Who Should… Chair the preparation and debrief meetings and play the role of the referee when trying to reach a consensus?

    Define Interview Roles

    • Set a role for each interviewer so they know what to focus on and where they fit into the process (e.g. Interviewer A will assess fit). Don’t ad hoc the process and allow everyone to interview based on their own ideas.
    • Consider interviewer qualifications and the impact of the new employee on each interviewer, when deciding the roles of each interviewer (i.e. who will interview for competency and who will interview for fit).
      • For example, managers may be most impacted by technical competencies and should be the interviewer to evaluate the candidate for technical competency.

    “Unless you’ve got roles within the panel really detailed and agreed upon, for example, who is going to take the lead on what area of questions, you end up with a situation where nobody is in charge or accountable for the final interview assessment." – VP, Financial Services

    Info-Tech Insight

    Try a Two Lens Assessment: One interviewer assesses the candidate as a project leader while another assesses them as a people leader for a question such as “Give me an example of when you exercised your leadership skills with a junior team member.”

    Step 5: Set decision rights in stone and communicate them in advance to manage stakeholder expectations and limit conflict

    All interviewers must understand their decision-making authority prior to the interview. Misunderstandings can lead to resentment and conflict.

    It is typical and acceptable that you, as the direct reporting manager, should have veto power, as do some executives.

    Veto Power

    Direct Supervisor or Manager

    Decision Makers: Must Have Consensus

    Other Stakeholders

    Direct Supervisor’s Boss

    Direct Supervisor

    Contributes Opinion

    HR Representative

    Peer

    After the preliminary interview, HR should not be involved in making the decision unless they have a solid understanding of the position.

    Peers can make an unfair assessment due to perceived competition with a candidate. Additionally, if a peer doesn’t want a candidate to be hired and the direct supervisor does hire the candidate, the peer may hold resentment against that candidate and set the team up for conflict.

    The decision should rest on those who will interact with the candidate on a daily basis and who manage the team or department that the candidate will be joining.

    The decisions being made can include whether or not to move a candidate onto the next phase of the hiring process or a final hiring decision. Deciding decision rights in advance defines accountability for an effective interview process.

    Create your interview team, assessments, and objective anchor scale

    1. Download the Behavioral Interview Question Library as a reference.
    2. On tab 9 of your workbook, document all the members of the team and their respective roles in the interview process. Fill in the decision-making authority section to ensure every team member is held accountable to their assigned tasks and understands how their input will be used.
    3. For each required attribute in the Ideal Candidate Scorecard, chose one to two questions from the library that can properly evaluate that attribute.
    4. Copy and paste the questions and probing questions into the Interview Guide Template.
    5. Create an objective anchor scale and clearly define what a poor, ok, and great answer to each question is.

    Download the Behavioral Interview Question Library

    Input Output
    • List of possible team members
    • Ideal Candidate Scorecard
    • Finalized hiring panel
    • Finalized interview and assessment process
    Materials Participants
    • IT Behavioral Interview Question Library
    • Workbook
    • Interview Guide Template
    • IT leadership team
    • IT staff members

    Conduct an effective, professional, and organized in-person interview

    Give candidates a warm, genuine greeting. Introduce them to other interviewers present. Offer a drink. Make small talk.

    “There are some real advantages to creating a comfortable climate for the candidate; the obvious respect for the individual, but people really let their guard down.”

    – HR Director, Financial Services

    Give the candidate an overview of the process, length, and what to expect of the interview. Indicate to the candidate that notes will be taken during the interview.

    If shorter than an hour, you probably aren’t probing enough or even asking the right questions. It also looks bad to candidates if the interview is over quickly.

    Start with the first question in the interview guide and make notes directly on the interview guide (written or typed) for each question.

    Take lots of notes! You think you’ll remember what was said, but you won’t. It also adds transparency and helps with documentation.

    Ask the questions in the order presented for interview consistency. Probe and clarify as needed (see next slide).

    Keep control of the interview by curtailing any irrelevant or long-winded responses.

    After all interview questions are complete, ask candidates if there was anything about their qualifications that was missed that they want to highlight.

    Lets you know they understand the job and gives them the feeling they’ve put everything on the table.

    Ask if the candidate has any questions. Respond to the questions asked.

    Answer candidate questions honestly because fit works both ways. Ensure candidates leave with a better sense of the job, expectations, and organizational culture.

    Review the compensation structure for the position and provide a realistic preview of the job and organization.

    Provide each candidate with a fair chance by maintaining a consistent interview process.

    Tell interviewees what happens next in the process, the expected time frame, and how they will be informed of the outcome. Escort them out and thank them for the interview.

    The subsequent slides provide additional detail on these eight steps to conducting an effective interview.

    Avoid these common biases and mistakes

    Common Biases

    Like-me effect: An often-unconscious preference for, and unfairly positive evaluation of, a candidate based on shared interests, personalities, and experiences, etc.

    Status effect: Overrating candidates based on the prestige of previously held positions, titles, or schools attended.

    Recency bias: Placing greater emphasis on interviews held closer to the decision-making date.

    Contrast effect: Rating candidates relative to those who precede or follow them during the interview process, rather than against previously determined data.

    Solution

    Assess candidates by using existing competency-based criteria.

    Common Mistakes

    Negative tone: Starting the interview on a negative or stressful note may derail an otherwise promising candidate.

    Poor interview management: Letting the candidate digress may leave some questions unanswered and reduce the interview value.

    Reliance of first impressions: Basing decisions on first impressions undermines the objectivity of competency-based selection.

    Failure to ask probing questions: Accepting general answers without asking follow-up questions reduces the evidentiary value of the interview.

    Solution

    Follow the structured interview process you designed and practiced.

    Ask the questions in the order presented in the interview guide, and probe and clarify as needed

    Do...

    Don’t…

    Take control of the interview by politely interrupting to clarify points or keep the interviewee on topic.

    Use probing to drill down on responses and ask for clarification. Ask who, what, when, why, and how.

    Be cognizant of confidentiality issues. Ask for a sample of work from a past position.

    Focus on knowledge or information gaps from previous interviews that need to be addressed in the interview.

    Ensure each member of a panel interview speaks in turn and the lead is given due respect to moderate.

    Be mean when probing. Intimidation actually works against you and is stressful for candidates. When you’re friendly, candidates will actually open up more.

    Interrupt or undermine other panel members. Their comments and questions are just as valid as yours are, and treating others unprofessionally gives a bad impression to the candidate.

    Ask illegal questions. Questions about things like religion, disability, and marital and family status are off limits.

    When listening to candidate responses, watch for tone, body language, and red flags

    Do...

    While listening to responses, also watch out for red and yellow flags.

    Listen to how candidates talk about their previous bosses – you want it to be mainly positive. If their discussion of past bosses reflects a strong sense of self-entitlement or a consistent theme of victimization, this could be a theme in their behavior and make them hard to work with.

    Red Flag

    A concern about something that would keep you from hiring the person.

    Yellow Flag

    A concern that needs to be addressed, but wouldn’t keep you from hiring the person.

    Pay attention to body language and tone. They can tell you a lot about candidate motivation and interest.

    Listen to what candidates want to improve. It’s an opportunity to talk about development and advancement opportunities in the organization.

    Not all candidates have red flags, but it is important to keep them in mind to identify potential issues with the candidate before they are hired.

    Don’t…

    Talk too much! You are there to listen. Candidates should do about 80% of the talking so you can adequately evaluate them. Be friendly, but ensure to spend the time allotted assessing, not chatting.

    If you talk too much, you may end up hiring a weak candidate because you didn’t perceive weaknesses or not hire a strong candidate because you didn’t identify strengths.

    What if you think you sense a red or yellow flag?

    Following the interview, immediately discuss the situation with others involved in the recruitment process or those familiar with the position, such as HR, another hiring manager, or a current employee in the role. They can help evaluate if it’s truly a matter of concern.

    Increase hiring success: Give candidates a positive perception of the organization in the interview

    Great candidates want to work at great organizations.

    When the interviewer makes a positive impression on a candidate and provides a positive impression of the organization it carries forward after they are hired.

    In addition, better candidates can be referred over the course of time due to higher quality networking.

    As much as choosing the right candidate is important to you, make sure the right candidate wants to choose you and work for your organization.

    The image contains a screenshot of a graph to demonstrate the percent of successful hires relates strongly to interviewers giving candidates a positive perception of the organization.

    Interview advice seems like common sense, but it’s often not heeded, resulting in poor interviews

    Don’t…

    Believe everything candidates say. Most candidates embellish and exaggerate to find the answers they think you want. Use probing to drill down to specifics and take them off their game.

    Ask gimmicky questions like “what color is your soul?” Responses to these questions won’t give you any information about the job. Candidates don’t like them either!

    Focus too much on the resume. If the candidate is smart, they’ve tailored it to match the job posting, so of course the person sounds perfect for the job. Read it in advance, highlight specific things you want to ask, then ignore it.

    Oversell the job or organization. Obviously you want to give candidates a positive impression, but don’t go overboard because this could lead to unhappy hires who don’t receive what you sold them. Candidates need to evaluate fit just as much as you.

    Get distracted by a candidate’s qualifications and focus only on their ability to do the job. Just because they are qualified does not mean they have the attitude or personality to fit the job or culture.

    Show emotion at any physical handicap. You can’t discriminate based on physical disability, so protect the organization by not drawing attention to it. Even if you don’t say anything, your facial expression may.

    Bring a bad day or excess baggage into the interview, or be abrupt, rushed, or uninterested in the interview. This is rude behavior and will leave a negative impression with candidates, which could impact your chances of hiring them.

    Submit to first impression bias because you’ll spend the rest of the interview trying to validate your first impression, wasting your time and the candidate’s. Remain as objective as possible and stick to the interview guide to stay focused on the task at hand.

    “To the candidate, if you are meeting person #3 and you’re hearing questions that person #1 and #2 asked, the company doesn’t look too hot or organized.” – President, Recruiting Firm

    Practice behavioral interviews

    1. In groups of at least three:
    • Assign one person to act as the manager conducting the interview, a second person to act as the candidate, and a third to observe.
    • The observer will provide feedback to the manager at the end of the role play based on the information you just learned.
    • Observers – please give feedback on the probing questions and body language.
  • Managers, select an interview question from the list your group put together during the previous exercise. Take a few minutes to think about potential probing questions you could follow up with to dig for more information.
  • Candidates, try to act like a real candidate. Please don’t make it super easy on the managers – but don’t make it impossible either!
  • Once the question has been asked and answered:
    • How did it go?
    • Were you able to get the candidate to speak in specifics rather than generalities? What tips do you have for others?
    • What didn’t go so well? Any surprises?
    • What would you do differently next time?
    • If this was a real hiring situation, would the information you got from just that one question help you make a hiring decision for the role?
  • Now switch roles and select a new interview question to use for this round. Repeat until everyone has had a chance to practice.
  • Input Output
    • Interview questions and scorecard
    • Practice interviews
    Materials Participants
    • IT Behavioral Interview Question Library
    • Workbook
    • Hiring Manager
    • Interview Panel Members

    Download the Behavioral Interview Question Library

    Record best practices, effective questions, and candidate insights for future use and current strategy

    Results and insights gained from evaluations need to be recorded and assessed to gain value from them going forward.

    • To optimize evaluation, all feedback should be forwarded to a central point so that the information can be shared with all stakeholders. HR can serve in this role.
    • Peer evaluations should be shared shortly after the interview. Immediate feedback that represents all the positive and negative responses is instructional for interviewers to consider right away.
    • HR can take a proactive approach to sharing information and analyzing and improving the interview process in order to collaborate with hiring departments for better talent management.
    • Collecting information about effective and ineffective interview questions will guide future interview revision and development efforts.

    Evaluations Can Inform Strategic Planning and Professional Development

    Strategic Planning

    • Survey data can be used to inform strategic planning initiatives in recruiting.
    • Use the information to build a case to the executive team for training, public relations initiatives, or better candidate management systems.

    Professional Development

    • Survey data from all evaluations should be used to inform future professional development initiatives.
    • Interview areas where all team members show weaknesses should be training priorities.
    • Individual weaknesses should be integrated into each professional development plan.

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Develop a Comprehensive Onboarding Plan

    Drive employee engagement and retention with a robust program that acclimates, guides, and develops new hires.

    Onboarding should pick up where candidate experience leaves off

    Do not confuse onboarding with orientation

    Onboarding ≠ Orientation

    Onboarding is more than just orientation. Orientation is typically a few days of completing paperwork, reading manuals, and learning about the company’s history, strategic goals, and culture. By contrast, onboarding is three to twelve months dedicated to welcoming, acclimating, guiding, and developing new employees – with the ideal duration reflecting the time to productivity for the role.

    A traditional orientation approach provides insufficient focus on the organizational identification, socialization, and job clarity that a new hire requires. This is a missed opportunity to build engagement, drive productivity, and increase organizational commitment. This can result in early disengagement and premature departure.

    Effective onboarding positively impacts the organization and bottom line

    Over the long term, effective onboarding has a positive impact on revenue and decreases costs.

    The benefits of onboarding:

    • Save money and frustration
      • Shorten processing time, reduce administrative costs, and improve compliance.
    • Boost revenue
      • Help new employees become productive faster – also reduce the strain on existing employees who would normally be overseeing them or covering a performance shortfall.
    • Drive engagement and reduce turnover
      • Quickly acclimate new hires to your organization’s environment, culture, and values.
    • Reinforce culture and employer brand
      • Ensure that new hires feel a connection to the organization’s culture.

    Onboarding drives new hire engagement from day one

    The image contains a graph to demonstrate the increase in overall engagement in relation to onboarding.

    When building an onboarding program, retain the core aims: acclimate, guide, and develop

    The image contains a picture of a circle with a smaller circle inside it, and a smaller circle inside that one. The smallest circle is labelled Acclimate, the medium sized circle is labelled Guide, and the biggest circle is labelled Develop.

    Help new hires feel connected to the organization by clearly articulating the mission, vision, values, and what the company does. Help them understand the business model, the industry, and who their competitors are. Help them feel connected to their new team members by providing opportunities for socialization and a support network.

    Help put new hires on the path to high performance by clearly outlining their role in the organization and how their performance will be evaluated.

    Help new hires receive the experience and training they require to become high performers by helping them build needed competencies.

    We recommend a three-to-twelve-month onboarding program, with the performance management aspect of onboarding extending out to meet the standard organizational performance management cycle.

    Info-Tech Insight

    The length of the onboarding program should align with the average time to productivity for the role(s). Consider the complexity of the role, the industry, and the level of the new hire when determining program length.

    For example, call center workers who are selling a straight-forward product may only require a three-month onboarding, while senior leaders may require a year-long program.

    Watch for signs that you aren’t effectively acclimating, guiding, and developing new hires

    Our primary and secondary research identified the following as the most commonly stated reasons why employees leave organizations prematurely. These issues will be addressed throughout the next section.

    Acclimate

    Guide

    Develop

    • Onboarding experience is misaligned from the employer’s brand.
    • Socialization and/or integration into the existing culture is left to the employee.
    • Key role expectations or role usefulness is not clearly communicated.
    • Company strategy is unclear.
    • Opportunities for advancement are unclear.
    • Coaching, counseling, and/or support from co-workers and/or management is lacking.
    • The organization fails to demonstrate that it cares about the new employee’s needs.

    “Onboarding is often seen as an entry-level HR function. It needs to rise in importance because it’s the first impression of the organization and can be much more powerful than we sometimes give it credit for. It should be a culture building and branding program.” – Doris Sims, SPHR, The Succession Consultant, and Author, Creative Onboarding Programs

    Use the onboarding tabs in the workbook to evaluate and redesign the onboarding program

    1. On tab 10, brainstorm challenges that face the organization's current onboarding program. Identify if they fall into the "acclimate," "guide," or "develop" category. Next, record the potential impact of this challenge on the overall effectiveness of the onboarding program.
    2. On tab 11, record each existing onboarding activity. Then, identify if that activity will be kept or if it should be retired. Next, document if the activity fell into the "acclimate," "guide," or "develop" category.
    3. On tab 12, document gaps that currently exist in the onboarding program. Modify the timeline along the side of the tab to ensure it reflects the timeline you have identified.
    4. On tab 13, document the activities that will occur in the new onboarding program. This should be a combination of current activities that you want to retain and new activities that will be added to address the gaps noted on tab 12. For each activity, identify if it will fall in the acclimate, guide, or develop section. Add any additional notes. Before moving on, make sure that there are no categories that have no activities (e.g. no guide activities).
    Input Output
    • Existing onboarding activities
    • Determine new onboarding activities
    • Map out onboarding responsibilities
    Materials Participants
    • Workbook
    • Hiring Managers
    • HR

    Review the administrative aspects of onboarding and determine how to address the challenges

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Sample challenges

    Potential solutions

    Some paperwork cannot be completed digitally (e.g. I-9 form in the US).

    Where possible, complete forms with digital signatures (e.g. DocuSign). Where not possible, begin the process earlier and mail required forms to employees to sign and return, or scan and email for the employee to print and return.

    Required compliance training material is not available virtually.

    Seek online training options where possible. Determine the most-critical training needs and prioritize the replication of materials in audio/video format (e.g. recorded lecture) and distribute virtually.

    Employees may not have access to their equipment immediately due to shipping or supply issues.

    Delay employee start dates until you can set them up with the proper equipment and access needed to do their job.

    New hires can’t get answers to their questions about benefits information and setup.

    Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits.

    Info-Tech Insight

    One of the biggest challenges for remote new hires is the inability to casually ask questions or have conversations without feeling like they’re interrupting. Until they have a chance to get settled, providing formal opportunities for questions can help address this.

    Review how company information is shared during onboarding and how to address the challenges

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Sample challenges

    Potential solutions

    Key company information such as organizational history, charts, or the vision, mission, and values cannot be clearly learned by employees on their own.

    Have the new hire’s manager call to walk through the important company information to provide a personal touch and allow the new hire to ask questions and get to know their new manager.

    Keeping new hires up to date on crisis communications is important, but too much information may overwhelm them or cause unnecessary stress.

    Sharing the future of the organization is a critical part of the company information stage of onboarding and the ever-changing nature of the COVID-19 crisis is informing many organizations’ future right now. Be honest but avoid over-sharing plans that may change.

    New hires can’t get answers to their questions about benefits information and setup.

    Schedule a meeting with an HR representative or benefits vendor to explain how benefits will work and how to navigate employee self-service or other tools and resources related to their benefits.

    Review the socialization aspects of onboarding and determine how to address the challenges

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Sample challenges

    Potential solutions

    Team introductions via a team lunch or welcome event are typically done in person.

    Provide managers with a calendar of typical socialization events in the first few weeks of onboarding and provide instructions and ideas for how to schedule replacement events over videoconferencing.

    New hires may not have a point of contact for informal questions or needs if their peers aren’t around them to help.

    If it doesn’t already exist, create a virtual buddy program and provide instructions for managers to select a buddy from the new hire’s team. Explain that their role is to field informal questions about the company, team, and anything else and that they should book weekly meetings with the new hire to stay in touch.

    New hires will not have an opportunity to learn or become a part of the informal decision-making networks at the organization.

    Hiring managers should consider key network connections that new hires will need by going through their own internal network and asking other team members for recommendations.

    New hires will not be able to casually meet people around the office.

    Provide the employee with a list of key contacts for them to reach out to and book informal virtual coffee chats to introduce themselves.

    Adapt the Guide phase of onboarding to a virtual environment

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Sample challenges

    Potential solutions

    Performance management (PM) processes have been paused given the current crisis.

    Communicate to managers that new hires still need to be onboarded to the organization’s performance management process and that goals and feedback need to be introduced and the review process outlined even if it’s not currently happening.

    Goals and expectations differ or have been reprioritized during the crisis.

    Ask managers to explain the current situation at the organization and any temporary changes to goals and expectations as a result of new hires.

    Remote workers often require more-frequent feedback than is mandated in current PM processes.

    Revamp PM processes to include daily or bi-weekly touchpoints for managers to provide feedback and coaching for new hires for at least their first six months.

    Managers will not be able to monitor new hire work as effectively as usual.

    Ensure there is a formal approach for how employees will keep their managers updated on what they're working on and how it's going, for example, daily scrums or task-tracking software.

    For more information on adapting performance management to a virtual environment, see Info-Tech’s Performance Management for Emergency Work-From-Home research.

    Take an inventory of training and development in the onboarding process and select critical activities

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Categorize the different types of formal and informal training in the onboarding process into the following three categories. For departmental and individual training, speak to managers to understand what is required on a department and role basis:

    Organizational

    Departmental

    Individual

    For example:

    • Employee self-service overview
    • Health and safety/compliance training
    • Core competencies

    For example:

    • Software training (e.g. Salesforce)
    • Job shadowing to learn how to work equipment or to learn processes

    For example:

    • Mentoring
    • External courses
    • Support to work toward a certification

    In a crisis, not every training can be translated to a virtual environment in the short term. It’s also important to focus on critical learning activities versus the non-critical. Prioritize the training activities by examining the learning outcomes of each and asking:

    • What organizational training does every employee need to be a productive member of the organization?
    • What departmental or individual training do new hires need to be successful in their role?

    Lower priority or non-critical activities can be used to fill gaps in onboarding schedules or as extra activities to be completed if the new hire finds themselves with unexpected downtime to fill.

    Determine how onboarding training will be delivered virtually

    The image contains tabs, three main large tabs are labelled: Acclimate, Guide, and Develop. There are smaller tabs in between that are in relation to the three main ones.

    Who will facilitate virtual training sessions?

    • For large onboarding cohorts, consider live delivery via web conferencing where possible. This will create a more engaging training program and will allow new hires to interact with and ask questions of the presenter.
    • For individual new hires or small cohorts, have senior leaders or key personnel from across the organization record different trainings that are relevant for their role.
      • For example, training sessions about organizational culture can be delivered by the CEO or other senior leader, while sales training could be delivered by a sales executive.

      If there is a lack of resources, expertise, or time, outsource digital training to a content provider or through your LMS.

    What existing or free tools can be leveraged to immediately support digital training?

    • Laptops and PowerPoint to record training sessions that are typically delivered in-person
    • YouTube/Vimeo to host recorded lecture-format training
    • Company intranet to host links and files needed to complete training
    • Web conferencing software to host live training/orientation sessions (e.g. Webex)
    • LMS to host and track completion of learning content

    Want to learn more?

    Recruit IT Talent

    • Improve candidate experience to hire top IT talent.

    Recruit and Retain More Women in IT

    • Gender diversity is directly correlated to IT performance.

    Recruit and Retain People of Color in IT

    • Good business, not just good philanthropy.

    Adapt Your Onboarding Process to a Virtual Environment

    • Develop short-term solutions with a long-term outlook to quickly bring in new talent.

    Bibliography

    2021 Recruiter Nation Report. Survey Analysis, Jobvite, 2021. Web.

    “5 Global Stats Shaping Recruiting Trends.” The Undercover Recruiter, 2022. Web.

    Barr, Tavis, Raicho Bojilov, and Lalith Munasinghe. "Referrals and Search Efficiency: Who Learns What and When?" The University of Chicago Press, Journal of Labor Economics, vol. 37, no. 4, Oct. 2019. Web.

    “How to grow your team better, faster with an employee referral program.” Betterup, 10 Jan. 2022. Web.

    “Employee Value Proposition: How 25 Companies Define Their EVP.” Built In, 2021. Web.

    Global Leadership Forecast 2021. Survey Report, DDI World, 2021. Web.

    “Connecting Unemployed Youth with Organizations That Need Talent.” Harvard Business Review, 3 November 2016. Web.

    Ku, Daniel. “Social Recruiting: Everything You Need To Know for 2022.” PostBeyond, 26 November 2021. Web.

    Ladders Staff. “Shedding light on the job search.” Ladders, 20 May 2013. Web.

    Merin. “Campus Recruitment – Meaning, Benefits & Challenges.” HR Shelf, 1 February 2022. Web.

    Mobile Recruiting. Smart Recruiters, 2020. Accessed March 2022.

    Roddy, Seamus. “5 Employee Referral Program Strategies to Hire Top Talent.” Clutch, 22 April 2020. Web.

    Sinclair, James. “What The F*dge: That's Your Stranger Recruiting Budget?” LinkedIn, 11 November 2019. Web.

    “Ten Employer Examples of EVPs.” Workology, 2022. Web

    “The Higher Cost of a Bad Hire.” Robert Half, 15 March 2021. Accessed March 2022.

    Trost, Katy. “Hiring with a 90% Success Rate.” Katy Trost, Medium, 8 August 2022. Web.

    “Using Social Media for Talent Acquisition.” SHRM, 20 Sept. 2017. Web.

    Become a Transformational CIO

    • Buy Link or Shortcode: {j2store}86|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • Business transformations are happening, but CIOs are often involved only when it comes time to implement change. This makes it difficult for the CIO to be perceived as an organizational leader.
    • CIOs find it difficult to juggle operational activities, strategic initiatives, and involvement in business transformation.
    • CIOs don’t always have the IT organization structured and mobilized in a manner that facilitates the identification of transformation opportunities, and the planning for and the implementation of organization-wide change.

    Our Advice

    Critical Insight

    • Don’t take an ad hoc approach to transformation.
    • You’re not in it alone.
    • Your legacy matters

    Impact and Result

    • Elevate your stature as a business leader.
    • Empower the IT organization to act with a business mind first, and technology second.
    • Create a high-powered IT organization that is focused on driving lasting change, improving client experiences, and encouraging collaboration across the entire enterprise.
    • Generate opportunities for organizational growth, as manifested through revenue growth, profit growth, new market entry, new product development, etc.

    Become a Transformational CIO Research & Tools

    Start here – read the Executive Brief

    Read our Executive Brief to find out why you should undergo an evolution in your role as a business leader, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Are you ready to lead transformation?

    Determine whether you are ready to focus your attention on evolving your role.

    • Become a Transformational CIO – Phase 1: Are You Ready to Lead Transformation?

    2. Build business partnerships

    Create a plan to establish key business partnerships and position IT as a co-leader of transformation.

    • Become a Transformational CIO – Phase 2: Build Business Partnerships
    • Partnership Strategy Template

    3. Develop the capability to transform

    Mobilize the IT organization and prepare for the new mandate.

    • Become a Transformational CIO – Phase 3: Develop the Capability to Transform
    • Transformation Capability Assessment

    4. Shift IT’s focus to the customer

    Align IT with the business through a direct, concentrated focus on the customer.

    • Become a Transformational CIO – Phase 4: Shift IT’s Focus to the Customer
    • Transformational CIO Value Stream Map Template
    • Transformational CIO Business Capability Map Template

    5. Adopt a transformational approach to leadership

    Determine the key behaviors necessary for transformation success and delegate effectively to make room for new responsibilities.

    • Become a Transformational CIO – Phase 5: Adopt a Transformational Approach to Leadership
    • Office of the CIO Template

    6. Sustain the transformational capability

    Track the key success metrics that will help you manage transformation effectively.

    • Become a Transformational CIO – Phase 6: Sustain the Transformational Capability
    • Transformation Dashboard
    [infographic]

    Workshop: Become a Transformational CIO

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Determine Readiness to Become a Transformational CIO

    The Purpose

    Understand stakeholder and executive perception of the CIO’s performance and leadership.

    Determine whether the CIO is ready to lead transformation.

    Key Benefits Achieved

    Decision to evolve role or address areas of improvement as a pre-requisite to becoming a transformational CIO.

    Activities

    1.1 Select data collection techniques.

    1.2 Conduct diagnostic programs.

    1.3 Review results and define readiness.

    Outputs

    Select stakeholder and executive perception of the CIO

    Decision as to whether to proceed with the role evolution

    2 Build Business Partnerships

    The Purpose

    Identify potential business partners and create a plan to establish key partnerships.

    Key Benefits Achieved

    An actionable set of initiatives that will help the CIO create valuable partnerships with internal or external business stakeholders.

    Activities

    2.1 Identify potential business partners.

    2.2 Evaluate and prioritize list of potential partners.

    2.3 Create a plan to establish the target partnerships.

    Outputs

    Partnership strategy

    3 Establish IT’s Ability to Transform

    The Purpose

    Make the case and plan for the development of key capabilities that will enable the IT organization to handle transformation.

    Key Benefits Achieved

    A maturity assessment of critical capabilities.

    A plan to address maturity gaps in preparation for a transformational mandate.

    Activities

    3.1 Define transformation as a capability.

    3.2 Assess the current and target transformation capability maturity.

    3.3 Develop a roadmap to address gaps.

    Outputs

    Transformation capability assessment

    Roadmap to develop the transformation capability

    4 Shift IT’s Focus to the Customer

    The Purpose

    Gain an understanding of the end customer of the organization.

    Key Benefits Achieved

    A change in IT mindset away from a focus on operational activities or internal customers to external customers.

    A clear understanding of how the organization creates and delivers value to customers.

    Opportunities for business transformation.

    Activities

    4.1 Analyze value streams that impact the customer.

    4.2 Map business capabilities to value streams.

    Outputs

    Value stream maps

    Business capability map

    5 Establish Transformation Leadership and Sustain the Capability

    The Purpose

    Establish a formal process for empowering employees and developing new leaders.

    Create a culture of continuous improvement and a long-term focus.

    Key Benefits Achieved

    Increased ability to sustain momentum that is inherent to business transformations.

    Better strategic workforce planning and a clearer career path for individuals in IT.

    A system to measure IT’s contribution to business transformation.

    Activities

    5.1 Set the structure for the office of the CIO.

    5.2 Assess current leadership skills and needs.

    5.3 Spread a culture of self-discovery.

    5.4 Maintain the transformation capability.

    Outputs

    OCIO structure document

    Transformational leadership dashboard

    Develop a Web Experience Management Strategy

    • Buy Link or Shortcode: {j2store}555|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Web Experience Management (WEM) solutions have emerged as applications that provide marketers and other customer experience professionals with a complete set of tools for web content management, delivery, campaign execution, and site analytics.
    • However, many organizations are unsure of how to leverage these new technologies to enhance their customer interaction strategy.

    Our Advice

    Critical Insight

    • WEM products are not a one-size-fits-all investment: unique evaluations and customization is required in order to deploy a solution that fits your organization.
    • WEM technology often complements core CRM and marketing management products – it does not supplant it, and must augment the rest of your customer experience management portfolio.
    • WEM provides benefits by giving web visitors a better experience – leveraging tools such as web analytics gives the customer a tailored experience. Marketing can then monitor their behavior and use this information to warm leads.

    Impact and Result

    • Deploy a WEM platform and execute initiatives that will strengthen the web-facing customer experience, improving customer satisfaction and unlocking new revenue opportunities.
    • Avoid making unnecessary new WEM investments.
    • Make informed decisions about the types of technologies and initiatives that are necessary to support WEM.

    Develop a Web Experience Management Strategy Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should develop a WEM strategy, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Harness the value of web experience management

    Make the case for a web experience management suite and structure the WEM strategy project.

    • Develop a Web Experience Management Strategy Phase 1: Harness the Value of Web Experience Management
    • Web Experience Management Strategy Summary Template
    • WEM Project Charter Template

    2. Create the vision for web experience management

    Identify the target state WEM strategy, assess current state, and identify gaps.

    • Develop a Web Experience Management Strategy Phase 2: Create the Vision for Web Experience Management

    3. Execute initiatives for WEM deployment

    Build the WEM technology stack and create a web strategy initiatives roadmap.

    • Develop a Web Experience Management Strategy Phase 3: Execute Initiatives for WEM Deployment
    • Web Process Automation Investment Appropriateness Assessment Tool
    [infographic]

    Workshop: Develop a Web Experience Management Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the WEM Selection Project

    The Purpose

    Discuss the general project overview for the WEM selection.

    Key Benefits Achieved

    Launch of your WEM selection project.

    Development of your organization’s WEM requirements. 

    Activities

    1.1 Facilitation of activities from the Launch the WEM Project and Collect Requirements phase, including project scoping and resource planning.

    1.2 Conduct overview of the WEM market landscape, trends, and vendors.

    1.3 Conduct process mapping for selected marketing processes.

    1.4 Interview business stakeholders.

    1.5 Prioritize WEM functional requirements.

    Outputs

    WEM Procurement Project Charter

    WEM Use-Case Fit Assessment

    2 Plan the Procurement and Implementation Process

    The Purpose

    Plan the procurement and the implementation of the WEM solution.

    Key Benefits Achieved

    Selection of a WEM solution.

    A plan for implementing the selected WEM solution. 

    Activities

    2.1 Complete marketing process mapping with business stakeholders.

    2.2 Interview IT staff and project team, identify technical requirements for the WEM suite, and document high-level solution requirements.

    2.3 Perform a use-case scenario assessment, review use-case scenario results, identify use-case alignment, and review the WEM Vendor Landscape vendor profiles and performance.

    2.4 Create a custom vendor shortlist and investigate additional vendors for exploration in the marketplace.

    2.5 Meet with project manager to discuss results and action items.

    Outputs

    Vendor Shortlist

    WEM RFP

    Vendor Evaluations

    Selection of a WEM Solution

    WEM projected work break-down

    Implementation plan

    Framework for WEM deployment and CRM/Marketing Management Suite Integration

    Marketing Management Suite Software Selection Guide

    • Buy Link or Shortcode: {j2store}552|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Selecting and implementing the right MMS platform – one that aligns with your requirements is a significant undertaking.
    • Despite the importance of selecting and implementing the right MMS platform, many organizations struggle to define an approach to picking the most appropriate vendor and rolling out the solution in an effective and cost-efficient manner.
    • IT often finds itself in the unenviable position of taking the fall for an MMS platform that doesn’t deliver on the promise of the MMS strategy.

    Our Advice

    Critical Insight

    • MMS platform selection must be driven by your overall customer experience management strategy. Link your MMS selection to your organization’s CXM framework.
    • Determine what exactly you require from your MMS platform; leverage use cases to help guide selection.
    • Ensure strong points of integration between your MMS and other software such as CRM and POS. Your MMS solution should not live in isolation; it must be part of a wider ecosystem.

    Impact and Result

    • An MMS platform that effectively meets business needs and delivers value.
    • Reduced costs during MMS vendor platform selection and faster time to results after implementation.

    Marketing Management Suite Software Selection Guide Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Marketing Management Suite Software Selection Guide – A deck that walks you through the process of building your business case and selecting the proper MMS platform.

    This blueprint will help you build a business case for selecting the right MMS platform, define key requirements, and conduct a thorough analysis and scan of the current state of the ever-evolving MMS market space.

    • Marketing Management Suite Software Selection Guide Storyboard
    [infographic]

    Further reading

    Marketing Management Suite Software Selection Guide

    Streamline your organizational approach to selecting a right-sized marketing management platform.

    Analyst perspective

    A robustly configured and comprehensive MMS platform is a crucial ingredient to help kick-start your organization's cross-channel and multichannel marketing management initiatives.

    Modern marketing management suites (MMS) are imperative given today's complex, multitiered, and often non-standardized marketing processes. Relying on isolated methods such as lead generation or email marketing techniques for executing key cross-channel and multichannel marketing initiatives is not enough to handle the complexity of contemporary marketing management activities.

    Organizations need to invest in highly customizable and functionally extensive MMS platforms to provide value alongside the marketing value chain and a 360-degree view of the consumer's marketing journey. IT needs to be rigorously involved with the sourcing and implementation of the new MMS tool, and the necessary business units also need to own the requirements and be involved from the initial stages of software selection.

    To succeed with MMS implementation, consider drafting a detailed roadmap that outlines milestone activities for configuration, security, points of integration, and data migration capabilities and provides for ongoing application maintenance and support.

    This is a picture of Yaz Palanichamy

    Yaz Palanichamy
    Senior Research Analyst, Customer Experience Strategy
    Info-Tech Research Group

    Executive summary

    Your Challenge

    • Many organizations struggle with taking a systematic and structured approach to selecting a right-sized marketing management suite (MMS) – an indispensable part of managing an organization's specific and nuanced marketing management needs.
    • Organizations must define a clear-cut strategic approach to investing in a new MMS platform. Exercising the appropriate selection and implementation rigor for a right-sized MMS tool is a critical step in delivering concrete business value to sustain various marketing value chains across the organization.

    Common Obstacles

    • An MMS vendor that is not well aligned to marketing requirements wastes resources and causes an endless cascade of end-user frustration.
    • The MMS market is rapidly evolving, making it difficult for vendors to retain a competitive foothold in the space.
    • IT managers and/or marketing professionals often find themselves in the unenviable position of taking the fall for MMS platforms that fail to deliver on the promise of the overarching marketing management strategy.

    Info-Tech's Approach

    • MMS platform selection must be driven by your overall marketing management strategy. Email marketing techniques, social marketing, and/or lead management strategies are often not enough to satisfy the more sophisticated use cases demanded by increasingly complex customer segmentation levels.
    • For organizations with a large audience or varied product offerings, a well-integrated MMS platform enables the management of various complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.

    Info-Tech Insight

    IT must collaborate with marketing professionals and other key stakeholder groups to define a unified vision and holistic outlook for a right-sized MMS platform.

    Info-Tech's methodology for selecting a right-sized marketing management suite platform

    1. Understand Core MMS Features

    2. Build the Business Case & Streamline Requirements

    3. Discover the MMS Market Space & Prepare for Implementation

    Phase Steps

    1. Define MMS Platforms
    2. Classify Table Stakes & Differentiating Capabilities
    3. Explore Trends
    1. Build the Business Case
    2. Streamline the Requirements Elicitation Process for a New MMS Platform
    3. Develop an Inclusive RFP Approach
    1. Discover Key Players in the Vendor Landscape
    2. Engage the Shortlist & Select Finalist
    3. Prepare for Implementation

    Phase Outcomes

    1. Consensus on scope of MMS and key MMS platform capabilities
    1. MMS platform selection business case
    2. Top-level use cases and requirements
    3. Procurement vehicle best practices
    1. Market analysis of MMS platforms
    2. Overview of shortlisted vendors
    3. Implementation considerations

    Guided Implementation

    What does a typical GI on this topic look like?

    Phase 1 Phase 2 Phase 3

    Call #1: Understand what a marketing management suite is. Discuss core capabilities and key trends.

    Call #2: Build the business case
    to select a right-sized MMS.

    Call #3: Define your core
    MMS requirements.

    Call #4: Build and sustain procurement vehicle best practices.

    Call #5: Evaluate the MMS vendor landscape and short-list viable options.


    Call #6: Review implementation considerations.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    The MMS procurement process should be broken into segments:

    1. Create a vendor shortlist using this buyer's guide.
    2. Define a structured approach to selection.
    3. Review the contract.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    EXECUTIVE BRIEF

    What are marketing management suite platforms?

    Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.

    Key product capabilities for sophisticated MMS platforms include but are not limited to:

    • Email marketing
    • Lead nurturing
    • Social media management
    • Content curation and distribution
    • Marketing reporting and analytics
    • Consistent brand messaging

    Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.

    Info-Tech Insight

    Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well- integrated multichannel campaigns.

    Marketing Management Suite Software Selection Buyer's Guide

    Info-Tech Insight

    A right-sized MMS software selection and procurement decision should involve comprehensive requirements and needs analysis by not just Marketing but also other organizational units such as IT, in conjunction with input suppled from the internal vendor procurement team.

    MMS Software Selection & Vendor Procurement Journey. The three main steps are: Envision the Art of the Possible; Elicit Granular Requirements; Contextualize the MMS Vendor Market Space

    Phase 1

    Understand Core MMS Features

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Level-set an understanding of MMS technology.
    • Define which MMS features are table stakes (standard) and which are key differentiating functionalities.
    • Identify the art of the possible in a modern MMS platform from sales, marketing, and service lenses.

    This phase involves the following participants:

    • CMO
    • Digital Marketing Project Manager
    • Marketing Data Analytics Analyst
    • Marketing Management Executive

    What are marketing management suite platforms?

    Our Definition: Marketing management suite (MMS) platforms are core enterprise applications that provide a unified set of marketing processes for a given organization and, typically, the capability to coordinate key cross-channel marketing initiatives.

    Key product capabilities for sophisticated MMS platforms include but are not limited to:

    • Email marketing
    • Lead nurturing
    • Social media management
    • Content curation and distribution
    • Marketing reporting and analytics
    • Consistent brand messaging

    Using a robust and comprehensive MMS platform equips marketers with the appropriate tools needed to make more informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention initiatives. Moreover, such tools can help bolster effective revenue generation and ensure more viable growth initiatives for future marketing growth enablement strategies.

    Info-Tech Insight

    Feature sets are rapidly evolving over time as MMS offerings continue to proliferate in this market space. Ensure that you focus on core components such as customer conversion rates and new lead captures through maintaining well- integrated multichannel campaigns.

    Marketing through the ages

    Tracing the foundational origins of marketing management practices

    Initial traction for marketing management strategies began with the need to holistically understand the effects of advertising efforts and how the media mix could be best optimized.

    1902

    1920s-1930s

    1942

    1952-1964

    1970s-1990s

    Recognizing the increasing need for focused and professional marketing efforts, the University of Pennsylvania offers the first marketing course, dubbed "The Marketing of Products."

    As broadcast media began to peak, marketers needed to manage a greater number of complex and interspersed marketing channels.

    The introduction of television ads in 1942 offered new opportunities for brands to reach consumers across a growing media landscape. To generate the highest ROI, marketers sought to understand the consumer and focus on more tailored messaging and product personalization. Thus, modern marketing practices were born.

    Following the introduction of broadcast media, marketers had to develop strategies beyond traditional spray-and-pray methods. The first modern marketing measurement concept, "marketing mix," was conceptualized in 1952 and popularized in 1964 by Neil Borden.

    This period marked the digital revolution and the new era of marketing. With the advent of new communications technology and the modern internet, marketing management strategies reached new heights of sophistication. During the early 1990s, search engines emerged to help users navigate the web, leading to early forms of search engine optimization and advertising.

    Where it's going: the future state of marketing management

    1. Increasing Complexity Driving Consumer Purchasing Decisions
      • "The main complexity is dealing with the increasing product variety and changing consumer demands, which is forcing marketers to abandon undifferentiated marketing strategies and even niche marketing strategies and to adopt a mass customization process interacting one-to-one with their customers." – Complexity, 2019
    2. Consumers Seeking More Tailored Brand Personalization
      • Financial Services marketers lead all other industries in AI application adoption, with 37% currently using them (Salesforce, 2019).
    3. The Inclusion of More AI-Enabled Marketing Strategies
      • According to a 2022 Nostro report, 70% of consumers say it is important that brands continue to offer personalized consumer experiences.
    4. Green Marketing
      • Recent studies have shown that up to 80% of all consumers are interested in green marketing strategies (Marketing Schools, 2020).

    Marketing management by the numbers

    Key trends

    6%

    As a continuously growing discipline, marketing management roles are predicted to grow faster than average, at a rate of 6% over the next decade.

    Source: U.S. Bureau of Labor Statistics, 2021

    17%

    While many marketing management vendors offer A/B testing, only 17% of marketers are actively using A/B testing on landing pages to increase conversion rates.

    Source: Oracle, 2022

    70%

    It is imperative that technology and SaaS companies begin to use marketing automation as a core component of their martech strategy to remain competitive. About 70% of technology and SaaS companies are employing integrated martech tools.

    Source: American Marketing Association, 2021

    Understand MMS table stakes features

    Organizations can expect nearly all MMS vendors to provide the following functionality

    Email Marketing

    Lead Nurturing

    Reporting, Analytics, and Marketing KPIs

    Marketing Campaign Management

    Integrational Catalog

    The use of email alongside marketing efforts to promote a business' products and services. Email marketing can be a powerful tool to maintain connections with your audience and ensure sustained brand promotion.

    The process of developing and nurturing relationships with key customer contacts at every major touchpoint in their customer journey. MMS platforms can use automated lead-nurturing functions that are triggered by customer behavior.

    The use of well-defined metrics to help curate, gather, and analyze marketing data to help track performance and improve the marketing department's future marketing decisions and strategies.

    Tools needed for the planning, execution, tracking, and analysis of direct marketing campaigns. Such tools are needed to help gauge your buyers' sentiments toward your company's product offerings and services.

    MMS platforms should generally have a comprehensive open API/integration catalog. Most MMS platforms should have dedicated integration points to interface with various tools across the marketing landscape (e.g. social media, email, SEO, CRM, CMS tools, etc.).

    Identify differentiating MMS features

    While not always deemed must-have functionality, these features may be the deciding factor when choosing between two MMS-focused vendors.

    Digital Asset Management (DAM)

    A DAM can help manage digital media asset files (e.g. photos, audio files, video).

    Customer Data Management

    Customer data management modules help your organization track essential customer information to maximize your marketing results.

    Text-Based Marketing

    Text-based marketing strategy is ideal for any organization primarily focused on coordinating structured and efficient marketing campaigns.

    Customer
    Journey Orchestration

    Customer journey orchestration enables users to orchestrate customer conversations and journeys across the entire marketing value chain.

    AI-Driven Workflows

    AI-powered workflows can help eliminate complexities and allow marketers to automate and optimize tasks across the marketing spectrum.

    Dynamic Segmentation

    Dynamic segmentation to target audience cohorts based on recent actions and stated preferences.

    Advanced Email Marketing

    These include capabilities such as A/B testing, spam filter testing, and detailed performance reporting.

    Ensure you understand the art of the possible across the MMS landscape

    Understanding the trending feature sets that encompass the broader MMS vendor landscape will best equip your organization with the knowledge needed to effectively match today's MMS platforms with your organization's marketing requirements.

    Holistically examine the potential of any MMS solution through three main lenses:

    Data-Driven
    Digital Advertising

    Adapt innovative techniques such as conversational marketing to help collect, analyze, and synthesize crucial audience information to improve the customer marketing experience and pre-screen prospects in a more conscientious manner.

    Next Best Action Marketing

    Next best action marketing (NBAM) is a customer-centric paradigm/marketing technique designed to capture specific information about customers and their individual preferences. Predicting customers' future actions by understanding their intent during their purchasing decisions stage will help improve conversion rates.

    AI-Driven Customer
    Segmentation

    The use of inclusive and innovative AI-based forecast modeling techniques can help more accurately analyze customer data to create more targeted segments. As such, marketing messages will be more accurately tailored to the customer that is reading them.

    Art of the possible: data-driven digital advertising

    CONVERSATIONAL MARKETING INTELLIGENCE

    Are you curious about the measures needed to boost engagement among your client base and other primary target audience groups? Conversational marketing intelligence metrics can help collect and disseminate key descriptive data points across a broader range of audience information.

    AI-DRIVEN CONVERSATIONAL MARKETING DEVICES

    Certain social media channels (e.g. LinkedIn and Facebook) like to take advantage of click-to-Messenger-style applications to help drive meaningful conversations with customers and learn more about their buying preferences. In addition, AI-driven chatbot applications can help the organization glean important information about the customer's persona by asking probing questions about their marketing purchase behaviors and preferences.

    METAVERSE- DRIVEN BRANDING AND ADVERTISING

    One of the newest phenomena in data-driven marketing technology and digital advertising techniques is the metaverse, where users can represent themselves and their brand via virtual avatars to further gamify their marketing strategies. Moreover, brands can create immersive experiences and engage with influencers and established communities and collect a wealth of information about their audience that can help drive customer retention and loyalty.

    Case study

    This is the logos for Gucci and Roblox.

    Metaverse marketing extends the potential for commercial brand development and representation: a deep dive into Gucci's metaverse practice

    INDUSTRY: Luxury Goods Apparel
    SOURCE: Vogue Business

    Challenge

    Beginning with a small, family-owned leather shop known as House of Gucci in Florence, Italy, businessman and fashion designer Guccio Gucci sold saddles, leather bags, and other accessories to horsemen during the 1920s. Over the years, Gucci's offerings have grown to include various other personal luxury goods.

    As consumer preferences have evolved over time, particularly with the younger generation, Gucci's professional marketing teams looked to invest in virtual technology environments to help build and sustain better brand awareness among younger consumer audiences.

    Solution

    In response to the increasing presence of metaverse-savvy gamers on the internet, Gucci began investing in developing its online metaverse presence to bolster its commercial marketing brand there.

    A recent collaboration with Roblox, an online gaming platform that offers virtual experiences, provided Gucci the means to showcase its fashion items using the Gucci Garden – a virtual art installation project for Generation Z consumers, powered by Roblox's VR technology. The Gucci Garden virtual system featured a French-styled garden environment where players could try on and buy Gucci virtual fashion items to dress up their blank avatars.

    Results

    Gucci's disruptive, innovative metaverse marketing campaign project with Roblox is proof of its commitment to tapping new marketing growth channels to showcase the brand to engage new and prospective consumers (e.g. Roblox's player base) across more unique sandboxed/simulation environments.

    The freedom and flexibility in the metaverse environments allows brands such as Gucci to execute a more flexible digital marketing approach and enables them to take advantage of innovative metaverse-driven technologies in the market to further drive their data-driven digital marketing campaigns.

    Art of the possible: next best action marketing (NBAM)

    NEXT BEST ACTION PREDICTIVE MODELING

    To improve conversion propensity, next best action techniques can use predictive modeling methods to help build a dynamic overview of the customer journey. With information sourced from actionable marketing intelligence data, MMS platforms can use NBAM techniques to identify customer needs based on their buying behavior, social media interactions, and other insights to determine what unique set of actions should be taken for each customer.

    MACHINE LEARNING–BASED RECOMMENDER SYSTEMS

    Rules-based recommender systems can help assign probabilities of purchasing behaviors based on the patterns in touchpoints of a customer's journey and interaction with your brand. For instance, a large grocery chain company such as Walmart or Whole Foods will use ML-based recommender systems to decide what coupons they should offer to their customers based on their purchasing history.

    Art of the possible: AI-driven customer segmentation

    MACHINE/DEEP LEARNING (ML/DL) ALGORITHMS

    The inclusion of AI in data analytics helps make customer targeting more accurate
    and meaningful. Organizations can analyze customer data more thoroughly and generate in-depth contextual and descriptive information about the targeted segments. In addition, they can use this information to automate the personalization of marketing campaigns for a specific target audience group.

    UNDERSTANDING CUSTOMER SENTIMENTS

    To greatly benefit from AI-powered customer segmentation, organizations must deploy specialized custom AI solutions to help organize qualitative comments into quantitative data. This approach requires companies to use custom AI models and tools that will analyze customer sentiments and experiences based on data extracted from various touchpoints (e.g. CRM systems, emails, chatbot logs).

    Phase 2

    Build the Business Case and Streamline Requirements

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Define and build the business case for the selection of a right-sized MMS platform.
    • Elicit and prioritize granular requirements for your MMS platform.

    This phase involves the following participants:

    • CMO
    • Technical Marketing Analyst
    • Digital Marketing Project Manager
    • Marketing Data Analytics Analyst
    • Marketing Management Executive

    Software Selection Engagement

    5 Advisory Calls over a 5-Week Period to Accelerate Your Selection Process

    Expert analyst guidance over 5 weeks on average to select software and negotiate with the vendor.

    Save money, align stakeholders, speed up the process and make better decisions.

    Use a repeatable, formal methodology to improve your application selection process.

    Better, faster results, guaranteed, included in your membership.

    This is an image of the plan for five advisory calls over a five-week period.

    CLICK HERE to book your Selection Engagement

    Elicit and prioritize granular requirements for your marketing management suite (MMS) platform

    Understanding business needs through requirements gathering is the key to defining everything you need from your software. However, it is an area where people often make critical mistakes.

    Poorly scoped requirements

    Best practices

    • Fail to be comprehensive and miss certain areas of scope.
    • Focus on how the solution should work instead of what it must accomplish.
    • Have multiple levels of detail within the requirements, causing inconsistency and confusion.
    • Drill all the way down to system-level detail.
    • Add unnecessary constraints based on what is done today rather than focusing on what is needed for tomorrow.
    • Omit constraints or preferences that buyers think are obvious.
    • Get a clear understanding of what the system needs to do and what it is expected to produce.
    • Test against the principle of MECE – requirements should be "mutually exclusive and collectively exhaustive."
    • Explicitly state the obvious and assume nothing.
    • Investigate what is sold on the market and how it is sold. Use language that is consistent with that of the market and focus on key differentiators – not table stakes.
    • Contain the appropriate level of detail – the level should be suitable for procurement and sufficient for differentiating vendors.

    Info-Tech Insight
    Poor requirements are the number one reason projects fail. Review Info-Tech's Improve Requirements Gathering blueprint to learn how to improve your requirements analysis and get results that truly satisfy stakeholder needs.

    Info-Tech's approach

    Develop an inclusive and thorough approach to the RFP process

    Identity Need; Define Business requirements; Gain Business Authorization; Perform RFI/RFP; Negotiate Agreement; Purchase Goods and Services; Assess and Measure Performance.

    Info-Tech Insight

    Review Info-Tech's process and understand how you can prevent your organization from leaking negotiation leverage while preventing vendors from taking control of your RFP.

    The Info-Tech difference:

    1. The secret to managing an RFP is to make it as manageable and as thorough as possible. The RFP process should be like any other aspect of business – by developing a standard process. With a process in place, you are better able to handle whatever comes your way, because you know the steps you need to follow to produce a top-notch RFP.
    2. The business then identifies the need for more information about a product/service or determines that a purchase is required.
    3. A team of stakeholders from each area impacted gather all business, technical, legal, and risk requirements. What are the expectations of the vendor relationship post-RFP? How will the vendors be evaluated?
    4. Based on the predetermined requirements, either an RFI or an RFP is issued to vendors with a due date.

    Leverage Info-Tech's Contract Review Service to level the playing field with your shortlisted vendors

    You may be faced with multiple products, services, master service agreements, licensing models, service agreements, and more.
    Use Info-Tech's Contract Review Service to gain insights on your agreements:

    1. Are all key terms included?
    2. Are they applicable to your business?
    3. Can you trust that results will be delivered?
    4. What questions should you be asking from an IT perspective?

    Validate that a contract meets IT's and the business' needs by looking beyond the legal terminology. Use a practical set of questions, rules, and guidance to improve your value for dollar spent.

    This is an image of three screenshots from Info-Tech's Contract Review Service.

    CLICK to BOOK The Contract Review Service

    CLICK to DOWNLOAD Master Contract Review and Negotiation for Software Agreements

    Phase 3

    Discover the MMS Market Space and Prepare for Implementation

    Phase 1

    Phase 2

    Phase 3

    1.1 Define MMS Platforms

    1.2 Classify Table Stakes & Differentiating Capabilities

    1.3 Explore Trends

    2.1 Build the Business Case

    2.2 Streamline Requirements Elicitation

    2.3 Develop an Inclusive RFP Approach

    3.1 Discover Key Players in the Vendor Landscape

    3.2 Engage the Shortlist & Select Finalist

    3.3 Prepare for Implementation

    This phase will walk you through the following activities:

    • Dive into the key players of the MMS vendor landscape.
    • Understand best practices for building a vendor shortlist.
    • Understand key implementation considerations for MMS.

    This phase involves the following participants:

    • CMO
    • Marketing Management Executive
    • Applications Manager
    • Digital Marketing Project Manager
    • Sales Executive
    • Vendor Outreach and Partnerships Manager

    Review your use cases to start your shortlist

    Your Info-Tech analysts can help you narrow down the list of vendors that will meet your requirements.

    Next steps will include:

    1. Reviewing your requirements.
    2. Checking out SoftwareReviews.
    3. Shortlisting your vendors.
    4. Conducting demos and detailed proposal reviews.
    5. Selecting and contracting with a finalist!

    Get to know the key players in the MMS landscape

    The following slides provide a top-level overview of the popular players you will encounter in your MMS shortlisting process.

    This is a series of images of the logos for the companies which will be discussed later in this blueprint.

    Evaluate software category leaders through vendor rankings and awards

    SoftwareReviews

    This is an image of two screenshots from the Data Quadrant Report.

    The Data Quadrant is a thorough evaluation and ranking of all software in an individual category to compare platforms across multiple dimensions.

    Vendors are ranked by their Composite Score, based on individual feature evaluations, user satisfaction rankings, vendor capability comparisons, and likeliness to recommend the platform.

    This is an image of two screenshots from the Emotional Footprint Report.

    The Emotional Footprint is a powerful indicator of overall user sentiment toward the relationship with the vendor, capturing data across five dimensions.

    Vendors are ranked by their Customer Experience (CX) Score, which combines the overall Emotional Footprint rating with a measure of the value delivered by the solution.

    Speak with category experts to dive deeper into the vendor landscape

    SoftwareReviews

    • Fact-based reviews of business software from IT professionals.
    • Product and category reports with state-of-the-art data visualization.
    • Top-tier data quality backed by a rigorous quality assurance process.
    • User-experience insight that reveals the intangibles of working with a vendor.

    CLICK HERE to ACCESS

    Comprehensive software reviews
    to make better IT decisions

    We collect and analyze the most detailed reviews on enterprise software from real users to give you an unprecedented view into the product and vendor before you buy.

    SoftwareReviews is powered by Info-Tech

    Technology coverage is a priority for Info-Tech, and SoftwareReviews provides the most comprehensive unbiased data on today's technology. Combined with the insight of our expert analysts, our members receive unparalleled support in their buying journey.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Advanced Campaign Management
    • Email Marketing Automation
    • Multichannel Integration

    Areas to Improve:

    • Mobile Marketing Management
    • Advanced Data Segmentation
    • Pricing Sensitivity and Implementation Support Model

    This is an image of SoftwareReviews analysis for Adobe Experience Cloud.

    history

    This is the Logo for Adobe Experience Cloud

    "Adobe Experience Cloud (AEC), formerly Adobe Marketing Cloud (AMC), provides a host of innovative multichannel analytics, social, advertising, media optimization, and content management products (just to name a few). The Adobe Marketing Cloud package allows users with valid subscriptions to download the entire collection and use it directly on their computer with open access to online updates. Organizations that have a deeply ingrained Adobe footprint and have already reaped the benefits of Adobe's existing portfolio of cloud services products (e.g. Adobe Creative Cloud) will find the AEC suite a functionally robust and scalable fit for their marketing management and marketing automation needs.

    However, it is important to note that AEC's pricing model is expensive when compared to other competitors in the space (e.g. Sugar Market) and, therefore, is not as affordable for smaller or mid-sized organizations. Moreover, there is the expectation of a learning curve with the AEC platform. Newly onboarded users will need to spend some time learning how to navigate and work comfortably with AEC's marketing automaton modules. "
    - Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Adobe Experience Cloud Platform pricing is opaque.
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    2021

    Adobe Experience Platform Launch is integrated into the Adobe Experience Platform as a suite of data collection technologies (Experience League, Adobe).

    November 2020

    Adobe announces that it will spend $1.5 billion to acquire Workfront, a provider of marketing collaboration software (TechTarget, 2020).

    September 2018

    Adobe acquires marketing automation software company Marketo (CNBC, 2018).

    June 2018

    Adobe buys e-commerce services provider Magento Commerce from private equity firm Permira for $1.68 billion (TechCrunch, 2018).

    2011

    Adobe acquires DemDex, Inc. with the intention of adding DemDex's audience-optimization software to the Adobe Online Marketing Suite (Adobe News, 2011).

    2009

    Adobe acquires online marketing and web analytics company Omniture for $1.8 billion and integrates its products into the Adobe Marketing Cloud (Zippia, 2022).

    Adobe platform launches in December 1982.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Workflow Management
    • Advanced Data Segmentation
    • Marketing Operations Management

    Areas to Improve:

    • Email Marketing Automation
    • Marketing Asset Management
    • Process of Creating and/or Managing Marketing Lists

    This is an image of SoftwareReviews analysis for Dynamics 365

    history

    This is the logo for Dynamics 365

    2021

    Microsoft Dynamics 365 suite adds customer journey orchestration as a viable key feature (Tech Target, 2021)

    2019

    Microsoft begins adding to its Dynamics 365 suite in April 2019 with new functionalities such as virtual agents, fraud detection, new mixed reality (Microsoft Dynamics 365 Blog, 2019).

    2017

    Adobe and Microsoft expand key partnership between Adobe Experience Manager and Dynamics 365 integration (TechCrunch, 2017).

    2016

    Microsoft Dynamics CRM paid seats begin growing steadily at more than 2.5x year-over-year (TechCrunch, 2016).

    2016

    On-premises application, called Dynamics 365 Customer Engagement, contains the Dynamics 365 Marketing Management platform (Learn Microsoft, 2023).

    Microsoft Dynamics 365 product suite is released on November 1, 2016.

    "Microsoft Dynamics 365 for Marketing remains a viable option for organizations that require a range of innovative MMS tools that can provide a wealth of functional capabilities (e.g. AI-powered analytics to create targeted segments, A/B testing, personalizing engagement for each customer). Moreover, Microsoft Dynamics 365 for Marketing offers trial options to sandbox their platform for free for 30 days to help users familiarize themselves with the software before buying into the product suite.

    However, ensure that you have the time to effectively train users on implementing the MS Dynamics 365 platform. The platform does not score high on customizability in SoftwareReviews reports. Developers have only a limited ability to modify the core UI, so organizations need to be fully equipped with the knowledge needed to successfully navigate MS-based applications to take full advantage of the platform. For organizations deep in the Microsoft stack, D365 Marketing is a compelling option."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Dynamics 365
    Marketing

    Dynamics 365
    Marketing (Attachment)

    • Starts from $1,500 per tenant/month*
    • Includes 10,000 contacts, 100,000 interactions, and 1,000 SMS messages
    • For organizations without any other Dynamics 365 application
    • Starts from $750 per tenant/month*
    • Includes 10,000 contacts, 100,000 interactions, and 1,000 SMS messages
    • For organizations with a qualifying Dynamics 365 application

    * Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Analytics
    • Marketing Workflow Management
    • Lead Nurturing

    Areas to Improve:

    • Advanced Campaign Management
    • Email Marketing Automation
    • Marketing Segmentation

    This is an image of SoftwareReviews analysis for HubSpot

    history

    This is an image of the Logo for HubSpot

    2022

    HubSpot Marketing Hub releases Campaigns 2.0 module for its Marketing Hub platform (HubSpot, 2022).

    2018


    HubSpot announces the launch of its Marketing Hub Starter platform, a new offering that aims to give growing teams the tools they need to start marketing right (HubSpot Company News, 2018).

    2014

    HubSpot celebrates its first initial public offering on the NYSE market (HubSpot Company News, 2014).

    2013

    HubSpot opens its first international office location in Dublin, Ireland
    (HubSpot News, 2013).

    2010

    Brian Halligan and Dharmesh Shah write "Inbound Marketing," a seminal book that focuses on inbound marketing principles (HubSpot, n.d.).

    HubSpot opens for business in Cambridge, MA, USA, in 2005.

    "HubSpot's Marketing Hub software ranks consistently high in scores across SoftwareReviews reports and remains a strong choice for organizations that want to run successful inbound marketing campaigns that make customers interested and engaged with their business. HubSpot Marketing Hub employs comprehensive feature sets, including the option to streamline ad tracking and management, perform various audience segmentation techniques, and build personalized and automated marketing campaigns.

    However, SoftwareReviews reports indicate end users are concerned that HubSpot Marketing Hub's platform may be slightly overpriced in recent years and not cost effective for smaller and mid-sized companies that are working with a limited budget. Moreover, when it comes to mobile user accessibility reports, HubSpot's Marketing Hub does not directly offer data usage reports in relation to how mobile users navigate various web pages on the customer's website."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    HubSpot Marketing Hub (Starter Package)

    HubSpot Marketing Hub (Professional Package)

    HubSpot Marketing Hub (Enterprise Package)

    • Starts from $50/month*
    • Includes 1,000 marketing contacts
    • All non-marketing contacts are free, up to a limit of 15 million overall contacts (marketing contacts + non-marketing contracts)
    • Starts from $890/month*
    • Includes 2,000 marketing contacts
    • Onboarding is required for a one-time fee of $3,000
    • Starts from $3600/month*
    • Includes 10,000 marketing contacts
    • Onboarding is required for a one-time fee of $6,000

    *Pricing correct as of October 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Email Marketing Automation
    • Customer Journey Mapping
    • Contacts Management

    Areas to Improve:

    • Pricing Model Flexibility
    • Integrational API Support
    • Antiquated UI/CX Design Elements

    This is an image of SoftwareReviews analysis for Maropost

    history

    This is an image of the Logo for MAROPOST Marketing Cloud

    2022

    Maropost acquires Retail Express, leading retail POS software in Australia for $55M (PRWire, 2022).

    2018


    Maropost develops innovative product feature updates to its marketing cloud platform (e.g. automated social campaign management, event segmentation for mobile apps) (Maropost, 2019).

    2015

    US-based communications organization Success selects Maropost Marketing Cloud for marketing automation use cases (Apps Run The World, 2015).

    2017

    Maropost is on track to become one of Toronto's fastest-growing companies, generating $30M in annual revenue (MarTech Series, 2017).

    2015

    Maropost is ranked as a "High Performer" in the Email Marketing category in a G2 Crowd Grid Report (VentureBeat, 2015).

    Maropost is founded in 2011 as a customer-centric ESP platform.

    Maropost Marketing Cloud – Essential

    Maropost
    Marketing Cloud –Professional

    Maropost
    Marketing Cloud –Enterprise

    • Starts from $279/month*
    • Includes baseline features such as email campaigns, A/B campaigns, transactional emails, etc.
    • Starts from $849/month*
    • Includes additional system functionalities of interest (e.g. mobile keywords, more journeys for marketing automation use cases)
    • Starts from $1,699/month*
    • Includes unlimited number of journeys
    • Upper limit for custom contact fields is increased by 100-150

    *Pricing correct as of October 2022. Listed in USD and absent discounts.
    See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Advanced Data Segmentation
    • Marketing Analytics
    • Multichannel Integration

    Areas to Improve:

    • Marketing Operations
      Management
    • Marketing Asset Management
    • Community Marketing Management

    This is an image of SoftwareReviews analysis for Oracle Marketing Cloud.

    history

    This is an image of the Logo for Oracle Marketing Cloud

    2021

    New advanced intelligence capabilities within Oracle Eloqua Marketing Automation help deliver more targeted and personalized messages (Oracle, Marketing Automation documentation).

    2015


    Oracle revamps its marketing cloud with new feature sets, including Oracle ID Graph for cross-platform identification of customers, AppCloud Connect, etc. (Forbes, 2015).

    2014

    Oracle announces the launch of the Oracle Marketing Cloud (TechCrunch, 2014).

    2005

    Oracle acquires PeopleSoft, a company that produces human resource management systems, in 2005 for $10.3B (The Economic Times, 2016).

    1982

    Oracle becomes the first company to sell relational database management software (RDBMS). In 1982 it has revenue of $2.5M (Encyclopedia.com).

    Relational Software, Inc (RSI) – later renamed Oracle Corporation – is founded in 1977.

    "Oracle Marketing Cloud offers a comprehensive interwoven and integrated marketing management solution that can help end users launch cross-channel marketing programs and unify all prospect and customer marketing signals within one singular view. Oracle Marketing Cloud ranks consistently high across our SoftwareReviews reports and sustains top scores in overall customer experience rankings at a factor of 9.0. The emotional sentiment of users interacting with Oracle Marketing Cloud is also highly favorable, with Oracle's Emotional Footprint score at +93.

    Users should be aware that some of the reporting mechanisms and report-generation capabilities may not be as mature as those of some of its competitors in the MMS space (e.g. Salesforce, Adobe). Data exportability also presents a challenge in Oracle Marketing Cloud and requires a lot of internal tweaking between end users of the system to function properly. Finally, pricing sensitivity may be a concern for small and mid-sized organizations who may find Oracle's higher-tiered pricing plans to be out of reach. "
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Oracle Marketing Cloud pricing is opaque.
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Marketing Analytics
    • Advanced Campaign Management
    • Email Marketing Automation
    • Social Media Marketing Management

    Areas to Improve:

    • Community Marketing Management
    • Marketing Operations Management
    • Pricing Sensitivity and Vendor Support Model

    This is an image of SoftwareReviews analysis for Salesforce

    history

    This is an image of the Logo for Salesforce Marketing Cloud

    2022

    Salesforce announces sustainability as a core company value (Forbes, 2022).

    2012



    Salesforce unveils Salesforce Marketing Cloud during Dreamforce 2012, with 90,000 registered attendees (Dice, 2012).

    2009

    Salesforce launches Service Cloud, bringing customer service and support automation features to the market (TechCrunch, 2009).

    2003


    The first Dreamforce event is held at the Westin St. Francis hotel in downtown San Francisco
    (Salesforce, 2020).

    2001


    Salesforce delivers $22.4M in revenue for the fiscal year ending January 31, 2002 (Salesforce, 2020).

    Salesforce is founded in 1999.

    "Salesforce Marketing Cloud is a long-term juggernaut of the marketing management software space and is the subject of many Info-Tech member inquiries. It retains strong composite and customer experience (CX) scores in our SoftwareReviews reports. Some standout features of the platform include marketing analytics, advanced campaign management functionalities, email marketing automation, and customer journey management capabilities. In recent years Salesforce has made great strides in improving the overall user experience by investing in new product functionalities such as the Einstein What-If Analyzer, which helps test how your next email campaign will impact overall customer engagement, triggers personalized campaign messages based on an individual user's behavior, and uses powerful real-time segmentation and sophisticated AI to deliver contextually relevant experiences that inspire customers to act.

    On the downside, we commonly see Salesforce's solutions as costlier than competitors' offerings, and its commercial/sales teams tend to be overly aggressive in marketing its solutions without a distinct link to overarching business requirements. "
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Marketing Cloud Basics

    Marketing Cloud Pro

    Marketing Cloud Corporate

    Marketing Cloud Enterprise

    • Starts at $400*
    • Per org/month
    • Personalized promotional email marketing
    • Starts at $1,250*
    • Per org/month
    • Personalized marketing automation with email solutions
    • Starts at $3,750*
    • Per org/month
    • Personalized cross-channel strategic marketing solutions

    "Request a Quote"

    *Pricing correct as of October 2022. Listed in USD and absent discounts. See pricing on vendor's website for latest information.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Email Marketing Automation
    • Marketing Workflow Management
    • Marketing Analytics

    Areas to Improve:

    • Mobile Marketing Management
    • Marketing Operations Management
    • Advanced Data Segmentation

    This is an image of SoftwareReviews analysis for SAP

    history

    This is an image of the Logo for SAP

    2022

    SAP announces the second cycle of the 2022 SAP Customer Engagement Initiative. (SAP Community Blog, 2022).

    2020

    SAP acquires Austrian cloud marketing company Emarsys (TechCrunch, 2020).

    2015

    SAP Digital for Customer Engagement launches in May 2015 (SAP News, 2015).

    2009

    SAP begins branching out into three markets of the future (mobile technology, database technology, and cloud). SAP acquires some of its competitors (e.g. Ariba, SuccessFactors, Business Objects) to quickly establish itself as a key player in those areas (SAP, n.d.).

    1999

    SAP responds to the internet and new economy by launching its mysap.com strategy (SAP, n.d.).

    SAP is founded In 1972.

    "Over the years, SAP has positioned itself as one of the usual suspects across the enterprise applications market. While SAP has a broad range of capabilities within the CRM and customer experience space, it consistently underperforms in many of our user-driven SoftwareReviews reports for MMS and adjacent areas, ranking lower in MMS product feature capabilities such as email marketing automation and advanced campaign management than other mainstream MMS vendors, including Salesforce Marketing Cloud and Adobe Experience Cloud. The SAP Customer Engagement Marketing platform seems decidedly a secondary focus for SAP, behind its more compelling presence across the enterprise resource planning space.

    If you are approaching an MMS selection from a greenfield lens and with no legacy vendor baggage for SAP elsewhere, experience suggests that your needs will be better served by a vendor that places greater primacy on the MMS aspect of their portfolio."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    SAP Customer Engagement Marketing pricing is opaque:
    Request a demo.*

    *Info-Tech recommends reaching out to the vendor's internal sales management team for explicit details on individual pricing plans for the Adobe Marketing Cloud suite.

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Social Media Automation
    • Email Marketing Automation
    • Marketing Analytics

    Areas to Improve:

    • Ease of Data Integration
    • Breadth of Features
    • Marketing Workflow Management

    b

    SoftwareReviews' Enterprise MMS Rankings

    Strengths:

    • Campaign Management
    • Segmentation
    • Email Delivery

    Areas to Improve:

    • Mobile Optimization
    • A/B Testing
    • Content Authoring

    This is an image of SoftwareReviews analysis for ZOHO Campaigns.

    history

    This is an image of the Logo for ZOHO Campaigns

    2021

    Zoho announces CRM-Campaigns sync (Zoho Campaigns Community Learning, 2021).

    2020

    Zoho reaches more than 50M customers in January ( Zippia, n.d.).

    2017

    Zoho launches Zoho One, a comprehensive suite of 40+ applications (Zoho Blog, 2017).

    2012

    Zoho releases Zoho Campaigns (Business Wire, 2012).

    2007

    Zoho expands into the collaboration space with the release of Zoho Docs and Zoho Meetings (Zoho, n.d.).

    2005

    Zoho CRM is released (Zoho, n.d.).

    Zoho platform is founded in 1996.

    "Zoho maintains a long-running repertoire of end-to-end software solutions for business development purposes. In addition to its flagship CRM product, the company also offers Zoho Campaigns, which is an email marketing software platform that enables contextually driven marketing techniques via dynamic personalization, email interactivity, A/B testing, etc. For organizations that already maintain a deep imprint of Zoho solutions, Zoho Campaigns will be a natural extension to their immediate software environment.

    Zoho Campaigns is a great ecosystem play in environments that have a material Zoho footprint. In the absence of an existing Zoho environment, it's prudent to consider other affordable products as well."
    Yaz Palanichamy
    Senior Research Analyst, Info-Tech Research Group

    Free Version

    Standard

    Professional

    • Starts at $0*
    • Per user/month billed annually
    • Up to 2,000 contacts
    • 6,000 emails/month
    • Starts at $3.75*
    • Per user/month billed annually
    • Up to 100,000 contacts
    • Advanced email templates
    • SMS marketing
    • Starts at $6*
    • Per user/month billed annually
    • Advanced segmentation
    • Dynamic content

    *Pricing correct as of October 2022. Listed in USD and absent discounts.

    See pricing on vendor's website for latest information.

    Leverage Info-Tech's research to plan and execute your MMS implementation

    Use Info-Tech's three-phase implementation process to guide your planning:

    1. Assess

    2. Prepare

    3. Govern & Course Correct

    Download Info-Tech's Governance and Management of Enterprise Software Implementation
    Establish and execute an end-to-end, agile framework to succeed with the implementation of a major enterprise application.

    Ensure your implementation team has a high degree of trust and communication

    If external partners are needed, dedicate an internal resource to managing the vendor and partner relationships.

    Communication

    Teams must have some type of communication strategy. This can be broken into:

    • Regularity: Having a set time each day to communicate progress and a set day to conduct retrospectives.
    • Ceremonies: Injecting awards and continually emphasizing delivery of value to encourage relationship building and constructive motivation.
    • Escalation: Voicing any concerns and having someone responsible for addressing them.

    Proximity

    Distributed teams create complexity as communication can break down. This can be mitigated by:

    • Location: Placing teams in proximity to eliminate the barrier of geographical distance and time zone differences.
    • Inclusion: Making a deliberate attempt to pull remote team members into discussions and ceremonies.
    • Communication Tools: Having the right technology (e.g. video conference) to help bring teams closer together virtually.

    Trust

    Members should trust other members are contributing to the project and completing their required tasks on time. Trust can be developed and maintained by:

    • Accountability: Having frequent quality reviews and feedback sessions. As work becomes more transparent, people become more accountable.
    • Role Clarity: Having a clear definition of what everyone's role is.

    Selecting a right-sized MMS platform

    This selection guide allows organizations to execute a structured methodology for picking an MMS platform that aligns with their needs. This includes:

    • Alignment and prioritization of key business and technology drivers for an MMS selection business case.
    • Identification of key use cases and requirements for a right-sized MMS platform.
    • A comprehensive market scan of key players in the MMS market space.

    This formal MMS selection initiative will drive business-IT alignment, identify pivotal sales and marketing automation priorities, and thereby allow for the rollout of a streamlined MMS platform that is highly likely to satisfy all stakeholder needs.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop

    contact your account representative for more information

    workshops@infotech.com

    1-888-670-8889

    Summary of accomplishment

    Knowledge Gained

    • What marketing management is
    • Historical origins of marketing management
    • The future of marketing management
    • Key trends in marketing management suites

    Processes Optimized

    • Requirements gathering
    • RFPs and contract reviews
    • Marketing management suite vendor selection
    • Marketing management platform implementation

    Marketing Management

    • Adobe Experience Cloud
    • Microsoft Dynamics 365 for Marketing
    • HubSpot Marketing Hub
    • Maropost Marketing Cloud
    • Oracle Marketing Cloud

    Vendors Analyzed

    • Salesforce Marketing Cloud
    • SAP
    • Sugar Market
    • Zoho Campaigns

    Related Info-Tech Research

    Select a Marketing Management Suite

    Many organizations struggle with taking a systematic approach to selection that pairs functional requirements with specific marketing workflows, and as a result they choose a marketing management suite (MMS) that is not well aligned to their needs, wasting resources and causing end-user frustration.

    Get the Most Out of Your CRM

    Customer relationship management (CRM) application portfolios are often messy,
    with multiple integration points, distributed data, and limited ongoing end-user training. A properly optimized CRM ecosystem will reduce costs and increase productivity.

    Customer Relationship Management Platform Selection Guide

    Speed up the process to build your business case and select your CRM solution. Despite the importance of CRM selection and implementation, many organizations struggle to define an approach to picking the right vendor and rolling out the solution in an effective and cost-efficient manner.

    Bibliography

    "16 Biggest Tech Acquisitions in History." The Economic Times, 28 July 2016. Web.
    "Adobe Acquires Demdex – Brings Audience Optimization to $109 Billion Global Online Ad Market." Adobe News, 18 Jan 2011. Accessed Nov 2022.
    "Adobe Company History Timeline." Zippia, 9 Sept 2022. Accessed Nov 2022.
    "Adobe to acquire Magento for $1.68B." TechCrunch, 21 May 2018. Accessed Dec 2022.
    Anderson, Meghan Keaney. "HubSpot Launches European Headquarters." HubSpot Company News, 3 Mar 2013.
    Arenas-Gaitán, Jorge, et al. "Complexity of Understanding Consumer Behavior from the Marketing Perspective." Journal of Complexity, vol. 2019, 8 Jan 2019. Accessed Sept 2022.
    Bureau of Labor Statistics. "Advertising, Promotions, and Marketing Managers." Occupational Outlook Handbook. U.S. Department of Labor, 8 Sept 2022. Accessed 1 Nov 2022.
    "Campaigns." Marketing Hub, HubSpot, n.d. Web.
    Conklin, Bob. "Adobe report reveals best marketing practices for B2B growth in 2023 and beyond." Adobe Experience Cloud Blog, 23 Sept 2022. Web.
    "Consumer Behavior Stats 2021: The Post-Pandemic Shift in Online Shopping Habit" Nosto.com, 7 April 2022. Accessed Oct 2022.
    "Data Collection Overview." Experience League, Adobe.com, n.d. Accessed Dec 2022.
    Duduskar, Avinash. "Interview with Tony Chen, CEO at Channel Factory." MarTech Series, 16 June 2017. Accessed Nov 2022.
    "Enhanced Release of SAP Digital for Customer Engagement Helps Anyone Go Beyond CRM." SAP News, 8 Dec. 2015. Press release.
    Fang, Mingyu. "A Deep Dive into Gucci's Metaverse Practice." Medium.com, 27 Feb 2022. Accessed Oct 2022.
    Flanagan, Ellie. "HubSpot Launches Marketing Hub Starter to Give Growing Businesses the Tools They Need to Start Marketing Right." HubSpot Company News, 17 July 2018. Web.
    Fleishman, Hannah. "HubStop Announces Pricing of Initial Public Offering." HubSpot Company News, 8 Oct. 204. Web.
    Fluckinger, Don. "Adobe to acquire Workfront for $1.5 billion." TechTarget, 10 Nov 2020. Accessed Nov 2022.
    Fluckinger, Don. "Microsoft Dynamics 365 adds customer journey orchestration." TechTarget, 2 March 2021. Accessed Nov 2022.
    Green Marketing: Explore the Strategy of Green Marketing." Marketing Schools, 19 Nov 2020. Accessed Oct 2022.
    Ha, Anthony. "Oracle Announces Its Cross-Platform Marketing Cloud." TechCrunch, 30 April 2014. Web.
    Heyd, Kathrin. "Partners Welcome – SAP Customer Engagement Initiative 2022-2 is open for your registration(s)!" SAP Community Blog, 21 June 2022. Accessed Nov 2022.
    HubSpot. "Our Story." HubSpot, n.d. Web.
    Jackson, Felicia. "Salesforce Tackles Net Zero Credibility As It Adds Sustainability As A Fifth Core Value." Forbes, 16 Feb. 2022. Web.
    Kolakowski, Nick. "Salesforce CEO Marc Benioff Talks Social Future." Dice, 19 Sept. 2012. Web.
    Lardinois, Frederic. "Microsoft's Q4 earnings beat Street with $22.6B in revenue, $0.69 EPS." TechCrunch, 19 July 2016. Web.
    Levine, Barry. "G2 Crowd report finds the two email marketing tools with the highest user satisfaction." Venture Beat, 30 July 2015. Accessed Nov 2022.
    Looking Back, Moving Forward: The Evolution of Maropost for Marketing." Maropost Blog, 21 May 2019. Accessed Oct 2022.
    Maher, Sarah. "What's new with HubSpot? Inbound 2022 Feature Releases." Six & Flow, 9 July 2022. Accessed Oct 2022.
    Marketing Automation Provider, Salesfusion, Continues to Help Marketers Achieve Their Goals With Enhanced User Interface and Powerful Email Designer Updates." Yahoo Finance, 10 Dec 2013. Accessed Oct 2022.
    "Maropost Acquires Retail Express for $55 Million+ as it Continues to Dominate the Global Commerce Space." Marapost Newsroom, PRWire.com, 19 Jan 2022. Accessed Nov 2022.
    McDowell, Maghan. "Inside Gucci and Roblox's new virtual world." Vogue Business, 17 May 2021. Web.
    Miller, Ron. "Adobe and Microsoft expand partnership with Adobe Experience Manager and Dynamics 265 Integration." TechCrunch, 3 Nov 2017. Accessed Nov 2022.
    Miller, Ron. "Adobe to acquire Magento for $1.68B" TechCrunch, 21 May 2018. Accessed Nov 2022.
    Miller, Ron. "SAP continues to build out customer experience business with Emarys acquisition." TechCrunch, 1 Oct. 2020. Web.
    Miller, Ron. "SugarCRM moves into marketing automation with Salesfusion acquisition." TechCrunch, 16 May 2019.
    Novet, Jordan. "Adobe confirms it's buying Marketo for $4.75 billion." CNBC, 20 Sept 2018. Accessed Dec 2022.
    "Oracle Corp." Encyclopedia.com, n.d. Web.
    Phillips, James. "April 2019 Release launches with new AI, mixed reality, and 350+ feature updates." Microsoft Dynamics 365 Blog. Microsoft, 2 April 2019. Web.
    S., Aravindhan. "Announcing an important update to Zoho CRM-Zoho Campaigns integration." Zoho Campaigns Community Learning, Zoho, 1 Dec. 2021. Web.
    Salesforce. "The History of Salesforce." Salesforce, 19 March 2020. Web.
    "Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment" GlobeNewswire, 6 May 2016. Accessed Oct 2022. Press release.
    "Salesfusion Integrates With NetSuite CRM to Simplify Sales and Marketing Alignment." Marketwired, 6 May 2016. Web.
    "Salesfusion is Now Sugar Market: The Customer FAQ." SugarCRM Blog, 31 July 2019. Web.
    "Salesfusion's Marketing Automation Platform Drives Awareness and ROI for Education Technology Provider" GlobeNewswire, 25 June 2015. Accessed Nov 2022. Press release.
    SAP. "SAP History." SAP, n.d. Web.
    "State of Marketing." 5th Edition, Salesforce, 15 Jan 2019. Accessed Oct 2022.
    "Success selects Maropost Marketing Cloud for Marketing Automation." Apps Run The World, 10 Jan 2015. Accessed Nov 2022.
    "SugarCRM Acquires SaaS Marketing Automation Innovator Salesfusion." SugarCRM, 16 May 2019. Press release.
    Sundaram, Vijay. "Introducing Zoho One." Zoho Blog, 25 July 2017. Web.
    "The State of MarTech: Is you MarTech stack working for you?" American Marketing Association, 29 Nov 2021. Accessed Oct 2022.
    "Top Marketing Automation Statistics for 2022." Oracle, 15 Jan 2022. Accessed Oct 2022.
    Trefis Team. "Oracle Energizes Its Marketing Cloud With New Features." Forbes, 7 April 2015. Accessed Oct 2022.
    Vivek, Kumar, et al. "Microsoft Dynamics 365 Customer Engagement (on-premises) Help, version 9.x." Learn Dynamics 365, Microsoft, 9 Jan 2023. Web.
    "What's new with HubSpot? Inbound 2022 feature releases" Six and Flow, 9 July 2022. Accessed Nov 2022.
    Widman, Jeff. "Salesforce.com Launches The Service Cloud,, A Customer Service SaaS Application." TechCrunch, 15 Jan. 2009. Web.
    "Zoho History." Zippia, n.d. Web.
    "Zoho Launches Zoho Campaigns." Business Wire, 14 Aug. 2012. Press release.
    Zoho. "About Us." Zoho, n.d. Web.

    Need hands-on assistance?

    Engage Info-Tech for a Software Selection Workshop!

    40 Hours of Advisory Assistance Delivered On-Line or In-Person

    Select Better Software, Faster.

    40 Hours of Expert Analyst Guidance
    Project & Stakeholder Management Assistance
    Save money, align stakeholders, Speed up the process & make better decisions.
    Better, faster results, guaranteed, $25K standard engagement fee

    This is an image of the plan for five advisory calls over a five week period.

    CLICK HERE to book your Workshop Engagement

    Document and Maintain Your Disaster Recovery Plan

    • Buy Link or Shortcode: {j2store}417|cart{/j2store}
    • member rating overall impact (scale of 10): 9.3/10 Overall Impact
    • member rating average dollars saved: $52,224 Average $ Saved
    • member rating average days saved: 38 Average Days Saved
    • Parent Category Name: DR and Business Continuity
    • Parent Category Link: /business-continuity
    • Disaster recovery plan (DRP) documentation is often driven by audit or compliance requirements rather than aimed at the team that would need to execute recovery.
    • Between day-to-day IT projects and the difficulty of maintaining 300+ page manuals, DRP documentation is not updated and quickly becomes unreliable.
    • Inefficient publishing strategies result in your DRP not being accessible during disaster or key staff not knowing where to find the latest version.

    Our Advice

    Critical Insight

    • DR documentation fails when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s too long, too hard to maintain, and ends up being little more than shelf-ware.
    • Using flowcharts, checklists, and diagrams aimed at an IT audience is more concise and effective in a disaster, quicker to create, and easier to maintain.
    • Create your DRP in layers to keep the work manageable. Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

    Impact and Result

    • Create visual and concise DR documentation that strips out unnecessary content and is written for an IT audience – the team that would actually be executing the recovery. Your business leaders can take the same approach to create separate business response plans. Don’t mix the two in an all-in-one plan that is not effective for either audience.
    • Determine a documentation distribution strategy that supports ease of maintenance and accessibility during a disaster.
    • Incorporate DRP maintenance into change management procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

    Document and Maintain Your Disaster Recovery Plan Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should adopt a visual-based DRP, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Streamline DRP documentation

    Start by documenting your recovery workflow. Create supporting documentation in the form of checklists, flowcharts, topology diagrams, and contact lists. Finally, summarize your DR capabilities in a DRP Summary Document for stakeholders and auditors.

    • Document and Maintain Your Disaster Recovery Plan – Phase 1: Streamline DRP Documentation

    2. Select the optimal DRP publishing strategy

    Select criteria for assessing DRP tools, and evaluate whether a business continuity management tool, document management solution, wiki site, or manually distributing documentation is best for your DR team.

    • Document and Maintain Your Disaster Recovery Plan – Phase 2: Select the Optimal DRP Publishing Strategy
    • DRP Publishing and Document Management Solution Evaluation Tool
    • BCM Tool – RFP Selection Criteria

    3. Keep your DRP relevant through maintenance best practices

    Learn how to integrate DRP maintenance into core IT processes, and learn what to look for during testing and during annual reviews of your DRP.

    • Document and Maintain Your Disaster Recovery Plan – Phase 3: Keep Your DRP Relevant Through Maintenance Best Practices
    • Sample Project Intake Form Addendum for Disaster Recovery
    • Sample Change Management Checklist for Disaster Recovery
    • DRP Review Checklist
    • DRP-BCP Review Workflow (Visio)
    • DRP-BCP Review Workflow (PDF)

    4. Appendix: XMPL Case Study

    Model your DRP after the XMPL case study disaster recovery plan documentation.

    • Document and Maintain Your Disaster Recovery Plan – Appendix: XMPL Case Study
    • XMPL DRP Summary Document
    • XMPL Notification, Assessment, and Declaration Plan
    • XMPL Systems Recovery Playbook
    • XMPL Recovery Workflows (Visio)
    • XMPL Recovery Workflows (PDF)
    • XMPL Data Center and Network Diagrams (Visio)
    • XMPL Data Center and Network Diagrams (PDF)
    • XMPL DRP Business Impact Analysis Tool
    • XMPL DRP Workbook
    [infographic]

    Workshop: Document and Maintain Your Disaster Recovery Plan

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Streamline DRP Documentation

    The Purpose

    Teach your team how to create visual-based documentation.

    Key Benefits Achieved

    Learn how to create visual-based DR documentation.

    Activities

    1.1 Conduct a table-top planning exercise.

    1.2 Document your high-level incident response plan.

    1.3 Identify documentation to include in your playbook.

    1.4 Create an initial collection of supplementary documentation.

    1.5 Discuss what further documentation is necessary for recovering from a disaster.

    1.6 Summarize your DR capabilities for stakeholders.

    Outputs

    Documented high-level incident response plan

    List of documentation action items

    Collection of 1-3 draft checklists, flowcharts, topology diagrams, and contact lists

    Action items for ensuring that the DRP is executable for both primary and backup DR personnel

    DRP Summary Document

    2 Select the Optimal DRP Publishing Strategy

    The Purpose

    Learn the considerations for publishing your DRP.

    Key Benefits Achieved

    Identify the best strategy for publishing your DRP.

    Activities

    2.1 Select criteria for assessing DRP tools.

    2.2 Evaluate categories for DRP tools.

    Outputs

    Strategy for publishing DRP

    3 Learn How to Keep Your DRP Relevant Through Maintenance Best Practices

    The Purpose

    Address the common pain point of unmaintained DRPs.

    Key Benefits Achieved

    Create an approach for maintaining your DRP.

    Activities

    3.1 Alter your project intake considerations.

    3.2 Integrate DR considerations into change management.

    3.3 Integrate documentation into performance measurement and performance management.

    3.4 Learn best practices for maintaining your DRP.

    Outputs

    Project Intake Form Addendum Template

    Change Management DRP Checklist Template

    Further reading

    Document and Maintain Your Disaster Recovery Plan

    Put your DRP on a diet – keep it fit, trim, and ready for action.

    ANALYST PERSPECTIVE

    The traditional disaster recovery plan (DRP) “red binder” is dead. It takes too long to create, it’s too hard to maintain, and it’s not usable in a crisis.

    “This blueprint outlines the following key tactics to streamline your documentation effort and produce a better result:

    • Write for an IT audience and focus on how to recover. You don’t need 30 pages of fluff describing the purpose of the document.
    • Use flowcharts, checklists, and diagrams over traditional manuals. This drives documentation that is more concise, easier to maintain, and effective in a crisis.
    • Create your DRP in layers to get tangible results faster, starting with a recovery workflow that outlines your DR strategy, and then build out the specific documentation needed to support recovery.”
    (Frank Trovato, Research Director, Infrastructure, Info-Tech Research Group)

    This project is about DRP documentation after you have clarified your DR strategy; create these necessary inputs first

    These artifacts are the cornerstone for any disaster recovery plan.

    • Business Impact Analysis
    • DR Roles and Responsibilities
    • Recovery Workflow

    Missing a component? Start here. ➔ Create a Right-Sized Disaster Recovery Plan

    This blueprint walks you through building these inputs.
    Our approach saves clients on average US$16,825.22. (Clients self-reported an average saving of US$16,869.21 while completing the Create a Right-Sized Disaster Recovery Plan blueprint through advisory calls, guided implementations, or workshops (Info-Tech Research Group, 2017, N=129).)

    How this blueprint will help you document your DRP

    This Research is Designed For:

    • IT managers in charge of disaster recovery planning (DRP) and execution.
    • Organizations seeking to optimize their DRP using best-practice methodology.
    • Business continuity professionals that are involved with disaster recovery.

    This Research Will Help You:

    • Divide the process of creating DR documentation into manageable chunks, providing a defined scope for you to work in.
    • Identify an appropriate DRP document management and distribution strategy.
    • Ensure that DR documentation is up to date and accessible.

    This Research Will Also Assist:

    • IT managers preparing for a DR audit.
    • IT managers looking to incorporate components of DR into an IT operations document.

    This Research Will Help Them:

    • Follow a structured approach in building DR documentation using best practices.
    • Integrate DR into day-to-day IT operations.

    Executive summary

    Situation

    • DR documentation is often driven by audit or compliance requirements, rather than aimed at the team that would need to execute recovery.
    • Traditional DRPs are text-heavy, 300+ page manuals that are simply not usable in a crisis.
    • Compounding the problem, DR documentation is rarely updated, so it’s just shelf-ware.

    Complication

    • DRP is often given lower priority as day-to-day IT projects displace DR documentation efforts.
    • Inefficient publishing strategies result in your DRP not being accessible during disasters or key staff not knowing where to find the latest version.
    • Organizations that create traditional DRPs end up with massive manuals that are difficult to maintain, so they quickly become unreliable.

    Resolution

    • Create visual and concise DR documentation that strips out unnecessary content and is written for an IT audience – the team that would actually be executing the recovery. Your business leaders can take the same approach to create separate business response plans – don’t mix the two into an all-in-one plan that is not effective for either audience.
    • Determine a documentation distribution strategy that supports ease of maintenance and accessibility during a disaster.
    • Incorporate DRP maintenance into change management and project intake procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

    Info-Tech Insight

    1. DR documentation fails when organizations try to boil the ocean with an all-in-one plan aimed at auditors, business leaders, and IT. It’s too long, too hard to maintain, and ends up being little more than shelf-ware.
    2. Using flowcharts, checklists, and diagrams aimed at an IT audience is more concise and effective in a disaster, quicker to create, and easier to maintain.
    3. Create your DRP in layers to keep the work manageable. Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

    An effective DRP that mitigates a wide range of potential outages is critical to minimizing the impact of downtime

    The criticality of having an effective DRP is underestimated.

    Cost of Downtime for the Fortune 1000
    • Cost of unplanned apps downtime per year: $1.25B to $2.5B
    • Cost of critical apps failure per hour: $500,000 to $1M
    • Cost of infrastructure failure per hour: $100,000
    • 35% reported to have recovered within 12 hours.
    • 17% of infrastructure failures took more than 24 hours to recover.
    • 13% of application failures took more than 24 hours to recover.
    Size of Impact Increasing Across Industries
    • The cost of downtime is rising across the board and not just for organizations that traditionally depend on IT (e.g. e-commerce).
    • Downtime cost increase since 2010:
      • Hospitality: 129% increase
      • Transportation: 108% increase
      • Media organizations: 104% increase
    Potential Lost Revenue
    A line graph of Potential Lost Revenue with vertical axis 'LOSS ($)' and horizontal axis 'TIME'. The line starts with low losses near the origin where 'Incident Occurs', gradually accelerates to higher losses as time passes, then decelerates before 'All Revenue Lost'. Note: 'Delay in recovery causes exponential revenue loss'.
    (Adapted from: Rothstein, Philip Jan. Disaster Recovery Testing: Exercising Your Contingency Plan (2007 Edition).)

    The impact of downtime increases significantly over time, not just in terms of lost revenue (as illustrated here) but also goodwill/reputation and health/safety. An effective DR solution and overall resiliency that mitigate a wide range of potential outages are critical to minimizing the impact of downtime.

    Without an effective DRP, your organization is gambling on being able to define and implement a recovery strategy during a time of crisis. At the very least, this means extended downtime – potentially weeks – and substantial impact.

    Only 38% of those with a full or mostly complete DRP believe their DRPs would be effective in a real crisis

    Organizations continue to struggle with creating DRPs, let alone making them actionable.

    Why are so many living with either an incomplete or ineffective DRP? For the same reasons that IT documentation in general continues to be a pain point:

    • It is an outdated model of what documentation should be – the traditional manual with detailed (lengthy) descriptions and procedures.
    • Despite the importance of DR, low priority is placed on creating a DRP and the day-to-day SOPs required to support a recovery.
    • There is a lack of effective processes for ensuring documentation stays up to date.
    A bar graph documenting percentages of survey responses about the completeness of their DRP. 'Only 20% of survey respondents indicated they have a complete DRP'. 13% said 'No DRP'. 33% said 'Partial DRP'. 34% said 'Mostly Completed'. 20% said 'Full DRP'.
    (Source: Info-Tech Research Group, N=165)
    A bar graph documenting percentages of survey responses about the level of confidence in their DRP. 'Only 38% of those who have a mostly completed or full DRP actually feel it would be effective in a crisis'. 4% said 'Low'. 58% said 'Unsure'. 38% said 'Confident'.
    (Source: Info-Tech Research Group, N=69 (includes only those who indicated DRP is mostly completed or completed))

    Improve usability and effectiveness with visual-based and more-concise documentation

    Choose flowcharts over process guides, checklists over lengthy procedures, and diagrams over descriptions.

    If you need a three-inch binder to hold your DRP, imagine having to flip through it to determine next steps during a crisis.

    DR documentation needs to be concise, scannable, and quickly understood to be effective. Visual-based documentation meets these requirements, so it’s no surprise that it also leads to higher DR success.

    DR success scores are based on:

    • Meeting recovery time objectives (RTOs).
    • Meeting recovery point objectives (RPOs).
    • IT staff’s confidence in their ability to meet RTOs/RPOs.
    A line graph of DR documentation types and their effectiveness. The vertical axis is 'DR Success', from Low to High. The horizontal axis is Documentation Type, from 'Traditional Manual' to 'Primarily flowcharts, checklists, and diagrams'. The line trends up to higher success with visual-based and more-concise documentation.(Source: Info-Tech Research Group, N=95)

    “Without question, 300-page DRPs are not effective. I mean, auditors love them because of the detail, but give me a 10-page DRP with contact lists, process flows, diagrams, and recovery checklists that are easy to follow.” (Bernard Jones, MBCI, CBCP, CORP, Manager Disaster Recovery/BCP, ActiveHealth Management)

    Maintainability is another argument for visual-based, concise documentation

    There are two end goals for your DR documentation: effectiveness and maintainability. Without either, you will not have success during a disaster.

    Organizations using a visual-based approach were 30% more likely to find that DR documentation is easy to maintain. “Easy to maintain” leads to a 46% higher rate of DR success.
    Two bar graphs documenting survey responses regarding maintenance ease of DR documentation types. The first graph compares Traditional Manual vs Visual-based. For 'Traditional Manual' 72% responded they were Difficult to maintain while 28% responded they were Easy to maintain; for 'Visual-based' 42% responded they were Difficult to maintain while 58% responded they were Easy to maintain. Visual-based DR documentation received 30% more votes for Easy to Maintain. The second graph compares success rates of 'Difficult to Maintain' vs 'Easy to Maintain' DR documentation with Difficult being 31% and Easy being 77%, a 46% difference. 'Source: Info-Tech Research Group, N=96'.

    Not only are visual-based disaster recovery plans more effective, but they are also easier to maintain.

    Overcome documentation inertia with a tiered model that allows you to eat the elephant one bite at a time

    Start with a recovery workflow to at least ensure a coordinated response. Then use that workflow to determine required supporting documentation.

    Recovery Workflow: Starting the project with overly detailed documentation can slow down the entire process. Overcome planning inertia by starting with high-level incident response plans in a flowchart format. For examples and additional information, see XMPL Medical’s Recovery Workflows.

    Recovery Procedures (Systems Recovery Playbook): For each step in the high-level flowchart, create recovery procedures where necessary using additional flowcharts, checklists, and diagrams as appropriate. Leverage Info-Tech’s Systems Recovery Playbook example as a starting point.

    Additional Reference Documentation: Reference existing IT documentation, such as network diagrams and configuration documents, as well as more detailed step-by-step procedures where necessary (e.g. vendor documentation), particularly where needed to support alternate recovery staff who may not be as well versed as the primary system owners.

    Info-Tech Insight

    Organizations that use flowcharts, checklist, and diagrams over traditional, dense DRP manuals are far more likely to meet their RTOs/RPOs because their documentation is more usable and easier to maintain.

    Use a DRP summary document to satisfy executives, auditors, and clients

    Stakeholders don’t have time to sift through a pile of paper. Summarize your overall continuity capabilities in one, easy-to-read place.

    DRP Summary Document

    • Summarize BIA results
    • Summarize DR strategy (including DR sites)
    • Summarize backup strategy
    • Summarize testing and maintenance plans

    Follow Info-Tech’s methodology to make DRP documentation efficient and effective

    Phases

    Phase 1: Streamline DRP documentation Phase 2: Select the optimal DRP publishing strategy Phase 3: Keep your DRP relevant through maintenance best practices

    Phases

    1.1

    Start with a recovery workflow

    2.1

    Decide on a publishing strategy

    3.1

    Incorporate DRP maintenance into core IT processes

    1.2

    Create supporting DRP documentation

    3.2

    Conduct an annual focused review

    1.3

    Write the DRP Summary

    Tools and Templates

    End-to-End Sample DRP DRP Publishing Evaluation Tool Project In-take/Request Form

    Change Management Checklist

    Follow XMPL Medical’s journey through DR documentation

    CASE STUDY

    Industry Healthcare
    Source Created by amalgamating data from Info-Tech’s client base

    Streamline your documentation and maintenance process by following the approach outlined in XMPL Medical’s journey to an end-to-end DRP.

    Outline of the Disaster Recovery Plan

    XMPL’s disaster recovery plan includes its business impact analysis and a subset of tier 1 and tier 2 patient care applications.

    Its DRP includes incident response flowcharts, system recovery checklists, and a communication plan. Its DRP also references IT operations documentation (e.g. asset management documents, system specs, and system configuration docs), but this material is not published with the example documentation.

    Resulting Disaster Recovery Plan

    XMPL’s DRP includes actionable documents in the form of high-level disaster response plan flowcharts and system recovery checklists. During an incident, the DR team is able to clearly see the items for which they are responsible.

    Disaster Recovery Plan
    • Recovery Workflow
    • Business Impact Analysis
    • DRP Summary
    • System Recovery Checklists
    • Communication, Assessment, and Disaster Declaration Plan

    Info-Tech Best Practice

    XMPL Medical’s disaster recovery plan illustrates an effective DRP. Model your end-to-end disaster recovery plan after XMPL’s completed templates. The specific data points will differ from organization to organization, but the structure of each document will be similar.

    Model your disaster recovery documentation off of our example

    CASE STUDY

    Industry Healthcare
    Source Created by amalgamating data from Info-Tech’s client base

    Recovery Workflow:

    • Recovery Workflows (PDF, VSDX)

    Recovery Procedures (Systems Recovery Playbook):

    • DR Notification, Assessment, and Disaster Declaration Plan
    • Systems Recovery Playbook
    • Network Topology Diagrams

    Additional Reference Documentation:

    • DRP Workbook
    • Business Impact Analysis
    • DRP Summary Document

    Use Info-Tech’s DRP Maturity Scorecard to evaluate your progress

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Document and Maintain Your Disaster Recovery Plan – Project Overview

    1. Streamline DRP Documentation 2. Select the Optimal DRP Publishing Strategy 3. Keep Your DRP Relevant
    Supporting Tool icon
    Best-Practice Toolkit

    1.1 Start with a recovery workflow

    1.2 Create supporting DRP documentation

    1.3 Write the DRP summary

    2.1 Create Committee Profiles

    3.1 Build Governance Structure Map

    3.2 Create Committee Profiles

    Guided Implementations
    • Review Info-Tech’s approach to DRP documentation.
    • Create a high-level recovery workflow.
    • Create supporting DRP documentation.
    • Write the DRP summary.
    • Identify criteria for selecting a DRP publishing strategy.
    • Select a DRP publishing strategy.
    • Optional: Select requirements for a BCM tool and issue an RFP.
    • Optional: Review responses to RFP.
    • Learn best practices for integrating DRP maintenance into day-to-day IT processes.
    • Learn best practices for DRP-focused reviews.
    Associated Activity icon
    Onsite Workshop
    Module 1:
    Streamline DRP documentation
    Module 2:
    Select the optimal DRP publishing strategy
    Module 3:
    Learn best practices for keeping your DRP relevant
    Phase 1 Outcome:
    • A complete end-to-end DRP
    Phase 2 Outcome:
    • Selection of a publishing and management tool for your DRP documentation
    Phase 3 Outcome:
    • Strategy for maintaining your DRP documentation

    Workshop Overview Associated Activity icon

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Info-Tech Analysts Finalize Deliverables
    Activities
    Assess DRP Maturity and Review Current Capabilities

    0.1 Assess current DRP maturity through Info-Tech’s Maturity Scorecard.

    0.2 Identify the IT systems that support mission-critical business activities, and select 2 or 3 key applications to be the focus of the workshop.

    0.3 Identify current recovery strategies for selected applications.

    0.4 Identify current DR challenges for selected applications.

    Document Your Recovery Workflow

    1.1 Create a recovery workflow: review tabletop planning, walk through DR scenarios, identify DR gaps, and determine how to fill them.

    Create Supporting Documentation

    1.2 Create supporting DRP documentation.

    1.3 Write the DRP summary.

    Establish a DRP Publishing, Management, and Maintenance Strategy

    2.1 Decide on a publishing strategy.

    3.1 Incorporate DRP maintenance into core IT.

    3.2 Considerations for reviewing your DRP regularly.

    Deliverables
    1. Baseline DRP metric (based on DRP Maturity Scorecard)
    1. High-level DRP workflow
    2. DRP gaps and risks identified
    1. Recovery workflow and/or checklist for sample of IT systems
    2. Customized DRP Summary Template
    1. Strategy for selecting a DRP publishing tool
    2. DRP management and maintenance strategy
    3. Workshop summary presentation deck

    Workshop Goal: Learn how to document and maintain your DRP.

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members, who will come onsite to facilitate a workshop for your organization.


    Phase 1: Streamline DRP Documentation

    Step 1.1: Start with a recovery workflow

    PHASE 1
    PHASE 2
    PHASE 3
    1.1 1.2 1.3 2.1 3.1 3.2
    Start with a Recovery Workflow Create Supporting Documentation Write the DRP Summary Select DRP Publishing Strategy Integrate into Core IT Processes Conduct an Annual Focused Review

    This step will walk you through the following activities:

    • Review a model DRP.
    • Review your recovery workflow.
    • Identify documentation required to support the recovery workflow.

    This step involves the following participants:

    • DRP Owner
    • System SMEs
    • Alternate DR Personnel

    Outcomes of this step

    • Understanding the visual-based, concise approach to DR documentation.
    • Creating a recovery workflow that provides a roadmap for coordinating incident response and identifying required supporting documentation.

    Info-Tech Insights

    A DRP is a collection of procedures and supporting documents that allow an organization to recover its IT services to minimize system downtime for the business.

    1.1 — Start with a recovery workflow to ensure a coordinated response and identify required supporting documentation

    The recovery workflow clarifies your DR strategy and ensures the DR team is on the same page.

    Recovery Workflow

    The recovery workflow maps out the incident response plan from event detection, assessment, and declaration to systems recovery and validation.

    This documentation includes:

    • Clarifying initial incident response steps.
    • Clarifying the order of systems recovery and which recovery actions can occur concurrently.
    • Estimating actual recovery timeline through each stage of recovery.
    Recovery Procedures (Playbook)
    Additional Reference Documentation

    “We use flowcharts for our declaration procedures. Flowcharts are more effective when you have to explain status and next steps to upper management.” (Assistant Director-IT Operations, Healthcare Industry)

    Review business impact analysis (BIA) results to plan your recovery workflow

    The BIA defines system criticality from the business’s perspective. Use it to guide system recovery order.

    Specifically, review the following from your BIA:

    • The list of tier 1, 2, and 3 applications. This will dictate the recovery order in your recovery workflow.
    • Application dependencies. This will outline what needs to be included as part of an application recovery workflow.
    • The recovery time objective (RTO) and recovery point objective (RPO) for each application. This will also guide the recovery, and enable you to identify gaps where the recovery workflow does not meet RTOs and RPOs.

    CASE STUDY: The XMPL DRP documentation is based on this Business Impact Analysis Tool.

    Haven’t conducted a BIA? Use Info-Tech’s streamlined approach.

    Info-Tech’s publication Create a Right-Sized Disaster Recovery Plan takes a very practical approach to BIA work. Our process gives IT leaders a mechanism to quickly get agreement on system recovery order and DR investment priorities.

    Conduct a tabletop planning exercise to determine your recovery workflow

    Associated Activity icon 1.1.1 Tabletop Planning Exercise

    1. Define a scenario to drive the tabletop planning exercise:
      • Use a scenario that forces a full failover to your DR environment, so you can capture an end-to-end recovery workflow.
      • Avoid scenarios that impact health and safety such as tornados or a fire. You want to focus on IT recovery.
      • Example scenarios: Burst water pipe that causes data-center-wide damage or a gas leak that forces evacuation and power to be shut down for at least two days.

    Note: You may have already completed this exercise as part of Create a Right-Sized Disaster Recovery Plan.

    Info-Tech Insight

    Use scenarios to provide context for DR planning, and to test your plans, but don’t create a separate plan for every possibility.

    The high-level recovery plan will be the same whether the incident is a fire, flood, or tornado. While there might be some variances and outliers, these scenarios can be addressed by adding decision points and/or separate, supplementary instructions.

    Walk through the scenario and capture the recovery workflow

    Associated Activity icon 1.1.2 Tabletop Planning Exercise
    1. Capture the following information for tier 1, tier 2, and tier 3 systems:
      1. On white cue cards, record the steps and track start and end times for each step (where 00:00 is when the incident occurred).
      2. On yellow cue cards, document gaps in people, process, and technology requirements to complete the step.
      3. On red cue cards, indicate risks (e.g. no backup person for a key staff member).

    Note:

    • Ensure the language is sufficiently genericized (e.g. refer to events, not specifically a burst water pipe).
    • Review isolated failures (e.g. hardware, software). Typically, the recovery procedure documented for individual systems covers the essence of the recovery workflow whether it’s just the one system that failed or it’s part of a site-wide recovery.

    Note: You may have already completed this exercise as part of Create a Right-Sized Disaster Recovery Plan.

    Document your current-state recovery workflow based on the results of the tabletop planning

    Supporting Tool icon 1.1.2 Incident Response Plan Flowcharts, Tabs 2 and 3

    After you finish the tabletop planning exercise, the steps on the set of cue cards define your recovery workflow. Capture this in a flowchart format.

    Use the sample DRP to guide your own flowchart. Some notes on the example are:

    • XMPL’s Incident Management to DR flowchart shows the connection between its standard Service Desk processes and DR processes.
    • XMPL’s high-level workflows outline its recovery of tier 1, 2, and 3 systems.
    • Where more detail is required, include links to supporting documentation. In this example, XMPL Medical includes links to its Systems Recovery Playbook.
    Preview of an Info-Tech Template depicting a sample flowchart.

    This sample flowchart is included in XMPL Recovery Workflows.

    Step 1.2: Create Supporting DRP Documentation

    PHASE 1
    PHASE 2
    PHASE 3
    1.11.21.32.13.13.2
    Start with a Recovery WorkflowCreate Supporting DocumentationWrite the DRP SummarySelect DRP Publishing StrategyIntegrate into Core IT ProcessesConduct an Annual Focused Review

    This step will walk you through the following activities:

    • Create checklists for your playbook.
    • Document more complex procedures with flowcharts.
    • Gather and/or write network topology diagrams.
    • Compile a contact list.
    • Ensure there is enough material for backup personnel.

    This step involves the following participants:

    • DRP Owner
    • System SMEs
    • Backup DR Personnel

    Outcomes of this step

    • Actionable supporting documentation for your disaster recovery plan.
    • Contact list for IT personnel, business personnel, and vendor support.

    1.2 — Create supporting documentation for your disaster recovery plan

    Now that you have a high-level incident response plan, collect the information you need for executing that plan.

    Recovery Workflow

    Write your recovery procedures playbook to be effective and usable. Your playbook documentation should include:

    • Supplementary flowcharts
    • Checklists
    • Topology diagrams
    • Contact lists
    • DRP summary

    Reference vendors’ technical information in your flowcharts and checklists where appropriate.

    Recovery Procedures (Playbook)

    Additional Reference Documentation

    Info-Tech Insight

    Write for your audience. The playbook is for IT; include only the information they need to execute the plan. DRP summaries are for executives and auditors; do not include information intended for IT. Similarly, your disaster recovery plan is not for business units; keep BCP content out of your DRP.

    Use checklists to streamline step-by-step procedures

    Supporting Tool icon 1.2.1 XMPL Medical’s System Recovery Checklists

    Checklists are ideal when staff just need a reminder of what to do, not how to do it.

    XMPL Medical used its high-level flowcharts as a roadmap for creating its Systems Recovery Playbook.

    • Since its Playbook is intended for experienced IT staff, the writing style in the checklists is concise. XMPL includes links to reference material to support recovery, especially for alternate staff who might need additional instruction.
    • XMPL includes key parameters (e.g. IP addresses) rather than assume those details would be memorized, especially in a stressful DR scenario.
    • Similarly, include links to other useful resources such as VM templates.
    Preview of the Info-Tech Template 'Systems Recovery Playbook'.

    Included in the XMPL Systems Recovery Playbook are checklists for recovering XMPL’s virtual desktop infrastructure, mission-critical applications, and core infrastructure components.

    Use flowcharts to document processes with concurrent tasks not easily captured in a checklist

    Supporting Tool icon 1.2.2 XMPL Medical’s Phone Services Recovery Flowchart

    Recovery procedures can consist of flowcharts, checklists, or both, as well as diagrams. The main goal is to be clear and concise.

    • XMPL Medical created a flowchart to capture its phone services recovery procedure to capture concurrent tasks.
    • Additional instructions, where required, could still be captured in a Playbook checklist or other supporting documentation.
    • The flowchart could have also included key settings or other details as appropriate, particularly if the DR team chose to maintain this recovery procedure just in a flowchart format.
    Preview of the Info-Tech Template 'Recovery Workflows'.

    Included in the XMPL DR documentation is an example flowchart for recovering phone systems. This flowchart is in Recovery Workflows.

    Reference this blueprint for more SOP flowchart examples: Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind

    Use topology diagrams to capture network layout, integrations, and system information

    Supporting Tool icon 1.2.4 XMPL Medical’s Data Center and Network Diagrams

    Topology diagrams, key checklists, and configuration settings are often enough for experienced networking staff to carry out their DR tasks.

    • XMPL Medical includes these diagrams with its DRP. Instead of recreating these diagrams, the XMPL Medical DR Manager asked their network team for these diagrams:
      • Primary data center diagram
      • DR site diagram
      • High-level network diagrams
    • Often, organizations already have network topology diagrams for reference purposes.

    “Our network engineers came to me and said our standard SOP template didn't work for them. They're now using a lot of diagrams and flowcharts, and that has worked out better for them.” (Assistant Director-IT Operations, Healthcare Industry)

    Preview of the Info-Tech Template 'Systems Recovery Playbook'.

    You can download a PDF and a VSD version of these Data Center and Network Diagrams from Info-Tech’s website.

    Create a list of organizational, IT, and vendor contacts that may be required to assist with recovery

    If there is something strange happening to your IT infrastructure, who you gonna call?

    Many DR managers have their team on speed dial. However, having the contact info of alternate staff, BCP leads, and vendors can be very helpful during a disaster. XMPL Medical lists the following information in its DRP Workbook:

    • The DR Teams, SMEs critical to disaster recovery, their backups, and key contacts (e.g. BC Management team leads, vendor contacts) that would be involved in:
      • Declaring a disaster.
      • Coordinating a response at an organizational level.
      • Executing recovery.
    • The people that have authority to declare a disaster.
    • Each person’s spending authority.
    • The rules for delegating authority.
    • Primary and alternate staff for each role.
    Example list of alternate staff, BCP leads, and vendors.

    Confirm with your DR team that you have all of the documentation that you need to recover during a disaster

    Associated Activity icon 1.2.7 Group Discussion

    DISCUSS: Is there enough information in your DRP for both primary and backup DR personnel?

    • Is it clear who is responsible for each DR task, including notification steps?
    • Have alternate staff for each role been identified?
    • Does the recovery workflow capture all of the high-level steps?
    • Is there enough documentation for alternate staff (e.g. network specs)?

    Step 1.3: Write the DRP Summary

    PHASE 1
    PHASE 2
    PHASE 3
    1.11.21.32.13.13.2
    Start with a Recovery WorkflowCreate Supporting DocumentationWrite the DRP SummarySelect DRP Publishing StrategyIntegrate into Core IT ProcessesConduct an Annual Focused Review

    This step will walk you through the following activities:

    • Write a DRP summary document.

    This step involves the following participants:

    • DRP Owner

    Outcomes of this step

    • High-level outline of your DRP capabilities for stakeholders such as executives, auditors, and clients.

    Summarize your DR capabilities using a DRP summary document

    Supporting Tool icon 1.3.1 DRP Summary Document

    The sample included on Info-Tech’s website is customized for the XMPL Medical Case Study – use the download as a starting point for your own summary document.

    DRP Summary Document

    XMPL’s DRP Summary is organized into the following categories:

    • DR requirements: This includes a summary of scope, business impact analysis (BIA), risk assessment, and high-level RTOs and achievable RTOs.
    • DR strategy: This includes a summary of XMPL’s recovery procedures, DR site, and backup strategy.
    • Testing and maintenance: This includes a summary of XMPL’s DRP testing and maintenance strategy.

    Be transparent about existing business risks in your DRP summary

    The DRP summary document is business facing. Include information of which business leaders (and other stakeholders) need to be aware.

    • Discrepancies between desired and achievable RTOs? Organizational leadership needs to know this information. Only then can they assign the resources and budget that IT needs to achieve the desired DR capabilities.
    • What is the DRP’s scope? XMPL Medical lists the IT components that will be recovered during a disaster, and components which will not. For instance, XMPL’s DRP does not recover medical equipment, and XMPL has separate plans for business continuity and emergency response coordination.
    Application tier Desired RTO (hh:mm) Desired RPO (hh:mm) Achievable RTO (hh:mm) Achievable RPO (hh:mm)
    Tier 1 4:00 1:00 *90:00 1:00
    Tier 2 8:00 1:00 *40:00 1:00
    Tier 3 48:00 24:00 *96:00 24:00

    The above table to is a snippet from the XMPL DR Summary Document (section 2.1.3.2).

    In the example, the DR team is unable to recover tier 1, 2, and 3 systems within the desired RTO. As such, they clearly communicate this information in the DRP summary, and include action items to address these gaps.

    Phase 2: Select the Optimal DRP Publishing Strategy

    Step 2.1: Select a DRP Publishing Strategy

    PHASE 1
    PHASE 2
    PHASE 3
    1.11.21.32.13.13.2
    Start with a Recovery WorkflowCreate Supporting DocumentationWrite the DRP SummarySelect DRP Publishing StrategyIntegrate into Core IT ProcessesConduct an Annual Focused Review

    This step will walk you through the following activities:

    • Select criteria for assessing DRP tools.
    • Evaluate categories for DRP tools.
    • Optional: Write an RFP for a BCM tool.

    This step involves the following participants:

    • DRP Owner

    Outcomes of this step

    • Identified strategies for publishing your DRP (i.e. making it available to your DR team).

    Info-Tech Insights

    Diversify your publishing strategy to ensure you can access your DRP in a disaster. For example, if you are using a BCM tool or SharePoint Online as your primary documentation repository, also push the DRP to your DR team’s smartphones as a backup in case the disaster affects internet access.

    2.1 — Select a DR publishing and document management strategy that fits your organization

    Publishing and document management considerations:

    Portability/External Access: Assume your primary site is down and inaccessible. Can you still access your documentation? As shown in this chart, traditional strategies of either keeping a copy at another location (e.g. at the failover site) or with staff (e.g. on a USB drive) still dominate, but these aren’t necessarily the best options.
    A bar chart titled 'Portability Strategy Popularity'. 'External Website (wiki site, cloud-based DRP tool, etc.)' scored 16%. 'Failover Site (network drive or redundant SharePoint, etc.)' scored 53%. 'Distribute to Staff (use USB drive, personal email, etc.)' scored 50%. 'Not Accessible Offsite' scored 7%.
    Note: Percentages total more than 100% due to respondents using more than one portability strategy.
    (Source: Info-Tech Research Group, N=118)
    Maintainability/Usability: How easy is it to create, update, and use the documentation? Is it easy to link to other documents as shown in the flowchart and checklist examples? Is there version control? Lack of version control can create a maintenance nightmare as well as issues in a crisis if staff are questioning whether they have the right version.
    Cost/Effort: Is the cost and effort appropriate? For example, a large enterprise may need a formal solution (e.g. DRP tools or SharePoint), but the cost might be hard to justify for a smaller company.

    Pros and cons of potential strategies

    This section will review the following strategies, their pros and cons, and how they meet publishing and document management requirements:

    • DRP tools (e.g. eBRP, Recovery Planner, LDRPS)
    • In-house solutions combining SharePoint and MS Office (or equivalent)
    • Wiki site
    • “Manual” approaches such as storing documents on a USB drive

    Avoid 42 hours of downtime due to a non-diversified publishing strategy

    CASE STUDY

    Industry Municipality
    Source Interview

    Situation

    • A municipal government has recently completed an end-to-end disaster recovery plan.
    • The team is feeling good about the fact that they were able to identify:
      • Relative criticality of applications.
      • Dependencies for each application.
      • Incident response plans for the current state and desired state.
      • System recovery procedures.

    Challenge

    • While the DR plan itself was comprehensive, the team only published the DR onto the government’s network drives.
    • A power generation issue caused power to be shut down, which in turn cascaded into downtime for the network.
    • Once the network was down, their DRP was inaccessible.

    Insights

    • Each piece of documentation that was created could have contributed to recovery efforts. However, because they were inaccessible, there was a delayed response to the incident. The result was 42 hours of downtime for end users.
    • Having redundant publishing strategies is just like having redundant IT infrastructure. In the event of downtime, not only do you need to have DR documentation, but you also need to make sure that it is accessible.

    Decide on a DR publishing strategy by looking at portability, maintainability, cost, and required effort

    Supporting Tool icon 2.1.1 DRP Publishing and Management Evaluation Tool

    Use the information included in Step 2.1 to guide your analysis of DRP publishing solutions.

    The tool enables you to compare two possible solutions based on these key considerations discussed in this section:

    • Portability/external access
    • Maintainability/usability
    • Cost
    • Effort

    The right choice will depend on factors such as current in-house tools, maturity around document management, the size of your IT department, and so on.

    For example, a small shop may do very well with the USB drive strategy, whereas a multi-national company will need a more formal strategy to manage consistent DRP distribution.

    Preview of Info-Tech's 'DRP Publishing and Management Solution Evaluation Tool'.

    The DRP Publishing and Management Solution Evaluation Tool helps you to evaluate the tools included in this section.

    Don’t think of a business continuity management (BCM) tool as a silver bullet; know what you’re getting out of it

    Portability/External Access:
    • Pros: Typically a SaaS option provides built-in external access with appropriate security and user administration to vary access rights.
    • Cons: Degree of external access is often dependent on the vendor.
    Maintainability/Usability:
    • Pros: Built-in templates encourage consistency and guide initial content development by indicating what details need to be captured.
    • Pros: Built-in document management (e.g. version control, metadata support), centralized access/navigation to required documents, and some automation (e.g. update contacts throughout the system).
    • Cons: Not a silver bullet. You still have to do the work to define and capture your processes.
    • Cons: Requires end-user and administrator training.
    Cost/Effort:
    • Pros: For large enterprises, the convenience of built-in document management and templates can outweigh the cost.
    • Cons: Expect leading DRP tools to cost $20K or more per year.

    About this approach:
    BCM tools are solutions that provide templates, tools, and document management to create BC and DR documentation.

    Info-Tech Insight

    The business case for a BCM tool is built by answering the following questions:

    • Will the BCM tool solve an unmet need?
    • Will the tool be more effective and efficient than an in-house solution?
    • Will the solution provide enhanced capabilities that an in-house solution cannot provide?

    If you cannot get a satisfactory answer to each of these questions, then opt for an in-house solution.

    “We explored a DRP tool, and it was something we might have used, but it was tens of thousands of pounds per year, so it didn’t stack up financially for us at all.” (Rik Toms, Head of Strategy – IP and IT, Cable and Wireless Communications)

    For in-house solutions, leverage tools such as SharePoint to provide document management capabilities

    Portability/External Access:
    • Pros: SharePoint is commonly web-enabled and supports external access with appropriate security and user administration.
    • Cons: Must be installed at redundant sites or be cloud-based to be effective in a crisis that takes down your primary data center.
    Maintainability/Usability:
    • Pros: Built-in document management (e.g. version control, metadata support) as well as centralized access/navigation to required documents.
    • Pros: No tool learning curve – SharePoint and MS Office would be existing solutions already used on a daily basis.
    • Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
    • Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.
    Cost/Effort:
    • Pros: Using existing tools, so this is a sunk cost in terms of capex.
    • Cons: Additional effort required to create templates and manage the documentation library.

    About this approach:
    DRPs and SOPs most often start as MS Office documents, even if there is a DRP tool available. For organizations that elect to bypass a formal DRP tool, and most do, the biggest gap they have to overcome is document management.

    Many organizations are turning to SharePoint to meet this need. For those that already have SharePoint in place, it makes sense to further leverage SharePoint for DR documentation and day-to-day SOPs.

    For SharePoint to be a practical solution, the documentation must still be accessible if the primary data center is down, e.g. by having redundant SharePoint instances at multiple in-house locations, or using a cloud-based SharePoint solution.

    “Just about everything that a DR planning tool does, you can do yourself using homegrown solutions or tools that you're already familiar with such as Word, Excel, and SharePoint.” (Allen Zuk, President and CEO, Sierra Management Consulting)

    A healthcare company uses SharePoint as its DRP and SOP documentation management solution

    CASE STUDY Healthcare

    • This organization is responsible for 50 medical facilities across three states.
    • It explored DRP tools, but didn’t find the right fit, so it has developed an in-house solution based in SharePoint. While DRP tools have improved, the organization no longer needs that type of solution. Its in-house solution is meeting its needs.
    • It has SharePoint instances at multiple locations to ensure availability if one site is down.

    Documentation Strategy

    • Created an IT operations library in SharePoint for DR and SOPs, from basic support to bare-metal restore procedures.
    • SOPs are linked from SharePoint to the virtual help desk for greater accessibility.
    • Where practical, diagrams and flowcharts are used, e.g. DR process flowcharts and network services SOPs dominated by diagrams and flowcharts.

    Management Strategy

    • Directors and the CIO have made finishing off SOPs their performance improvement objective for the year. The result is staff have made time to get this work done.
    • Status updates are posted monthly, and documentation is a regular agenda item in leadership meetings.
    • Regular tabletop testing validates documentation and ensures familiarity with procedures, including where to find required information.

    Results

    • Dependency on a few key individuals has been reduced. All relevant staff know what they need to do and where to access required documentation.
    • SOPs are enabling DR training as well as day-to-day operations training for new staff.
    • The organization has a high confidence in its ability to recovery from a disaster within established timelines.

    Explore using a wiki site as an inexpensive alternative to SharePoint and other content management solutions

    Portability/External Access:
    • Pros: Wiki sites can support external access as with any web solution.
    • Cons: Must be installed at redundant sites, hosted, or cloud-based to be effective in a crisis that takes down your primary data center.
    Maintainability/Usability:
    • Pros: Built-in document management (version control, metadata support, etc.) as well as centralized access/navigation to required information.
    • Pros: Authorized users can make updates dynamically, depending on how much restriction you have on the site.
    • Cons: No built-in automation (e.g. automated updates to contacts throughout the system).
    • Cons: Consistency depends on creating templates and implementing processes for document updates, review, and approval.
    Cost/Effort:
    • Pros: An inexpensive option compared to traditional content management solutions such as SharePoint.
    • Cons: Learning curve if wikis are new to your organization.

    About this approach:
    Wiki sites are websites where users collaborate to create and edit the content. Wikipedia is an example.

    While wiki sites are typically used for collaboration and dynamic content development, the traditional collaborative authoring model can be restricted to provide structure and an approval process.

    Several tools are available to create and manage wiki sites (and other collaboration solutions), as outlined in the following research:

    Info-Tech Insight

    If your organization is not already using wiki sites, this technology can introduce a culture shock. Start slow by using a wiki site within a specific department or for a particular project. Then evaluate how well your staff adapt to this technology as well as its potential effectiveness in your organization. Refer to our collaboration strategy research for additional guidance.

    For small IT shops, distributing documentation to key staff (e.g. via a USB drive) can still be effective

    Portability/External Access:
    • Pros: Appropriate staff have the documentation with them; there is no need to log into a remote site or access a tool to get at the information.
    • Cons: Relies on staff to be diligent about ensuring they have the latest documentation and keep it with them (not leave it in their desk drawer).
    Maintainability/Usability:
    • Pros: With this strategy, MS Office (or equivalent) is used to create and maintain the documentation, so there is no learning curve.
    • Pros: Simple, straightforward methodology – keep the master on a network drive, and download a copy to your USB drive.
    • Cons: No built-in automation (e.g. automated updates to contact information) or document management (e.g. version control).
    • Cons: Consistency depends on creating templates and implementing rigid processes for document updates, review, and approval.
    Cost/Effort:
    • Pros: Little to no cost and no tool management required.
    • Cons: “Manual” document management requires strict attention to process for version control, updates, approvals, and distribution.

    About this approach:
    With this strategy, your ERT and key IT staff keep a copy of your DRP and relevant documentation with them (e.g. on a USB drive). If the primary site experiences a major event, they have ready access to the documentation.

    Fifty percent of respondents in our recent survey use this strategy. A common scenario is to use a shared network drive or a solution such as SharePoint as the master centralized repository, but distribute a copy to key staff.

    Info-Tech Insight

    This approach can have similar disadvantages as using hard copies. Ensuring the USB drives are up to date, and that all staff who might need access have a copy, can become a burdensome process. More often, USB drives are updated periodically, so there is the risk that the information will be out of date or incomplete.

    Avoid extensive use of paper copies of DR documentation

    DR documents need to be easy to update, accessible from anywhere, and searchable. Paper doesn’t meet these needs.

    Portability/External Access:
    • Pros: Does not rely on technology or power.
    • Cons: Requires all staff who might be involved in a DR to have a copy, and to have it with them at all times, to truly have access at any time from anywhere.
    Maintainability/Usability:
    • Pros: In terms of usability, again there is no dependence on technology.
    • Cons: Updates need to be printed and distributed to all relevant staff every time there is a change to ensure staff have access to the latest, most accurate documentation if a disaster occurred. You can’t schedule disasters, so information needs to be current all the time.
    • Cons: Navigation to other information is manual – flipping through pages, etc. No searching or hyperlinks.
    Cost/Effort:
    • Pros: No technology system to maintain, aside from what you use for printing.
    • Cons: Printing expenses are actually among the highest incurred by organizations, and this adds to it.
    • Cons: Labor intensive due to need to print and physically distribute documentation updates.

    About this approach:
    Traditionally DRPs are printed and distributed to managers and/or kept in a central location at both the primary site and a secondary site. In addition, wallet cards are distributed that contain key information such as contact numbers.

    A wallet card or even a few printed copies of your high-level DRP for general reference can be helpful, but paper is not a practical solution for your overall DR documentation library, particularly when you include SOPs for recovery procedures.

    One argument in favor of paper is there is no dependency on power during a crisis. However, in a power outage, staff can use smartphones and potentially laptops (with battery power) to access electronically stored documentation to get through first response steps. In addition, your DR site should have backup power to be an appropriate recovery site.

    Optional: Partial list of BCM tool vendors

    A partial list of BCM tool vendors, including: Business Protector, catalyst, clearview, ContinuityLogic. Fusion, Logic Manager, Quantivate, RecoveryPlanner.com, MetricStream, SimpleRisk, riskonnect, Strategic BCP - ResilienceONE, RSA, and Sungard Availability Services.

    The list is only a partial list of BCM tool vendors. The order in which vendors are presented, and inclusion in this list, does not represent an endorsement.

    Optional: Use our list of requirements as a foundation for selecting and reviewing BCM tools

    Supporting Tool icon 2.1.2 BCM Tool – RFP Selection Criteria

    If a BCM tool is the best option for your environment, expedite the evaluation process with our BCM Tool – RFP Selection Criteria.

    Through advisory services, workshops, and consulting engagements, we have created this BCM Tool Requirements List. The featured requirements includes the following categories:

    1. Integrations
    2. Planning and Monitoring
    3. Administration
    4. Architecture
    5. Security
    6. Support and Training
    Preview of the Info-Tech template 'BCM Tool – RFP Selection Criteria'.

    This BCM Tool – RFP Selection Criteria can be appended to an RFP. You can leverage Info-Tech’s RFP Template if your organization does not have one.

    Info-Tech can write full RFPs

    As part of a consulting engagement, Info-Tech can write RFPs for BCM tools and provide a customized scoring tool based on your environment’s unique requirements.

    Phase 3: Keep Your DRP Relevant Through Maintenance Best Practices

    Step 3.1: Integrate DRP maintenance into core IT processes

    PHASE 1
    PHASE 2
    PHASE 3
    1.11.21.32.13.13.2
    Start with a Recovery WorkflowCreate Supporting DocumentationWrite the DRP SummarySelect DRP Publishing StrategyIntegrate into Core IT ProcessesConduct an Annual Focused Review

    This step will walk you through the following activities:

    • Integrate DRP maintenance with Project Management.
    • Integrate DRP considerations into Change Management.
    • Integrate with Performance Management.

    This step involves the following participants:

    • DRP Owner
    • Head of Project Management Office
    • Head of Change Advisory Board
    • CIO

    Outcomes of this step

    • Updated project intake form.
    • Updated change management practice.
    • Updated performance appraisals.

    3.1 — Incorporate DRP maintenance into core IT processes

    Focusing on these three processes will help ensure that your plan stays current, accurate, and usable.

    The Info-Tech / COBIT5 'IT Management and Governance Framework' with three processes highlighted: 'MEA01 Performance Measurement', 'BAI06 Change Management', and 'BAI01 Project Management'.

    Info-Tech Best Practice

    Prioritize quick wins that will have large benefits. The advice presented in this section offers easy ways to help keep your DRP up to date. These simple solutions can save a lot of time and effort for your DRP team as opposed to more intricate changes to the processes above.

    Assess how new projects impact service criticality and DR requirements upfront during project intake

    Icon for process 'BAI01 Project Management'.
    Supporting Tool icon 3.1.1 Sample Project Intake Form Addendum

    Understand the RTO/RPO requirements and IT impacts for new or enhanced services to ensure appropriate provisioning and overall DRP updates.

    • Have submitters include service continuity requirements. This information can be inserted into your business impact analysis. Use similar language that you use in your own BIA.
      • The submitter should know how critical the resulting project will be. Any items that the submitter doesn’t know, the Project Steering Committee should investigate.
    • Have IT assess the impact on the DRP. The submitter will not know how the DRP will be impacted directly. Ask the project committee to consider how DRP documentation and the DR environment will need to be changed due to the project under consideration.

    Note: The goal is not to make DR a roadblock, but rather to ensure project requirements will be met – including availability and DR requirements.

    Preview of the Info-Tech template 'Project Intake Form'.

    This Project Intake Form asks the submitter to fill out the availability and criticality requirements for the project.

    Leverage your change management process to identify required DRP updates as they occur

    Icon for process 'BAI06 Change Management'.

    Avoid the year-end rush to update your DRP. Keeping it up to date as changes occur saves time in the long run and ensures your plan is accurate when you need it.

    • As part of your change management process, identify potential updates to:
      • System documentation (e.g. configuration settings).
      • Recovery procedures (e.g. if a system has been virtualized, that changes the recovery procedure).
      • Your DR environment (e.g. system configuration updates for standby systems).
    • Keep track of how often a system has changed. Relevant DRP documentation might be due for a deeper review:
      • After a system has been changed ten times (even from routine changes), notify your DRP Manager to flag the relevant DRP documentation for review.
      • As part of formal DRP reviews, pay closer attention to DRP documentation for the flagged systems.
    Preview of the Info-Tech template 'Disaster Recovery Change Management'.

    This template asks the submitter to fill out the availability and criticality requirements for the project.

    For change management best practices beyond DRP considerations, please see Optimize Change Management.

    Integrate documentation into performance measurement and performance management

    Icon for process 'MEA01 Performance Measurement'.

    Documentation is a necessary evil – few like to create it and more immediate tasks take priority. If it isn’t scheduled and prioritized, it won’t happen.

    Why documentation is such a challenge

    How management can address these challenges

    We all know that IT staff typically do not like to write documentation. That’s not why they were hired, and good documentation is not what gets them promoted. Include documentation deliverables in your IT staff’s performance appraisal to stress the importance of ensuring documentation is up to date, especially where it might impact DR success.
    Similarly, documentation is secondary to more urgent tasks. Time to write documentation is often not allocated by project managers. Schedule time for developing documentation, just like any other project, or it won’t happen.
    Writing manuals is typically a time-intensive task. Focus on what is necessary for another experienced IT professional to execute the recovery. As discussed earlier, often a diagram or checklist is good enough and actually far more usable in a crisis.

    “Our directors and our CIO have tied SOP work to performance evaluations, and SOP status is reviewed during management meetings. People have now found time to get this work done.” (Assistant Director – IT Operations, Healthcare Industry)

    Step 3.2: Conduct an Annual Focused Review

    PHASE 1
    PHASE 2
    PHASE 3
    1.11.21.32.13.13.2
    Start with a Recovery WorkflowCreate Supporting DocumentationWrite the DRP SummarySelect DRP Publishing StrategyIntegrate into Core IT ProcessesConduct an Annual Focused Review

    This step will walk you through the following activities:

    1. Identify components of your DRP to refresh.
    2. Identify organizational changes requiring further focus.
    3. Test your DRP and identify problems.
    4. Correct problems identified with DRP.

    This step involves the following participants:

    • DRP Owner
    • System SMEs
    • Backup DR Personnel

    Outcomes of this step

    • An actionable, up-to-date DRP.

    Info-Tech Insight

    Testing is a waste of time and resources if you do not fix what’s broken. Tabletop testing is effective at uncovering gaps in your DR processes, but if you don’t address those gaps, then your DRP will still be unusable in a disaster.

    Set up a safety net to capture changes that slipped through the cracks with a focused review process

    Evaluate documentation supporting high-priority systems, as well as documentation supporting IT systems that have been significantly changed.

    • Ideally you’re maintaining documentation as you go along. But you need to have an annual review to catch items that may have slipped through.
    • Don’t review everything. Instead, review:
      • IT systems that have had 10+ changes: small changes and updates can add up over time. Ensure:
        • The plans for these systems are updated for changes (e.g. configuration changes).
        • SMEs and backup personnel are familiar with the changes.
      • Tier 1 / Gold Systems: Ensure that you can still recover tier 1 systems with your existing DRP documentation.
    • Track documentation issues that you discovered with your ticketing system or service desk tool to ensure necessary documentation changes are made.
    1. Annual Focused Review
    2. Tier 1 Systems
    3. Significantly Changed Systems
    4. Organizational Changes

    Identify larger changes, both organizational and within IT, that necessitate DRP updates

    During your focused review, consider how organizational changes have impacted your DRP.

    The COBIT 5 Enablers provide a foundation for this analysis. Consider:

    • Changes in regulatory requirements: Are there new requirements for IT that are not reflected in your DRP? Is the organization required to comply with any additional regulations?
    • Changes to organizational structures, business processes, and how employees work: Can employees still be productive once tier 1 services are restored or have RTOs changed? Has organizational turnover impacted your DRP?
    • SMEs leaving or changing roles: Can IT still execute your DRP? Are there still people for all the key roles?
    • Changes to IT infrastructure and applications: Can the business still access the information they need during a disaster? Is your BIA still accurate? Do new services need to be considered tier 1?

    Info-Tech Best Practice

    COBIT 5 Enablers
    What changes need to be reflected in your DRP?

    A cycle visualization titled 'Disaster Recovery Plan'. Starting at 'Changes in Regulatory Requirements', it proceeds clockwise to 'Organizational Structure', 'Changes in Business Processes', and 'How Employees Work', before it returns to DRP. Then 'Changes to Applications', 'Changes to Infrastructure', 'SMEs Leaving or Changing Roles', and then back to the DRP.

    Create a plan during your annual focused review to test your DRP throughout the year

    Regardless of your documentation approach, training and familiarity with relevant procedures is critical.

    • Start with tabletop exercises and progress to technology-based testing (simulation, parallel, and full-scale testing).
    • Ask staff to reference documentation while testing, even if they do not need to. This practice helps to confirm documentation accuracy and accessibility.
    • Incorporate cross-training in DR testing. This gives important experience to backup personnel and will further validate that documents are complete and accurate.
    • Track any discovered documentation issues with your ticketing system or project tracking tools to ensure necessary documentation changes are made.

    Example Test Schedule:

    1. Q1: Tabletop testing shadowed by backup personnel
    2. Q2: Tabletop testing led by backup personnel
    3. Q3: Technology-based testing
    4. Annual Focused Review: Review Results

    Reference this blueprint for guidance on DRP testing plans: Reduce Costly Downtime Through DR Testing

    Appendix A: XMPL Case Study

    Follow XMPL Medical’s journey through DR documentation

    CASE STUDY

    Industry Healthcare
    Source Created by amalgamating data from Info-Tech’s client base

    Streamline your documentation and maintenance process by following the approach outlined in XMPL Medical’s journey to an end-to-end DRP.

    Outline of the Disaster Recovery Plan

    XMPL’s disaster recovery plan includes its business impact analysis and a subset of tier 1 and tier 2 patient care applications.

    Its DRP includes incident response flowcharts, system recovery checklists, and a communication plan. Its DRP also references IT operations documentation (e.g. asset management documents, system specs, and system configuration docs), but this material is not published with the example documentation.

    Resulting Disaster Recovery Plan

    XMPL’s DRP includes actionable documents in the form of high-level disaster response plan flowcharts and system recovery checklists. During an incident, the DR team is able to clearly see the items for which they are responsible.

    Disaster Recovery Plan
    • Recovery Workflow
    • Business Impact Analysis
    • DRP Summary
    • System Recovery Checklists
    • Communication, Assessment, and Disaster Declaration Plan

    Info-Tech Best Practice

    XMPL Medical’s disaster recovery plan illustrates an effective DRP. Model your end-to-end disaster recovery plan after XMPL’s completed templates. The specific data points will differ from organization to organization, but the structure of each document will be similar.

    Model your disaster recovery documentation off of our example

    CASE STUDY

    Industry Healthcare
    Source Created by amalgamating data from Info-Tech’s client base

    Recovery Workflow:

    • Recovery Workflows (PDF, VSDX)

    Recovery Procedures (Systems Recovery Playbook):

    • DR Notification, Assessment, and Disaster Declaration Plan
    • Systems Recovery Playbook
    • Network Topology Diagrams

    Additional Reference Documentation:

    • DRP Workbook
    • Business Impact Analysis
    • DRP Summary Document

    Use our structure to create your practical disaster recovery plan.

    Appendix B: Summary, Next Steps, and Bibliography

    Insight breakdown

    Use visual-based documentation instead of a traditional DRP manual.

    • Flowcharts, checklists, and diagrams are more concise, easier to maintain, and more effective in a crisis.
    • Write for an IT audience and focus on how to recover. You don’t need 30 pages of fluff describing the purpose of the document.

    Create your DRP in layers to keep the work manageable.

    • Start with a recovery workflow to ensure a coordinated response, and build out supporting documentation over time.

    Prioritize quick wins to make DRP maintenance easier and more likely to happen.

    • Incorporate DRP maintenance into change management and project intake procedures to systematically update and refine the DR documentation. Don’t save up changes for a year-end blitz, which turns document maintenance into an onerous project.

    Summary of accomplishment

    Knowledge Gained

    • How to create visual-based DRP documentation
    • How to integrate DRP maintenance into core IT processes

    Processes Optimized

    • DRP documentation creation
    • DRP publishing tool selection
    • DRP documentation maintenance

    Deliverables Completed

    • DRP documentation
    • Strategy for publishing your DRP
    • Modified project-intake form
    • Change management checklist for DR considerations

    Project step summary

    Client Project: Document and Maintain Your Disaster Recovery Plan

    • Create a recovery workflow.
    • Create supporting DRP documentation.
    • Write a summary for your DRP.
    • Decide on a publishing strategy.
    • Incorporate DRP maintenance into core IT processes.
    • Conduct an annual focused review.

    Info-Tech Insight

    This project has the ability to fit the following formats:

    • Onsite workshop by Info-Tech Research Group consulting analysts.
    • Do-it-yourself with your team.
    • Remote delivery (Info-Tech Guided Implementation).

    Related Info-Tech research

    Create a Right-Sized Disaster Recovery Plan
    Close the gap between your DR capabilities and service continuity requirements.

    Reduce Costly Downtime Through DR Testing
    Improve the accuracy of your DRP and your team’s ability to efficiently execute recovery procedures through regular DR testing.

    Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind
    Go beyond satisfying auditors to drive process improvement, consistent IT operations, and effective knowledge transfer.

    Prepare for a DRP Audit
    Assess your current DRP maturity, identify required improvements, and complete an audit-ready DRP summary document.

    Bibliography

    A Structured Approach to Enterprise Risk Management (ERM) and the Requirements of ISO 31000. The Association of Insurance and Risk Managers, Alarm: The Public Risk Management Association, and The Institute of Risk Management, 2010.

    “APO012: Manage Risk.” COBIT 5: Enabling Processes. ISACA, 2012.

    Bird, Lyndon, Ian Charters, Mel Gosling, Tim Janes, James McAlister, and Charlie Maclean-Bristol. Good Practice Guidelines: A Guide to Global Good Practice in Business Continuity. Global ed. Business Continuity Institute, 2013.

    COBIT 5: A Business Framework for the Governance and Management of Enterprise IT. ISACA, 2012.

    “EDM03: Ensure Risk Optimisation.” COBIT 5: Enabling Processes. ISACA, 2012.

    Risk Management. ISO 31000:2009.

    Rothstein, Philip Jan. Disaster Recovery Testing: Exercising Your Contingency Plan. Rothstein Associates: 1 Oct. 2007.

    Societal Security – Business continuity management systems – Guidance. ISO 22313:2012.

    Societal Security – Business continuity management systems – Requirements. ISO 22301:2012.

    Understanding and Articulating Risk Appetite. KPMG, 2008.

    Security Strategy

    • Buy Link or Shortcode: {j2store}42|cart{/j2store}
    • Related Products: {j2store}42|crosssells{/j2store}
    • member rating overall impact (scale of 10): 9.4/10
    • member rating average dollars saved: $33,431
    • member rating average days saved: 29
    • Parent Category Name: Security and Risk
    • Parent Category Link: /security-and-risk

    The challenge

    You may be experiencing one or more of the following:

    • You may not have sufficient security resources to handle all the challenges.
    • Security threats are prevalent. Yet many businesses struggle to embed systemic security thinking into their culture.
    • The need to move towards strategic planning of your security landscape is evident. How to get there is another matter.

    Our advice

    Insight

    To have a successful information security strategy, take these three factors into account:

    • Holistic: your view must include people, processes, and technology.
    • Risk awareness: Base your strategy on the actual risk profile of your company. And then add the appropriate best practices.
    • Business-aligned: When your strategic security plan demonstrates alignment with the business goals and supports it, embedding will go much more straightforward.

    Impact and results 

    • We have developed a highly effective approach to creating your security strategy. We tested and refined this for more than seven years with hundreds of different organizations.
    • We ensure alignment with business objectives.
    • We assess organizational risk and stakeholder expectations.
    • We enable a comprehensive current state assessment.
    • And we prioritize initiatives and build out a right-sized security roadmap.

     

    The roadmap

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    Get up to speed

    Read up on why you should build your customized information security strategy. Review our methodology and understand the four ways we can support you.

    Assess the security requirements

    It all starts with risk appetite, yes, but security is something you want to get right. Determine your organizations' security pressures and business goals, and then determine your security program's goals.

    • Build an Information Security Strategy – Phase 1: Assess Requirements
    • Information Security Requirements Gathering Tool (xls)
    • Information Security Pressure Analysis Tool (xls)

    Build your gap initiative

    Our best-of-breed security framework makes you perform a gap analysis between where you are and where you want to be (your target state). Once you know that, you can define your goals and duties.

    • Build an Information Security Strategy – Phase 2: Assess Gaps
    • Information Security Program Gap Analysis Tool (xls)

    Plan the implementation of your security strategy 

    With your design at this level, it is time to plan your roadmap.

    • Build an Information Security Strategy – Phase 3: Build the Roadmap

    Let it run and continuously improve. 

    Learn to use our methodology to manage security initiatives as you go. Identify the resources you need to execute the evolving strategy successfully.

    • Build an Information Security Strategy – Phase 4: Execute and Maintain
    • Information Security Strategy Communication Deck (ppt)
    • Information Security Charter (doc)

     

    Establish High-Value IT Performance Dashboards and Metrics

    • Buy Link or Shortcode: {j2store}58|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: $8,599 Average $ Saved
    • member rating average days saved: 10 Average Days Saved
    • Parent Category Name: Performance Measurement
    • Parent Category Link: /performance-measurement

    While most CIOs understand the importance of using metrics to measure IT’s accomplishments, needs, and progress, when it comes to creating dashboards to communicate these metrics, they:

    • Concentrate on the data instead of the audience.
    • Display information specific to IT activities instead of showing how IT addresses business goals and problems.
    • Use overly complicated, out of context graphs that crowd the dashboard and confuse the viewer.

    Our Advice

    Critical Insight

    While most CIOs understand the importance of using metrics to measure IT’s accomplishments, needs, and progress, when it comes to creating dashboards to communicate these metrics, they:

    • Concentrate on the data instead of the audience.
    • Display information specific to IT activities instead of showing how IT addresses business goals and problems.
    • Use overly complicated, out of context graphs that crowd the dashboard and confuse the viewer.

    Impact and Result

    Use Info-Tech’s ready-made dashboards for executives to ensure you:

    • Speak to the right audience
    • About the right things
    • In the right quantity
    • Using the right measures
    • At the right time.

    Establish High-Value IT Performance Dashboards and Metrics Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish High-Value IT Performance Metrics and Dashboards – a document that walks you through Info-Tech’s ready-made IT dashboards.

    This blueprint guides you through reviewing Info-Tech’s IT dashboards for your audience and organization, then walks you through practical exercises to customize the dashboards to your audience and organization. The blueprint also gives practical guidance for delivering your dashboards and actioning your metrics.

    • Establish High-Value IT Performance Metrics and Dashboards Storyboard

    2. Info-Tech IT Dashboards and Guide – Ready-made IT dashboards for the CIO to communicate to the CXO.

    IT dashboards with visuals and metrics that are aligned and organized by CIO priority and that allow you to customize with your own data, eliminating 80% of the dashboard design work.

    • Info-Tech IT Dashboards and Guide

    3. IT Dashboard Workbook – A step-by-step tool to identify audience needs, translate needs into metrics, design your dashboard, and track/action your metrics.

    The IT Dashboard Workbook accompanies the Establish High Value IT Metrics and Dashboards blueprint and guides you through customizing the Info-Tech IT Dashboards to your audience, crafting your messages, delivering your dashboards to your audience, actioning metrics results, and addressing audience feedback.

    • Info-Tech IT Dashboards Workbook

    4. IT Metrics Library

    Reference the IT Metrics Library for ideas on metrics to use and how to measure them.

    • IT Metrics Library

    5. HR Metrics Library

    Reference the HR Metrics Library for ideas on metrics to use and how to measure them.

    • HR Metrics Library

    Infographic

    Workshop: Establish High-Value IT Performance Dashboards and Metrics

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Test Info-tech’s IT Dashboards Against Your Audience’s Needs and Translate Audience Needs Into Metrics

    The Purpose

    Introduce the Info-Tech IT Dashboards to give the participants an idea of how they can be used in their organization.

    Understand the importance of starting with the audience and understanding audience needs before thinking about data and metrics.

    Explain how audience needs translate into metrics.

    Key Benefits Achieved

    Understanding of where to begin when it comes to considering dashboards and metrics (the audience).

    Identified audience and needs and derived metrics from those identified needs.

    Activities

    1.1 Review the info-Tech IT Dashboards and document impressions for your organization.

    1.2 Identify your audience and their attributes.

    1.3 Identify timeline and deadlines for dashboards.

    1.4 Identify and prioritize audience needs and desired outcomes.

    1.5 Associate metrics to each need.

    1.6 Identify a dashboard for each metric.

    Outputs

    Initial impressions of Info-Tech IT Dashboards.

    Completed Tabs 2 and 3 of the IT Dashboard Workbook.

    2 Inventory Your Data and Assess Data Quality and Readiness

    The Purpose

    Provide guidance on how to derive metrics and assess data.

    Key Benefits Achieved

    Understand the importance of considering how you will measure each metric and get the data.

    Understand that measuring data can be costly and that sometimes you just can’t afford to get the measure or you can’t get the data period because the data isn’t there.

    Understand how to assess data quality and readiness.

    Activities

    2.1 Complete a data inventory for each metric on each dashboard: determine how you will measure the metric, the KPI, any observation biases, the location of the data, the type of source, the owner, and the security/compliance requirements.

    2.2 Assess data quality for availability, accuracy, and standardization.

    2.3 Assess data readiness and the frequency of measurement and reporting.

    Outputs

    Completed Tab 4 of the IT Dashboard Workbook.

    3 Design and Build Your Dashboards

    The Purpose

    Guide participants in customizing the Info-Tech IT Dashboards with the data identified in previous steps.

    This step may vary as some participants may not need to alter the Info-Tech IT Dashboards other than to add their own data.

    Key Benefits Achieved

    Understanding of how to customize the dashboards to the participants’ organization.

    Activities

    3.1 Revisit the Info-Tech IT Dashboards and use the identified metrics to determine what should change in them.

    3.2 Build your dashboards by editing the Info-Tech IT Dashboards with your changes as planned in Step 3.1.

    Outputs

    Assessed Info-Tech IT Dashboards for your audience’s needs.

    Completed Tab 5 of the IT Dashboard Workbook.

    Finalized dashboards.

    4 Deliver Your Dashboard and Plan to Action Metrics

    The Purpose

    Guide participants in learning how to create a story around the dashboards.

    Guide participants in planning to action metrics and where to record results.

    Guide participants in how to address results of metrics and feedback from audience about dashboards.

    Key Benefits Achieved

    Participants understand how to speak to their dashboards.

    Participants understand how to action metrics results and feedback about dashboards.

    Activities

    4.1 Craft your story.

    4.2 Practice delivering your story.

    4.3 Plan to action your metrics.

    4.4 Understand how to record and address your results.

    Outputs

    Completed Tabs 6 and 7 of the IT Dashboard Workbook.

    5 Next Steps and Wrap-Up

    The Purpose

    Finalize work outstanding from previous steps and answer any questions.

    Key Benefits Achieved

    Participants have thought about and documented how to customize the Info-Tech IT Dashboards to use in their organization, and they have everything they need to customize the dashboards with their own metrics and visuals (if necessary).

    Activities

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Outputs

    Completed IT Dashboards tailored to your organization.

    Completed IT Dashboard Workbook

    Further reading

    Establish High-Value IT Performance Dashboards and Metrics

    Spend less time struggling with visuals and more time communicating about what matters to your executives.

    Analyst Perspective

    A dashboard is a communication tool that helps executives make data-driven decisions

    CIOs naturally gravitate toward data and data analysis. This is their strength. They lean into this strength, using data to drive decisions, track performance, and set targets because they know good data drives good decisions.

    However, when it comes to interpreting and communicating this complex information to executives who may be less familiar with data, CIOs struggle, often falling back on showing IT activity level data instead of what the executives care about. This results in missed opportunities to tell IT’s unique story, secure funding, reveal important trends, or highlight key opportunities for the organization.

    Break through these traditional barriers by using Info-Tech’s ready-made IT dashboards. Spend less time agonizing over visuals and layout and more time concentrating on delivering IT information that moves the organization forward.

    Photo of Diana MacPherson
    Diana MacPherson
    Senior Research Analyst, CIO
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    While most CIOs understand the importance of using metrics to measure IT’s accomplishments, needs, and progress, when it comes to creating dashboards to communicate these metrics, they:

    • Concentrate on the data instead of the audience.
    • Display information specific to IT activities instead of showing how IT addresses business goals and problems.
    • Use overly complicated, out of context graphs that crowd the dashboard and confuse the viewer.

    Common Obstacles

    CIOs often experience these challenges because they:

    • Have a natural bias toward data and see it as the whole story instead of a supporting character in a larger narrative.
    • Assume that the IT activity metrics that are easy to get and useful to them are equally interesting to all their stakeholders.
    • Do not have experience communicating visually to an audience unfamiliar with IT operations or lingo.

    Info-Tech’s Approach

    Use Info-Tech’s ready-made dashboards for executives to ensure you:

    • Speak to the right audience
    • About the right things
    • In the right quantity
    • Using the right measures
    • At the right time

    Info-Tech Insight

    The purpose of a dashboard is to drive decision making. A well designed dashboard presents relevant, clear, concise insights that help executives make data-driven decisions.

    Your challenge

    CIOs struggle to select the right metrics and dashboards to communicate IT’s accomplishments, needs, and progress to their executives. CIOs:

    • Fail to tailor metrics to their audience, often presenting graphs that are familiar and useful to them, but not their executives. This results in dashboards full of IT activities that executives neither understand nor find valuable.
    • Do not consider the timeliness of their metrics, which has the same effect as not tailoring their metrics: the executives do not care about the metrics they are shown.
    • Present too many metrics, which not only clutters the board but also dilutes the message the CIO needs to communicate.
    • Do not act on the results of their metrics and show progress, which makes metrics meaningless. Why measure something if you won’t act on the results?

    The bottom line: CIOs often communicate to the wrong audience, about the wrong things, in the wrong amount, using the wrong metrics, at the wrong time.

    In a survey of 500 executives, organizations that struggled with dashboards identified the reasons as:
    61% Inadequate context
    54% Information overload

    — Source: Exasol

    CXOs and CIOs agree that IT performance metrics need improvement

    When asked which performance indicators should be implemented in your business, CXOs and CIOs both agree that IT needs to improve its metrics across several activity areas: technology performance, cost and salary, and risk.

    A diagram that shows performance indicators and metrics from cxo and cio.

    The Info-Tech IT Dashboards center key metrics around these activities ensuring you align your metrics to the needs of your CXO audience.

    Info-Tech CEO/CIO Alignment Survey Benchmark Report n=666

    The Info-Tech IT Dashboards are organized by the top CIO priorities

    The top six areas that a CIO needs to prioritize and measure outcomes, no matter your organization or industry, are:

    • Managing to a budget: Reducing operational costs and increasing strategic IT spend
    • Customer/constituent satisfaction: Directly and indirectly impacting customer experience.
    • Risk management: Actively knowing and mitigating threats to the organization.
    • Delivering on business objectives: Aligning IT initiatives to the vision of the organization.
    • Employee engagement: Creating an IT workforce of engaged and purpose-driven people.
    • Business leadership relations: Establishing a network of influential business leaders.

    Deliver High-Value IT Dashboards to Your Executives

    A diagram that shows Delivering High-Value IT Dashboards to Your Executives

    Info-Tech’s approach

    Deliver High-Value Dashboards to Your Executives

    A diagram that shows High-Value Dashboard Process.

    Executives recognize the benefits of dashboards:
    87% of respondents to an Exasol study agreed that their organization’s leadership team would make more data-driven decisions if insights were presented in a simpler and more understandable way
    (Source: Exasol)

    The Info-Tech difference:

    We created dashboards for you so you don’t have to!

    1. Eliminate 80% of the dashboard design work by selecting from our ready-made Info-Tech IT Dashboards.
    2. Use our IT Dashboard Workbook to adjust the dashboards to your audience and organization.
    3. Follow our blueprint and IT Dashboard Workbook tool to craft, and deliver your dashboard to your CXO team, then action feedback from your audience to continuously improve.

    Info-Tech’s methodology for establishing high-value dashboards

    1. Test Info-Tech’s IT Dashboards Against Your Audience’s Needs

    Phase Steps

    1. Validate Info-Tech’s IT Dashboards for Your Audience
    2. Identify and Document Your Audience’s Needs

    Phase Outcomes

    1. Initial impressions of Info-Tech IT Dashboards
    2. Completed Tabs 2 of the IT Dashboard Workbook

    2. Translate Audience Needs into Metrics

    Phase Steps

    1. Review Info-Tech’s IT Dashboards for Your Audience
    2. Derive Metrics from Audience Needs
    3. Associate metrics to Dashboards

    Phase Outcomes

    1. Completed IT Tab 3 of IT Dashboard Workbook

    3. Ready Your Data for Dashboards

    Phase Steps

    1. Assess Data Inventory
    2. Assess Data Quality
    3. Assess Data Readiness
    4. Assess Data Frequency

    Phase Outcomes

    1. Assessed Info-Tech IT Dashboards for your audience’s needs
    2. Completed Tab 5 of the IT Dashboard Workbook
    3. Finalized dashboards

    4. Build and Deliver Your Dashboards

    Phase Steps

    1. Design Your Dashboard
    2. Update Your Dashboards
    3. Craft Your Story and Deliver Your Dashboards

    Phase Outcomes

    1. Completed IT Tab 5 and 6 of IT Dashboard Workbook and finalized dashboards

    5. Plan, Record, and Action Your Metrics

    Phase Steps

    1. Plan How to Record Metrics
    2. Record and Action Metrics

    Phase Outcomes

    1. Completed IT Dashboards tailored to your organization
    2. Completed IT Dashboard Workbook

    How to Use This Blueprint

    Choose the path that works for you

    A diagram that shows path of using this blueprint.

    The Info-Tech IT Dashboards address several needs:

    1. New to dashboards and metrics and not sure where to begin? Let the phases in the blueprint guide you in using Info-Tech’s IT Dashboards to create your own dashboards.
    2. Already know who your audience is and what you want to show? Augment the Info-Tech’s IT Dashboards framework with your own data and visuals.
    3. Already have a tool you would like to use? Use the Info-Tech’s IT Dashboards as a design document to customize your tool.

    Insight Summary

    The need for easy-to-consume data is on the rise making dashboards a vital data communication tool.

    70%: Of employees will be expected to use data heavily by 2025, an increase from 40% in 2018.
    — Source: Tableau

    Overarching insight

    A dashboard’s primary purpose is to drive action. It may also serve secondary purposes to update, educate, and communicate, but if a dashboard does not drive action, it is not serving its purpose.

    Insight 1

    Start with the audience. Resist the urge to start with the data. Think about who your audience is, what internal and external environmental factors influence them, what problems they need to solve, what goals they need to achieve, then tailor the metrics and dashboards to suit.

    Insight 2

    Avoid showing IT activity-level metrics. Instead use CIO priority-based metrics to report on what matters to the organization. The Info-Tech IT Dashboards are organized by the CIO priorities: risks, financials, talent, and strategic initiatives.

    Insight 3

    Dashboards show the what not the why. Do not assume your audience will draw the same conclusions from your graphs and charts as you do. Provide the why by interpreting the results, adding insights and calls to action, and marking key areas for discussion.

    Insight 4

    A dashboard is a communication tool and should reflect the characteristics of good communication. Be clear, concise, consistent, and relevant.

    Insight 5

    Action your data. Act and report progress on your metrics. Gathering metrics has a cost, so if you do not plan to action a metric, do not measure it.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Photo of Dashboards

    Key deliverable: Dashboards

    Ready-made risk, financials, talent, and strategic initiatives dashboards that organize your data in a visually appealing way so you can concentrate on the metrics and communication.

    Photo of IT Dashboard Workbook

    IT Dashboard Workbook

    The IT Dashboard Workbook keeps all your metrics, data, and dashboard work in one handy file!

    Photo of IT Dashboard Guide

    IT Dashboard Guide

    The IT Dashboard Guide provides the Info-Tech IT Dashboards and information about how to use them.

    Blueprint benefits

    CIO Benefits

    • Reduces the burden of figuring out what metrics to show executives and how to categorize and arrange the visuals.
    • Increases audience engagement through tools and methods that guide CIOs through tailoring metrics and dashboards to audience needs.
    • Simplifies CIO messages so executives better understand IT needs and value.
    • Provides CIOs with the tools to demonstrate transparency and competency to executive leaders.
    • Provides tools and techniques for regular review and action planning of metrics results, which leads to improved performance, efficiency, and effectiveness.

    Business Benefits

    • Provides a richer understanding of the IT landscape and a clearer connection of how IT needs and issues impact the organization.
    • Increases understanding of the IT team’s contribution to achieving business outcomes.
    • Provides visibility into IT and business trends.
    • Speeds up decision making by providing insights and interpretations to complex situations.

    Measure the value of this blueprint

    Realize measurable benefits after using Info-Tech’s approach:

    Determining what you should measure, what visuals you should use, and how you should organize your visuals, is time consuming. Calculate the time it has taken you to research what metrics you should show, create the visuals, figure out how to categorize the visuals, and layout your visuals. Typically, this takes about 480 hours of time. Use the ready-made Info-Tech IT Dashboards and the IT Dashboard Workbook to quickly put together a set of dashboards to present your CXO. Using these tools will save approximately 480 hours.

    A study at the University of Minnesota shows that visual presentations are 43% more effective at persuading their audiences (Bonsignore). Estimate how persuasive you are now by averaging how often you have convinced your audience to take a specific course of action. After using the Info-Tech IT Dashboards and visual story telling techniques described in this blueprint, average again. You should be 43% more persuasive.

    Further value comes from making decisions faster. Baseline how long it takes, on average, for your executive team to make a decision before using Info-Tech’s IT Dashboards then time how long decisions take when you use your Info-Tech’s IT Dashboards. Your audience should reach decisions 21% faster according to studies at Stanford University and the Wharton School if business (Bonsignore).

    Case Study

    Visuals don’t have to be fancy to communicate clear messages.

    • Industry: Construction
    • Source: Anonymous interview participant

    Challenge

    Year after year, the CIO of a construction company attended business planning with the Board to secure funding for the year. One year, the CEO interrupted and said, “You're asking me for £17 million. You asked me for £14 million last year and you asked me for £12 million the year before that. I don't quite understand what we get for our money.”

    The CEO could not understand how fixing laptops would cost £17 million and for years no one had been able to justify the IT spend.

    Solutions

    The CIO worked with his team to produce a simple one-page bubble diagram representing each IT department. Each bubble included the total costs to deliver the service, along with the number of employees. The larger the bubble, the higher the cost. The CIO brought each bubble to life as he explained to the Board what each department did.

    The Board saw, for example, that IT had architects who thought about the design of a service, where it was going, the life cycle of that service, and the new products that were coming out. They understood what those services cost and knew how many architects IT had to provide for those services.

    Recommendations

    The CEO remarked that he finally understood why the CIO needed £17 million. He even saw that the costs for some IT departments were low for the amount of people and offered to pay IT staff more (something the CIO had requested for years).

    Each year the CIO used the same slide to justify IT costs and when the CIO needed further investment for things like security or new products, an upgrade, or end of life support, the sign-offs came very quickly because the Board understood what IT was doing and that IT wasn't a bottomless pit.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit
    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation
    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop
    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting
    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    A diagram that shows Guided Implementation in 5 phases.

    Workshop overview

    Day 1: Test Info-tech’s IT Dashboards Against Your Audience’s Needs and Translate Audience Needs Into Metrics

    Activities
    1.1 Review the info-Tech IT Dashboards and document impressions for your organization.
    1.2 Identify your audience’s attributes.
    1.3 Identify timeline and deadlines for dashboards.
    1.4 Identify and prioritize audience needs and desired outcomes.
    1.5 Associate metrics to each need.
    1.6 Identify a dashboard for each metric.

    Deliverables
    1. Initial impressions of Info-Tech IT Dashboards.
    2. Completed Tabs 2 and 3 of the IT Dashboard Workbook.

    Day 2: Inventory Your Data; Assess Data Quality and Readiness

    Activities
    2.1 Complete a data inventory for each metric on each dashboard: determine how you will measure the metric, the KPI, any observation biases, the location of the data, the type of source, and the owner and security/compliance requirements.
    2.2 Assess data quality for availability, accuracy, and standardization.
    2.3 Assess data readiness and frequency of measurement and reporting.

    Deliverables
    1. Completed Tab 4 of the IT Dashboard Workbook.

    Day 3: Design and Build Your Dashboards

    Activities
    3.1 Revisit the Info-Tech IT Dashboards and use the identified metrics to determine what should change on the dashboards.
    3.2 Build your dashboards by editing the Info-Tech IT Dashboards with your changes as planned in Step 3.1.

    Deliverables
    1. Assessed Info-Tech IT Dashboards for your audience’s needs.
    2. Completed Tab 5 of the IT Dashboard Workbook.
    3. Finalized dashboards.

    Day 4: Deliver Your Dashboard and Plan to Action Metrics

    Activities
    4.1 Craft your story.
    4.2 Practice delivering your story.
    4.3 Plan to action your metrics.
    4.4 Understand how to record and address your results.

    Deliverables
    1. Completed Tabs 6 and 7 of the IT Dashboard Workbook.

    Day 5: Next Steps and Wrap-Up (offsite)

    Activities
    5.1 Complete in-progress deliverables from previous four days
    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. Completed IT Dashboards tailored to your organization.
    2. Completed IT Dashboard Workbook.

    Contact your account representative for more information.

    workshops@infotech.com
    1-888-670-8889

    What is an IT dashboard?

    A photo of Risks - Protect the Organization. A photo of Financials: Transparent, fiscal responsibility
    A photo of talent attrat and retain top talent A photo of Strategic Initiatives: Deliver Value to Customers.

    An IT dashboard is…
    a visual representation of data, and its main purpose is to drive actions. Well-designed dashboards use an easy to consume presentation style free of clutter. They present their audience with a curated set of visuals that present meaningful metrics to their audience.

    Dashboards can be both automatically or manually updated and can show information that is dynamic or a snapshot in time.

    Info-Tech IT Dashboards

    Review the Info-Tech IT Dashboards

    We created dashboards so you don’t have to.

    A photo of Risks - Protect the Organization. A photo of Financials: Transparent, fiscal responsibility A photo of talent attrat and retain top talent A photo of Strategic Initiatives: Deliver Value to Customers.

    Use the link below to download the Info-Tech IT Dashboards and consider the following:

    1. What are your initial reactions to the dashboards?
    2. Are the visuals appealing? If so, what makes them appealing?
    3. Can you use these dashboards in your organization? What makes them usable?
    4. How would you use these dashboards to speak your own IT information to your audience?

    Download the Info-Tech IT Dashboards

    Why Use Dashboards When We Have Data?

    How graphics affect us

    Cognitively

    • Engage our imagination
    • Stimulate the brain
    • Heighten creative thinking
    • Enhance or affect emotions

    Emotionally

    • Enhance comprehension
    • Increase recollection
    • Elevate communication
    • Improve retention

    Visual clues

    • Help decode text
    • Attract attention
    • Increase memory

    Persuasion

    • 43% more effective than text alone

    — Source: (Vogel et al.)

    Phase 1

    Test Info-Tech’s IT Dashboards Against Your Audience’s Needs

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Documenting impressions for using Info-Tech’s IT Dashboards for your audience.
    • Documenting your audience and their needs and metrics for your IT dashboards

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Info-Tech IT Dashboard organization and audience

    We created a compelling way to organize IT dashboards so you don’t have to. The Info-Tech IT Dashboards are organized by CIO Priorities, and these are consistent irrespective of industry or organization. This is a constant that you can organize your metrics around.

    A photo of Info-Tech IT Dashboards

    Dashboard Customization

    The categories represent a constant around which you can change the order; for example, if your CXO is more focused on Financials, you can switch the Financials dashboard to appear first.

    The Info-Tech IT Dashboards are aimed at a CXO audience so if your audience is the CXO, then you may decide to change very little, but you can customize any visual to appeal to your audience.

    Phase 1 will get you started with your audience.

    Always start with the audience

    …and not the data!

    Reliable, accurate data plays a critical role in dashboards, but data is only worthwhile if it is relevant to the audience who consumes it, and dashboards are only as meaningful as the data and metrics they represent.

    Instead of starting with the data, start with the audience. The more IT understands about the audience, the more relevant the metrics will be to their audience and the more aligned leadership will be with IT.

    Don’t forget yourself and who you are. Your audience will have certain preconceived notions about who you are and what you do. Consider these when you think about what you want your audience to know.

    46% executives identify lack of customization to individual user needs as a reason they struggle with dashboards.
    — Source: (Exasol)

    Resist the Data-First Temptation

    If you find yourself thinking about data and you haven’t thought about your audience, pull yourself back to the audience.

    Ask first Ask later
    Who is this dashboard for? What data should I show?
    How will the audience use the dashboard to make decisions? Where do I get the data?
    How can I show what matters to the audience? How much effort is required to get the data?

    Meaningful measures rely on understanding your audience and their needs

    It is crucial to think about who your audience is so that you can translate their needs into metrics and create meaningful visuals for your dashboards.

    A diagram that highlights step 1-3 of understanding your audience in the high-value dashboard process.

    Step 1.1

    Review and Validate Info-Tech’s IT Dashboards for Your Audience

    Activities:
    1.1.1 Examine Info-Tech’s IT Dashboards.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 1.1 & 1.2 to Test Info-Tech’s IT Dashboards Against Your Audience’s Needs.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Info-Tech dashboards reviewed for your organization’s audience.

    1.1.1 Examine the Info-Tech IT Dashboards

    30 minutes

    1. If you haven’t already downloaded the Info-Tech IT Dashboards, click the link below to download.
    2. Complete a quick review of the dashboards and consider how your audience would receive them.
    3. Document your thoughts, with special emphasis on your audience in the Info-Tech Dashboard Impressions slide.

    A diagram that shows Info-Tech IT Dashboards

    Download Info-Tech IT Dashboards

    Reviewing visuals can help you think about how your audience will respond to them

    Jot down your thoughts below. You can refer to this later as you consider your audience.

    Consider:

    • Who is your dashboard audience?
    • Are their needs different from the Info-Tech IT Dashboard audience’s? If so, how?
    • Will the visuals work for your audience on each dashboard?
    • Will the order of the dashboards work for your audience?
    • What is missing?

    Step 1.2

    Identify and Document Your Audience’s Needs

    Activities:
    1.2.1 Document your audience’s needs in the IT Dashboard Workbook.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 1.1 & 1.2 to Test Info-Tech’s IT Dashboards Against Your Audience’s Needs.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Audience details documented in IT Dashboard Workbook

    Identify Your Audience and dig deeper to understand their needs

    Connect with your audience

    • Who is your audience?
    • What does your audience care about? What matters to them?
    • How is their individual success measured? What are their key performance indicators (KPIs)?
    • Connect the challenges and pain points of your audience to how IT can help alleviate those pain points:
      • For example, poor financial performance could be due to a lack of digitization. Identify areas where IT can help alleviate this issue.
      • Try to uncover the root cause behind the need. Root causes are often tied to broad organizational objectives, so think about how IT can impact those objectives.

    Validate the needs you’ve uncovered with the audience to ensure you have not misinterpreted them and clarify the desired timeline and deadline for the dashboard.

    Document audiences and needs on Tab 2 of the IT Dashboard Workbook

    Typical Audience Needs
    Senior Leadership
    • Inform strategic planning and track progress toward objectives.
    • Understand critical challenges.
    • Ensure risks are managed.
    • Ensure budgets are managed.
    Board of Directors
    • Understand organizational risks.
    • Ensure organization is fiscally healthy.
    Business Partners
    • Support strategic workforce planning.
    • Surface upcoming risks to workforce.
    CFO
    • IT Spend
    • Budget Health and Risks

    Prioritize and select audience needs that your dashboard will address

    Prioritize needs by asking:

    • Which needs represent the largest value to the entire organization (i.e. needs that impact more of the organization than just the audience)?
    • Which needs will have the largest impact on the audience’s success?
    • Which needs are likely to drive action (e.g. if supporting a decision, is the audience likely to be amenable to changing the way they make that decision based on the data)?

    Select three to five of the highest priority needs for each audience to include on a dashboard.

    Prioritize needs on Tab 2 of the IT Dashboard Workbook

    A diagram that shows 3 tiers of high priority, medium priority, and low priority.

    1.2.1 Document Your Audience Needs in the IT Dashboard Workbook

    1 hour

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 2. The workbook contains pre-populated text that reflects information about Info-Tech’s IT Dashboards. You may want to keep the pre-populated text as reference as you identify your own audience then remove after you have completed your updates.

    A table of documenting audience, including key attributes, desired timeline, deadline, needs, and priority.

    Download Info-Tech IT Dashboard Workbook

    Phase 2

    Translate Audience Needs Into Metrics

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Revisiting the Info-Tech IT Dashboards for your audience.
    • Documenting your prioritized audience’s needs and the desired outcome of each in the IT Dashboard Workbook.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Linking audience needs to metrics has positive outcomes

    When you present metrics that your audience cares about, you:

    • Deliver real value and demonstrate IT’s value as a trusted partner.
    • Improve the relationship between the business and IT.
    • Enlighten the business about what IT does and how it is connected to the organization.

    29% of respondents to The Economist Intelligence Unit survey cited inadequate collaboration between IT and the business as one of the top barriers to the organization’s digital objectives.
    — Source: Watson, Morag W., et al.

    Dashboard Customization

    The Info-Tech IT Dashboards use measures for each dashboard that correspond with what the audience (CXO) cares about. You can find these measures in the IT Dashboard Workbook. If your audience is the CXO, you may have to change a little but you should still validate the needs and metrics in the IT Dashboard Workbook.

    Phase 2 covers the process of translating needs into metrics.

    Once you know what your audience needs, you know what to measure

    A diagram that highlights step 4-5 of knowing your audience needs in the high-value dashboard process.

    Step 2.1

    Document Desired Outcomes for Each Prioritized Audience Need

    Activities:
    2.1.1 Compare the Info-Tech IT Dashboards with your audience’s needs.
    2.1.2 Document prioritized audience needs and the desired outcome of each in the IT Dashboard Workbook.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 2.1 to 2.3 to translate audience needs into metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Understanding of how well Info-Tech IT Dashboards address audience needs.
    • Documented desired outcomes for each audience need.

    2.1.1 Revisit Info-Tech’s IT Dashboards and Review for Your Audience

    30 minutes

    1. If you haven’t already downloaded the Info-Tech IT Dashboards, click the link below to download.
    2. Click the link below to download the Info-Tech IT Dashboard Workbook.
    3. Recall your first impressions of the dashboards that you recorded on earlier in Phase 1 and open up the audience and needs information you documented in Tab 2 of the IT Dashboard Workbook.
    4. Compare the dashboards with your audience’s needs that you documented on Tab 2.
    5. Record any updates to your thoughts or impressions on the next slide. Think about any changes to the dashboards that you would make so that you can reference it when you build the dashboards.

    Download Info-Tech IT Dashboard Workbook

    A photo of Info-Tech IT Dashboards
    The Info-Tech IT Dashboards contain a set of monthly metrics tailored toward a CXO audience.

    Download Info-Tech IT Dashboards

    Knowing what your audience needs, do the metrics the visuals reflect address them?

    Any changes to the Info-Tech IT Dashboards?

    Consider:

    • Are your audience’s needs already reflected in the visuals in each of the dashboards? If so, validate this in the next activity by reviewing the prioritized needs, desired outcomes, and associated metrics already documented in the IT Dashboard Workbook.
    • Are there any visuals your audience would need that you don’t see reflected in the dashboards? Write them here to use in the next exercise.

    Desired outcomes make identifying metrics easier

    When it’s not immediately apparent what the link between needs and metrics is, brainstorm desired outcomes.

    A diagram that shows an example of desired outcomes

    2.1.2 Document your audience’s desired outcome per prioritized need

    Now that you’ve examined the Info-Tech IT Dashboards and considered the needs of your audience, it is time to understand the outcomes and goals of each need so that you can translate your audience’s needs into metrics.

    1 hour

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 3. The workbook contains pre-populated text that reflects information about Info-Tech’s IT Dashboards. You may want to keep the pre-populated text as reference as you identify your own audience then remove it after you have completed your updates.

    A diagram that shows desired outcome per prioritized need

    Download Info-Tech IT Dashboard Workbook

    Deriving Meaningful Metrics

    Once you know the desired outcomes, you can identify meaningful metrics

    A diagram of an example of meaningful metrics.

    Common Metrics Mistakes

    Avoid the following oversights when selecting your metrics.

    A diagram that shows 7 metrics mistakes

    Step 2.2

    Derive Metrics From Audience Needs

    Activities:
    2.2.1 Derive metrics using the Info-Tech IT Dashboards and the IT Dashboard Workbook.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 2.1 to 2.3 to translate audience needs into metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented metrics for audience needs.

    2.2.1 Derive metrics from desired outcomes

    Now that you have completed the desired outcomes, you can determine if you are meeting those desired outcomes. If you struggle with the metrics, revisit the desired outcomes. It could be that they are not measurable or are not specific enough.

    2 hours

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 3. The workbook contains pre-populated text that reflects information about Info-Tech’s IT Dashboards. You may want to keep the pre-populated text as reference as you identify your own audience then remove it after you have completed your updates.

    A diagram that shows derive metrics from desired outcomes

    Download Info-Tech IT Dashboard Workbook

    Download IT Metrics Library

    Download HR Metrics Library

    Step 2.3

    Associate Metrics to Dashboards

    Activities:
    2.3.1 Review the metrics and identify which dashboard they should appear on.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 2.1 to 2.3 to translate audience needs into metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Metrics associated to each dashboard.

    2.3.1 Associate metrics to dashboards

    30 minutes

    Once you have identified all your metrics from Step 2.2, identify which dashboard they should appear on. As with all activities, if the Info-Tech IT Dashboard meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information.

    A diagram that shows associate metrics to dashboards

    Phase 3

    Ready Your Data for Dashboards

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Inventorying your data
    • Assessing your data quality
    • Determining data readiness
    • Determining data measurement frequency

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Can you measure your metrics?

    Once appropriate service metrics are derived from business objectives, the next step is to determine how easily you can get your metric.

    A diagram that highlights step 5 of measuring your metrics in the high-value dashboard process.

    Make sure you select data that your audience trusts

    40% of organizations say individuals within the business do not trust data insights.
    — Source: Experian, 2020

    Phase 3 covers the process of identifying data for each metric, creating a data inventory, assessing the readiness of your data, and documenting the frequency of measuring your data. Once complete, you will have a guide to help you add data to your dashboards.

    Step 3.1

    Assess Data Inventory

    Activities:
    3.1.1 Download the IT Dashboard Workbook and complete the data inventory section on Tab 4.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 3.1 to 3.4 to ready your data for dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented data inventory for each metric.

    3.1.1 Data Inventory

    1 hour

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 4. The pre-populated text is arranged into the tables according to the dashboard they appear on; you may need to scroll down to see all the dashboard tables.

    Create a data inventory by placing each metric identified on Tab 3 into the corresponding dashboard table. Complete each column as described below.

    A diagram that shows 9 columns of data inventory.

    Metrics Libraries: Use the IT Metrics Library and HR Metrics Library for ideas for metrics to use and how to measure them.

    Download Info-Tech IT Dashboard Workbook

    Step 3.2

    Assess Data Quality

    Activities:
    3.2.1 Use the IT Dashboard Workbook to complete an assessment of data quality on Tab 4.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 3.1 to 3.4 to ready your data for dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented data quality assessment for each metric.

    3.2.1 Assess Data Quality

    1 hour

    Document the data quality on Tab 4 of the IT Dashboard Workbook by filling in the data availability, data accuracy, and data standardization columns as described below.

    A diagram that shows data availability, data accuracy, and data standardization columns.

    Data quality is a struggle for many organizations. Consider how much uncertainty you can tolerate and what would be required to improve your data quality to an acceptable level. Consider cost, technological resources, people resources, and time required.

    Download Info-Tech IT Dashboard Workbook

    Step 3.3

    Assess Data Readiness

    Activities:
    3.3.1 Use the IT Dashboard Workbook to determine the readiness of your data.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 3.1 to 3.4 to ready your data for dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented data readiness for each metric

    3.3.1 Determine Data Readiness

    1 hour

    Once the data quality has been documented and examined, complete the Data Readiness section of Tab 4 in the Info-Tech IT Dashboard Workbook. Select a readiness classification using the definitions below. Use the readiness of your data to determine the level of effort required to obtain the data and consider the constraints and cost/ROI to implement new technology or revise processes and data gathering to produce the data.

    A diagram that shows data readiness section

    Remember: Although in most cases, simple formulas that can be easily understood are the best approach, both because effort is lower and data that is not manipulated is more trustworthy, do not abandon data because it is not perfect but instead plan to make it easier to obtain.

    Download Info-Tech IT Dashboard Workbook

    Step 3.4

    Assess Data Frequency

    Activities:
    3.4.1 Use the IT Dashboard Workbook to determine the readiness of your data and how frequently you will measure your data.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 3.1 to 3.4 to assess data inventory, quality, and readiness.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented frequency of measurement for each metric.

    3.4.1 Document Planned Frequency of measurement

    10 minutes

    Document the planned frequency of measurement for all your metrics on Tab 4 of the IT Dashboard Workbook.

    For each metric, determine how often you will need to refresh it on the dashboard and select a frequency from the drop down. The Info-tech IT Dashboards assume a monthly refresh.

    Download Info-Tech IT Dashboard Workbook

    Phase 4

    Build and Deliver Your Dashboards

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Designing your dashboards
    • Updating your dashboards
    • Crafting your story
    • Delivering your dashboards

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Using your dashboard to tell your story with visuals

    Now that you have linked metrics to the needs of your audience and you understand how to get your data, it is time to start building your dashboards.

    A diagram that highlights step 6 of creating meaningful visuals in the high-value dashboard process.

    Using visual language

    • Shortens meetings by 24%
    • Increases the ability to reach consensus by 21%
    • Strengthens persuasiveness by 43%

    — Source: American Management Association

    Phase 4 guides you through using the Info-Tech IT Dashboard visuals for your audience’s needs and your story.

    Step 4.1

    Design Your Dashboard

    Activities:
    4.1.1 Plan and validate dashboard metrics, data, level of effort and visuals.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 4.1 to 4.3 to build and deliver your dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Identified and validated metrics, data, and visuals for your IT dashboards.

    Use clear visuals that avoid distracting the audience

    Which visual is better to present?

    Sample A:
    A photo of Sample A visuals

    Sample B:
    A diagram Sample B visuals

    Select the appropriate visuals

    Identify the purpose of the visualization. Determine which of the four categories below aligns with the story and choose the appropriate visual to display the data.

    Relationship

    A photo of Scatterplots
    Scatterplots

    • Used to show relationships between two variables.
    • Can be difficult to interpret for audiences that are not familiar with them.

    Distribution

    A photo of Histogram
    Histogram

    • Use a histogram to show spread of a given numeric variable.
    • Can be used to organize groups of data points.
    • Requires continuous data.
    • Can make comparisons difficult.

    A photo of Scatterplot
    Scatterplot

    • Can show correlation between variables.
    • Show each data plot, making it easier to compare.

    Composition

    A photo of Pie chart
    Pie chart

    • Use pie charts to show different categories.
    • Avoid pie charts with numerous slices.
    • Provide numbers alongside slices, as it can be difficult to compare slices based on size alone.

    A photo of Table
    Table

    • Use tables when there are a large number of categories.
    • Presents information in a simple way.

    Comparison

    A photo of Bar graph
    Bar graph

    • Use to compare categories.
    • Easy to understand, familiar format.

    A photo of Line chart
    Line chart

    • Use to show trends or changes over time.
    • Clear and easy to analyze.

    (Calzon)

    Examples of data visualization

    To compare categories, use a bar chart:
    2 examples of bar chart
    Conclusion: Visualizing the spend in various areas helps prioritize.


    To show trends, use a line graph:
    An example of line graph.
    Conclusion: Overlaying a trend line on revenue per employee helps justify headcount costs.


    To show simple results, text is sometimes more clear:
    A diagram that shows examples of text and graphics.
    Conclusion: Text with meaningful graphics conveys messages quickly.


    To display relative percentages of values, use a pie chart:
    An example of pie chart.
    Conclusion: Displaying proportions in a pie chart gives an at-a-glance understanding of the amount any area uses.

    Choose effective colors and design

    Select colors that will enhance the story

    • Use color strategically to help draw the audience’s attention and highlight key information.
    • Choose two to three colors to use consistently throughout the dashboard, as too many colors will be distracting to the audience.
    • Use colors that connect with the audience (e.g., organization or department colors).
    • Don’t use colors that are too similar in shade or brightness level, as those with colorblindness might have difficulty discerning them.

    Keep the design simple and clear

    • Leave white space to separate sections and keep the dashboard simple.
    • Don’t measure everything; show just enough to address the audience’s needs.
    • Use blank space between data points to provide natural contrast (e.g., leaving space between each bar on a bar graph). Don’t rely on contrast between colors to separate data (Miller).
    • Label each data point directly instead of using a separate key, so anyone who has difficulty discerning color can still interpret the data (Miller).

    Example

    A example that shows colours and design of a chart.

    Checklist to build compelling visuals in your presentation

    Leverage this checklist to ensure you are creating the perfect visuals and graphs for your presentation.

    Checklist:

    • Do the visuals grab the audience’s attention?
    • Will the visuals mislead the audience/confuse them?
    • Do the visuals facilitate data comparison or highlight trends and differences in a more effective manner than words?
    • Do the visuals present information simply, cleanly, and accurately?
    • Do the visuals illustrate messages and themes from the accompanying text?

    4.1.1 Plan and validate your dashboard visuals

    1 hour

    Click the links below to download the Info-Tech IT Dashboards and the IT Dashboard Workbook. Open the IT Dashboard Workbook and select Tab 5. For each dashboard, represented by its own table, open the corresponding Info-Tech IT Dashboard as reference.

    A diagram of dashboard and its considerations when selecting visuals.

    Download Info-Tech IT Dashboards

    Download Info-Tech IT Dashboard Workbook

    Step 4.2

    Update Your Dashboards

    Activities:
    4.2.1 Update the visuals on the Info-Tech IT Dashboards with data and visuals identified in the IT Dashboard Workbook.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 4.1 to 4.3 to build and deliver your dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Dashboards updated with your visuals, metrics, and data identified in the IT Dashboard Workbook.

    4.2.1 Update visuals with your own data

    2 hours

    1. Get the data that you identified in Tab 4 and Tab 5 of the IT Dashboard Workbook.
    2. Click the link below to go to the Info-Tech IT Dashboards and follow the instructions to update the visuals.

    Do not worry about the Key Insights or Calls to Action; you will create this in the next step when you plan your story.

    Download Info-Tech IT Dashboards

    Step 4.3

    Craft Your Story and Deliver Your Dashboards

    Activities:
    4.3.1 Craft Your Story
    4.3.2 Finalize Your Dashboards
    4.3.3 Practice Delivering Your Story With Your Dashboards

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 4.1 to 4.3 to build and deliver your dashboards.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Documented situations, key insights, and calls to action for each dashboard/visual.
    • A story to tell for each dashboard.
    • Understanding of how to practice delivering the dashboards using stories.

    Stories are more easily understood and more likely to drive decisions

    IT dashboards are valuable tools to provide insights that drive decision making.

    • Monitor: Track and report on strategic areas IT supports.
    • Provide insights: sPresent important data and information to audiences in a clear and efficient way.

    “Data storytelling is a universal language that everyone can understand – from people in STEM to arts and psychology.” — Peter Jackson, Chief Data and Analytics Officer at Exasol

    Storytelling provides context, helping the audience understand and connect with data and metrics.

    • 93% of respondents (business leaders and data professionals) agreed that decisions made as a result of successful data storytelling have the potential to help increase revenue.
    • 92% of respondents agreed that data storytelling was critical to communicate insights effectively.
    • 87% percent of respondents agreed that leadership teams would make more data-driven decisions if insights gathered from data were presented more simply.

    — Exasol

    For more visual guidance, download the IT Dashboard Guide

    Include all the following pieces in your message for an effective communication

    A diagram of an effective message, including consistent, clearn, relevant, and concise.

    Info-Tech Insight

    Time is a non-renewable resource. The message crafted must be considered a value-adding communication to your audience.

    Enable good communication with these components

    Be Consistent

    • The core message must be consistent regardless of audience, channel, or medium.
    • Test your communication with your team or colleagues to obtain feedback before delivering to a broader audience.
    • A lack of consistency can be interpreted as an attempt at deception. This can hurt credibility and trust.

    Be Clear

    • Say what you mean and mean what you say.
    • Choice of language is important: “Do you think this is a good idea? I think we could really benefit from your insights and experience here.” Or do you mean: “I think we should do this. I need you to do this to make it happen.”
    • Avoid jargon.

    Be Relevant

    • Talk about what matters to the audience.
    • Tailor the details of the message to the audience’s specific concerns.
    • IT thinks in processes but wider audiences focus mostly on results; talk in terms of results.
    • IT wants to be understood, but this does not matter to stakeholders. Think: “What’s in it for them?”
    • Communicate truthfully; do not make false promises or hide bad news.

    Be Concise

    • Keep communication short and to the point so key messages are not lost in the noise.
    • There is a risk of diluting your key message if you include too many other details.
    • If you provide more information than necessary, the clarity and consistency of the message can be lost.

    Draft the core messages to communicate

    1. Hook your audience: Use a compelling introduction that ensures your target audience cares about the message. Start with a story or metaphor and then support with the data on your dashboard. Avoid rushing in with data first.
    2. Demonstrate you can help: Let the audience know that based on the unique problem, you can help. There is value in engaging and working with you further.
    3. Write for the ear: Use concise and clear sentences, avoid technological language, and when you read it aloud ensure it sounds like how you would normally speak.
    4. Interpret visuals for your audience: Do not assume they will reach the same conclusions as you. For example, walk them through what a chart shows even if the axes are labeled, tell them what a trend line indicates or what the comparison between two data points means.
    5. Identify a couple of key insights: Think about one or two key takeaways you want your audience to leave with.
    6. Finish with a call to action: Your concluding statement should not be a thank-you but a call to action that ignites how your audience will behave after the communication. Dashboards exist to drive decisions, so if you have no call to action, you should ask if you need to include the visual.

    4.3.1 Craft Your Story

    1 hour

    Click the link below to download the IT Dashboard Workbook and open the file. Select Tab 6. The workbook contains grey text that reflects a sample story about the Info-Tech IT Dashboards. You may want to keep the sample text as reference, then remove after you have entered your information.

    A diagram of dashboard to craft your story.

    Download Info-Tech IT Dashboard Workbook

    4.3.2 Finalize Your Dashboards

    30 minutes

    1. Take the Key Insights and Calls to Action that you documented in Tab 6 of the IT Dashboard Workbook and place them in their corresponding dashboard.
    2. Add any text to your dashboard as necessary but only if the visual requires more information. You can add explanations more effectively during the presentation.

    A diagram that shows strategic initiatives: deliver value to customers.

    Tip: Aim to be brief and concise with any text. Dashboards simplify information and too much text can clutter the visuals and obscure the message.

    Download Info-Tech IT Dashboard Workbook

    4.3.3 Practice Delivering Your Story With Your Dashboards

    1 hour

    Ideally you can present your dashboard to your audience so that you are available to clarify questions and add a layer of interpretation that would crowd out boards if added as text.

    1. To prepare to tell your story, consult the Situation, Key Insights, and Call to Action sections that you documented for each dashboard in Tab 6 of the Info-Tech IT Dashboard Workbook.
    2. Practice your messages as you walk through your dashboards. The next two slides provide delivery guidance.
    3. Once you deliver your dashboards, update Tab 6 with audience feedback. Often dashboards are iterative and when your audience sees them, they are usually inspired to think about what else they would like to see. This is good and shows your audience is engaged!

    Don’t overwhelm your audience with information and data. You spent time to craft your dashboards so that they are clear and concise, so spend time practicing delivering a message that matches your clear, concise dashboards

    Download Info-Tech IT Dashboard Workbook

    Hone presentation skills before meeting with key stakeholders

    Using voice and body

    Think about the message you are trying to convey and how your body can support that delivery. Hands, stance, and frame all have an impact on what might be conveyed.

    If you want your audience to lean in and be eager about your next point, consider using a pause or softer voice and volume.

    Be professional and confident

    State the main points of your dashboard confidently. While this should be obvious, it needs to be stated explicitly. Your audience should be able to clearly see that you believe the points you are stating.

    Present in a way that is genuine to you and your voice. Whether you have an energetic personality or a calm and composed personality, the presentation should be authentic to you.

    Connect with your audience

    Look each member of the audience in the eye at least once during your presentation or if you are presenting remotely, look into the camera. Avoid looking at the ceiling, the back wall, or the floor. Your audience should feel engaged – this is essential to keeping their attention.

    Avoid reading the text from your dashboard, and instead paraphrase it while maintaining eye/camera contact.

    Info-Tech Insight

    You are responsible for the response of your audience. If they aren’t engaged, it is on you as the communicator.

    Communication Delivery Checklist

    • Have you practiced delivering the communication to team members or coaches?
    • Have you practiced delivering the communication to someone with little to no technology background?
    • Are you making yourself open to feedback and improvement opportunities?
    • If the communication is derailed from your plan, are you prepared to handle that change?
    • Can you deliver the communication without reading your notes word for word?
    • Have you adapted your voice throughout the communication to highlight specific components you want the audience to focus on?
    • Are you presenting in a way that is genuine to you and your personality?
    • Can you communicate the message within the time allotted?
    • Are you moving in an appropriate manner based on your communication (e.g., toward the screen, across the stage, hand gestures)
    • Do you have room for feedback on the dashboards? Solicit feedback with your audience after the meeting and record it in Tab 6 of the IT Dashboard Workbook.

    Phase 5

    Plan, record, and action your metrics

    A diagram that shows phase 1 to 5.

    This phase will walk you through the following:

    • Planning to track your metrics
    • Recording your metrics
    • Actioning your metrics

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Actioning your metrics to drive results

    To deliver real value from your dashboards, you need to do something with the results.

    Don’t fail on execution! The whole reason you labor to create inviting visuals and meaningful metrics is to action those metrics. The metrics results inform your entire story! It’s important to plan and do, but everything is lost if you fail to check and act.

    70%: of survey respondents say that managers do not get insights from performance metrics to improve strategic decision making.
    60%: of survey respondents say that operational teams do not get insights to improve operation decision making.

    (Bernard Marr)

    “Metrics aren’t a passive measure of progress but an active part of an organization’s everyday management….Applying the “plan–do–check–act” feedback loop…helps teams learn from their mistakes and identify good ideas that can be applied elsewhere”

    (McKinsey)

    Step 5.1

    Plan How to Record Metrics

    Activities:
    5.1.1 For each dashboard, add a baseline and target to existing metrics and KPIs.

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 5.1 to 5.2 to plan, record, and action your metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Baselines and targets identified and recorded for each metric.

    5.1.1 Identify Baselines and Targets

    1 hour

    To action your metrics, you must first establish what your baselines and targets are so that you can determine if you are on track.

    To establish baselines:
    If you do not have a baseline. Run your metric to establish one.

    To establish targets:

    • Use historical data and trends of performance.
    • If you do not have historical data, establish an initial target based on stakeholder-identified requirements and expectations.
    • You can also run the metrics report over a defined period of time and use the baseline level of achievement to establish an initial target.
    • The target may not always be a number – it could be a trend. The initial target may be changed after review with stakeholders.

    Actions for Success:
    How will you ensure you can get this metric? For example, if you would like to measure delivered value, to make sure the metric is measurable, you will need to ensure that measures of success are documented for an imitative and then measured once complete.

    • If you need help with Action plans, the IT Metrics Library includes action plans for all of its metrics that may help

    A diagram of identify metrics and to identify baselines and targets.

    Download Info-Tech IT Dashboard Workbook

    Step 5.2

    Record and Action Metrics

    Activities:
    5.2.1 Record and Action Results

    • Note, the Info-Tech IT Dashboards are organized by CIO priorities – Risk, Financials, Talent, and Strategic Initiatives – and address the needs of the CXO audience. The IT Dashboard Workbook is pre-populated with this information.
    • If this meets your audience’s needs, you do not have to edit this content and can instead use the pre-populated information. You may wish to review the information to ensure it is still valid for your audience.

    A diagram that shows step 5.1 to 5.2 to plan, record, and action your metrics.

    This phase involves the following participants:

    • Senior IT leadership
    • Dashboard SMEs

    Outcomes of this step:

    • Understanding of what and where to record metrics once run.

    5.2.1 Record and Action Results

    1 hour

    After analyzing your results, use this information to update your dashboards. Revisit Tab 6 of the IT Dashboard Workbook to update your story. Remember to record any audience feedback about the dashboards in the Audience Feedback section.

    Action your measures as well as your metrics

    What should be measured can change over time as your organization matures and the business environment changes. Understanding what creates business value for your organization is critical. If metrics need to be changed, record metrics actions under Identified Actions on Tab 7. A metric will need to be addressed in one of the following ways:

    • Added: A new metric is required or an existing metric needs large-scale changes (example: calculation method or scope).
    • Changed: A minor change is required to the presentation format or data. Note: a major change in a metric would be performed through the Add option.
    • Removed: The metric is no longer required, and it needs to be removed from reporting and data gathering. A final report date for that metric should be determined.
    • Maintained: The metric is still useful and no changes are required to the metric, its measurement, or how it’s reported.

    A diagram of record results and identify how to address results.

    Don’t be discouraged if you need to update your metrics a few times before you get it right. It can take some trial and error to find the measures that best indicate the health of what you are measuring.

    Download Info-Tech IT Dashboard Workbook

    Tips for actioning results

    Sometimes actioning your metrics results requires more analysis

    If a metric deviates from your target, you may need to analyze how to correct the issue then run the metric again to see if the results have improved.

    Identify Root Cause
    Root Cause Analysis can include problem exploration techniques like The 5 Whys, fishbone diagrams, or affinity mapping.

    Select a Solution
    Once you have identified a possible root cause, use the same technique to brainstorm and select a solution then re-run your metrics.

    Consider Tension Metrics
    Consider tension metrics when selecting a solution. Will improving one area affect another? A car can go faster but it will consume more fuel – a project can be delivered faster but it may affect the quality.

    Summary of Accomplishment

    Problem Solved

    1. Using this blueprint and the IT Dashboard Workbook, you validated and customized the dashboards for your audience and organization, which reduced or eliminated time spent searching for and organizing your own visuals.
    2. You documented your dashboards’ story so you are ready to present them to your audience.
    3. You assessed the data for your dashboards and you built a metrics action-tracking plan to maintain your dashboards’ metrics.

    If you would like additional support, have our analysts guide you through an Info-Tech workshop or Guided Implementation.

    Contact your account representative for more information.
    workshops@infotech.com
    1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech Workshop.

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    Contact your account representative for more information.

    workshops@infotech.com
    1-888-670-8889

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    A photo of Info-Tech IT Dashboards
    Review the Info-Tech IT Dashboards
    Determine how you can use the Info-Tech IT Dashboards in your organization and the anticipated level of customization.

    A photo of the IT Dashboard Workbook
    Plan your dashboards
    Complete the IT Dashboard Workbook to help plan your dashboards using Info-Tech’s IT Dashboards.

    Research Contributors and Experts

    Photo of John Corrado
    John Corrado
    Head of IT
    X4 Pharmaceuticals

    As head of IT, John is charged with the creation of strategic IT initiatives that align with X4s vision, mission, culture, and long-term goals and is responsible for the organization’s systems, security, and infrastructure. He works closely developing partnerships with X4tizens across the organization to deliver value through innovative programs and services.

    Photo of Grant Frost
    Grant Frost
    Chief Information & Security Officer
    Niagara Catholic School Board

    Grant Frost is an experienced executive, information technologist and security strategist with extensive experience in both the public and private sector. Grant is known for, and has extensive experience in, IT transformation and the ability to increase capability while decreasing cost in IT services.

    Photo of Nick Scozzaro
    Nick Scozzaro
    CEO and Co-Founder of MobiStream and ShadowHQ
    ShadowHQ

    Nick got his start in software development and mobility working at BlackBerry where he developed a deep understanding of the technology landscape and of what is involved in both modernizing legacy systems and integrating new ones. Working with experts across multiple industries, he innovated, learned, strategized, and ultimately helped push the boundaries of what was possible.

    Photo of Joseph Sanders
    Joseph Sanders
    Managing Director of Technology/Cyber Security Services
    Kentucky Housing Corporation

    In his current role Joe oversees all IT Operations/Applications Services that are used to provide services and support to the citizens of Kentucky. Joe has 30+ years of leadership experience and has held several executive roles in the public and private sector. He has been a keynote speaker for various companies including HP, IBM, and Oracle.

    Photo of Jochen Sievert
    Jochen Sievert
    Director Performance Excellence & IT
    Zeon Chemicals

    Jochen moved to the USA from Duesseldorf, Germany in 2010 to join Zeon Chemicals as their IT Manager. Prior to Zeon, Jochen has held various technical positions at Novell, Microsoft, IBM, and Metro Management Systems.

    Info-Tech Contributors

    Ibrahim Abdel-Kader, Research Analyst
    Donna Bales, Principal Research Director
    Shashi Bellamkonda, Principal Research Director
    John Burwash, Executive Counselor
    Tony Denford, Research Lead
    Jody Gunderman, Senior Executive Advisor
    Tom Hawley, Managing Partner
    Mike Higginbotham, Executive Counselor
    Valence Howden, Principal Research Director
    Dave Kish, Practice Lead
    Carlene McCubbin, Practice Lead
    Jennifer Perrier, Principal Research Director
    Gary Rietz, Executive Counselor
    Steve Schmidt, Senior Managing Partner
    Aaron Shum, Vice President, Security & Privacy
    Ian Tyler-Clarke, Executive Counselor

    Plus, an additional four contributors who wish to remain anonymous.

    Related Info-Tech Research

    Photo of Build an IT Risk Taxonomy

    Build an IT Risk Taxonomy

    Use this blueprint as a baseline to build a customized IT risk taxonomy suitable for your organization.

    Photo of Create a Holistic IT Dashboard

    Create a Holistic IT Dashboard

    This blueprint will help you identify the KPIs that matter to your organization.

    Photo of Develop Meaningful Service Metrics

    Develop Meaningful Service Metrics

    This blueprint will help you Identify the appropriate service metrics based on stakeholder needs.

    Photo of IT Spend & Staffing Benchmarking

    IT Spend & Staffing Benchmarking

    Use this benchmarking service to capture, analyze, and communicate your IT spending and staffing.

    Photo of Key Metrics for Every CIO

    Key Metrics for Every CIO

    This short research piece highlights the top metrics for every CIO, how those align to your CIO priorities, and action steps against those metrics.

    Photo of Present Security to Executive Stakeholders

    Present Security to Executive Stakeholders

    This blueprint helps you identify communication drivers and goals and collect data to support your presentation. It provides checklists for building and delivering a captivating security presentation.

    Bibliography

    “10 Signs You Are Sitting on a Pile of Data Debt.” Experian, n.d. Web.

    “From the What to the Why: How Data Storytelling Is Key to Success.” Exasol, 2021. Web.

    Bonsignore, Marian. “Using Visual Language to Create the Case for Change.” Amarican Management Association. Accessed 19 Apr. 2023.

    Calzon, Bernardita. “Top 25 Dashboard Design Principles, Best Practices & How To’s.” Datapine, 5 Apr. 2023.

    “Data Literacy.” Tableau, n.d. Accessed 3 May 2023.

    “KPIs Don’t Improve Decision-Making In Most Organizations.” LinkedIn, n.d. Accessed 2 May 2023.

    Miller, Amanda. “A Comprehensive Guide to Accessible Data Visualization.” Betterment, 2020. Accessed May 2022.

    “Performance Management: Why Keeping Score Is so Important, and so Hard.” McKinsey. Accessed 2 May 2023.

    Vogel, Douglas, et al. Persuasion and the Role of Visual Presentation Support: The UM/3M Study. Management Information Systems Research Center School of Management University of Minnesota, 1986.

    Watson, Morag W., et al. ”IT’s Changing Mandate in an Age of Disruption.” The Economist Intelligence Unit Limited, 2021.

    2020 Security Priorities Report

    • Buy Link or Shortcode: {j2store}245|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Security Strategy & Budgeting
    • Parent Category Link: /security-strategy-and-budgeting

    Use this deck to learn what projects security practitioners are prioritizing for 2020. Based on a survey of 460 IT security professionals, this report explains what you need to know about the top five priorities, including:

    • Signals and drivers
    • Benefits
    • Critical uncertainties
    • Case study
    • Implications

    While the priorities should in no way be read as prescriptive, this research study provides a high-level guide to understand that priorities drive the initiatives, projects, and responsibilities that make up organizations' security strategies.

    Our Advice

    Critical Insight

    There is always more to do, and if IT leaders are to grow with the business, provide meaningful value, and ascend the ladder to achieve true business partner and innovator status, aggressive prioritization is necessary. Clearly, security has become a priority across organizations, as security budgets have continued to increase over the course of 2019. 2020’s priorities highlight that data security has become the thread that runs through all other security priorities, as data is now the currency of the modern digital economy. As a result, data security has reshaped organizations’ priorities to ensure that data is always protected.

    Impact and Result

    Ultimately, understanding how changes in technology and patterns of work stand to impact the day-to-day lives of IT staff across seniority and industries will allow you to evaluate what your priorities should be for 2020. Ensure that you’re spending your time right. Use data to validate. Prioritize and implement.

    2020 Security Priorities Report Research & Tools

    Start here – read the Executive Brief

    This storyboard will help you understand what projects security practitioners are prioritizing for 2020.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Data security

    Data security often rubs against other organizational priorities like data quality, but organizations need to understand that the way they store, handle, and dispose of data is now under regulatory oversight.

    • 2020 Security Priorities Report – Priority 1: Data Security

    2. Cloud security

    Cloud security means that organizations can take advantage of automation tools not only for patching and patch management but also to secure code throughout the SDLC. It is clear that cloud will transform how security is performed.

    • 2020 Security Priorities Report – Priority 2: Cloud Security

    3. Email security

    Email security is critical, since email continues to be one of the top points of ingress for cyberattacks from ransomware to business email compromise.

    • 2020 Security Priorities Report – Priority 3: Email Security

    4. Security risk management

    Security risk management requires organizations to make decisions based on their individual risk tolerance on such things as machine learning and IoT devices.

    • 2020 Security Priorities Report – Priority 4: Security Risk Management

    5. Security awareness and training

    Human error continues to be a security issue. In 2020, organizations should tailor their security awareness and training to their people so that they are more secure not only at work but also in life.

    • 2020 Security Priorities Report – Priority 5: Security Awareness and Training
    [infographic]

    Make IT a Successful Partner in M&A Integration

    • Buy Link or Shortcode: {j2store}79|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • Many organizations forget the essential role IT plays during M&A integration. IT is often unaware of a merger or acquisition until the deal is announced, making it very difficult to adequately interpret business goals and appropriately assess the target organization.
    • IT-related integration activities are amongst the largest cost items in an M&A, yet these costs are often overlooked or underestimated during due diligence.
    • IT is expected to use the M&A team’s IT due diligence report and estimated IT integration budget, which may not have been generated appropriately.
    • IT involvement in integration is critical to providing a better view of risks, improving the ease of integration, and optimizing synergies.

    Our Advice

    Critical Insight

    • Anticipate that you are going to be under pressure. Fulfill short-term, tactical operational imperatives while simultaneously conducting discovery and designing the technology end-state.
    • To migrate risks and guide discovery, select a high-level IT integration posture that aligns with business objectives.

    Impact and Result

    • Once a deal has been announced, use this blueprint to set out immediately to understand business M&A goals and expected synergies.
    • Assemble an IT Integration Program to conduct discovery and begin designing the technology end-state, while simultaneously identifying and delivering operational imperatives and quick-wins as soon as possible.
    • Following discovery, use this blueprint to build initiatives and put together an IT integration budget. The IT Integration Program has an obligation to explain the IT cost implications of the M&A to the business.
    • Once you have a clear understanding of the cost of your IT integration, use this blueprint to build a long-term action plan to achieve the planned technology end-state that best supports the business capabilities of the organization.

    Make IT a Successful Partner in M&A Integration Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should follow Info-Tech’s M&A IT integration methodology and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    Define the business’s M&A goals, assemble an IT Integration Program, and select an IT integration posture that aligns with business M&A strategy.

    • Make IT a Successful Partner in M&A Integration – Phase 1: Launch the Project
    • IT Integration Charter

    2. Conduct discovery and design the technology end-state

    Refine the current state of each IT domain in both organizations, and then design the end-state of each domain.

    • Make IT a Successful Partner in M&A Integration – Phase 2: Conduct Discovery and Design the Technology End-State
    • IT Integration Roadmap Tool

    3. Initiate operational imperatives and quick-wins

    Generate tactical operational imperatives and quick-wins, and then develop an interim action plan to maintain business function and capture synergies.

    • Make IT a Successful Partner in M&A Integration – Phase 3: Initiate Operational Imperatives and Quick-Wins

    4. Develop an integration roadmap

    Generate initiatives and put together a long-term action plan to achieve the planned technology end-state.

    • Make IT a Successful Partner in M&A Integration – Phase 4: Develop an Integration Roadmap
    [infographic]

    Workshop: Make IT a Successful Partner in M&A Integration

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the Project

    The Purpose

    Identification of staffing and skill set needed to manage the IT integration.

    Generation of an integration communication plan to highlight communication schedule during major integration events.

    Identification of business goals and objectives to select an IT Integration Posture that aligns with business strategy.

    Key Benefits Achieved

    Defined IT integration roles & responsibilities.

    Structured communication plan for key IT integration milestones.

    Creation of the IT Integration Program.

    Generation of an IT Integration Posture.

    Activities

    1.1 Define IT Integration Program responsibilities.

    1.2 Build an integration communication plan.

    1.3 Host interviews with senior management.

    1.4 Select a technology end-state and IT integration posture.

    Outputs

    Define IT Integration Program responsibilities and goals

    Structured communication plan

    Customized interview guide for each major stakeholder

    Selected technology end-state and IT integration posture

    2 Conduct Discovery and Design the Technology End-State

    The Purpose

    Identification of information sources to begin conducting discovery.

    Definition of scope of information that must be collected about target organization.

    Definition of scope of information that must be collected about your own organization.

    Refinement of the technology end-state for each IT domain of the new entity. 

    Key Benefits Achieved

    A collection of necessary information to design the technology end-state of each IT domain.

    Adequate information to make accurate cost estimates.

    A designed end-state for each IT domain.

    A collection of necessary, available information to make accurate cost estimates. 

    Activities

    2.1 Define discovery scope.

    2.2 Review the data room and conduct onsite discovery.

    2.3 Design the technology end-state for each IT domain.

    2.4 Select the integration strategy for each IT domain.

    Outputs

    Tone set for discovery

    Key information collected for each IT domain

    Refined end-state for each IT domain

    Refined integration strategy for each IT domain

    3 Initiate Tactical Initiatives and Develop an Integration Roadmap

    The Purpose

    Generation of tactical initiatives that are operationally imperative and will help build business credibility.

    Prioritization and execution of tactical initiatives.

    Confirmation of integration strategy for each IT domain and generation of initiatives to achieve technology end-states.

    Prioritization and execution of integration roadmap.

    Key Benefits Achieved

    Tactical initiatives generated and executed.

    Confirmed integration posture for each IT domain.

    Initiatives generated and executed upon to achieve the technology end-state of each IT domain. 

    Activities

    3.1 Build quick-win and operational imperatives.

    3.2 Build a tactical action plan and execute.

    3.3 Build initiatives to close gaps and redundancies.

    3.4 Finalize your roadmap and kick-start integration.

    Outputs

    Tactical roadmap to fulfill short-term M&A objectives and synergies

    Confirmed IT integration strategies

    Finalized integration roadmap

    Modernize the Network

    • Buy Link or Shortcode: {j2store}501|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $16,499 Average $ Saved
    • member rating average days saved: 8 Average Days Saved
    • Parent Category Name: Network Management
    • Parent Category Link: /network-management
    • Business units, functions, and processes are inextricably intertwined with less and less tolerance for downtime.
    • Business demands change rapidly but the refresh horizon for infrastructure remains 5-7 years.
    • The number of endpoint devices the network is expected to support is growing geometrically but historic capacity planning grew linearly.
    • The business is unable to clearly define requirements, paralyzing planning.

    Our Advice

    Critical Insight

    • Build for your needs. Don’t fall into the trap of assuming what works for your neighbor, your peer, or your competitor will work for you.
    • Deliver on what your business knows it needs as well as what it doesn’t yet know it needs. Business leaders have business vision, but this vision won’t directly demand the required network capabilities to enable the business. This is where you come in.
    • Modern technologies are hampered by vintage processes. New technologies demand new ways of accomplishing old tasks.

    Impact and Result

    • Use a systematic approach to document all stakeholder needs and rely on the network technical staff to translate those needs into design constraints, use cases, features, and management practices.
    • Spend only on those emerging technologies that deliver features offering direct benefits to specific business goals and IT needs.
    • Solidify the business case for your network modernization project by demonstrating and quantifying the hard dollar value it provides to the business.

    Modernize the Network Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should modernize the enterprise network, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Assess the network

    Identify and prioritize stakeholder and IT/networking concerns.

    • Modernize the Network – Phase 1: Assess the Network
    • Network Modernization Workbook

    2. Envision the network of the future

    Learn about emerging technologies and identify essential features of a modernized network solution.

    • Modernize the Network – Phase 2: Envision Your Future Network
    • Network Modernization Technology Assessment Tool

    3. Communicate and execute the plan

    Compose a presentation for stakeholders and prepare the RFP for vendors.

    • Modernize the Network – Phase 3: Communicate and Execute the Plan
    • Network Modernization Roadmap
    • Network Modernization Executive Presentation Template
    • Network Modernization RFP Template
    [infographic]

    Workshop: Modernize the Network

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Assess the Network

    The Purpose

    Understand current stakeholder and IT needs pertaining to the network.

    Key Benefits Achieved

    Prioritized lists of stakeholder and IT needs.

    Activities

    1.1 Assess and prioritize stakeholder concerns.

    1.2 Assess and prioritize design considerations.

    1.3 Assess and prioritize use cases.

    1.4 Assess and prioritize network infrastructure concerns.

    1.5 Assess and prioritize care and control concerns.

    Outputs

    Current State Register

    2 Analyze Emerging Technologies and Identify Features

    The Purpose

    Analyze emerging technologies to determine whether or not to include them in the network modernization.

    Identify and shortlist networking features that will be part of the network modernization.

    Key Benefits Achieved

    An understanding of what emerging technologies are suitable for including in your network modernization.

    A prioritized list of features, aligned with business needs, that your modernized network must or should have.

    Activities

    2.1 Analyze emerging technologies.

    2.2 Identify features to support drivers, practices, and pain points.

    Outputs

    Emerging technology assessment

    Prioritize lists of modernized network features

    3 Plan for Future Capacity

    The Purpose

    Estimate future port, bandwidth, and latency requirements for all sites on the network.

    Key Benefits Achieved

    Planning for capacity ensures the network is capable of delivering until the next refresh cycle and beyond.

    Activities

    3.1 Estimate port, bandwidth, and latency requirements.

    3.2 Group sites according to capacity requirements.

    3.3 Create standardized capacity plans for each group.

    Outputs

    A summary of capacity requirements for each site in the network

    4 Communicate and Execute the Plan

    The Purpose

    Create a presentation to pitch the project to executives.

    Compose key elements of RFP.

    Key Benefits Achieved

    Communication to executives, summarizing the elements of the modernization project that business decision makers will want to know, in order to gain approval.

    Communication to vendors detailing the network solution requirements so that proposed solutions are aligned to business and IT needs.

    Activities

    4.1 Build the executive presentation.

    4.2 Compose the scope of work.

    4.3 Compose technical requirements.

    Outputs

    Executive Presentation

    Request for Proposal/Quotation

    Select a Marketing Management Suite

    • Buy Link or Shortcode: {j2store}533|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $6,560 Average $ Saved
    • member rating average days saved: 50 Average Days Saved
    • Parent Category Name: Customer Relationship Management
    • Parent Category Link: /customer-relationship-management
    • Time, money, and effort are wasted on channels and campaigns that are not resonating with your customer base.
    • Email marketing, social marketing, and/or lead management alone are often not enough to meet more sophisticated marketing needs.
    • Many organizations struggle with taking a systematic approach to selection that pairs functional requirements with specific marketing workflows, and as a result they choose a marketing management suite (MMS) that is not well aligned to their needs, wasting resources and causing end-user frustration.
    • For IT managers or marketing professionals, the task to incorporate MMS technology into the organization requires not only receiving the buy-in for the MMS investment but also determining the vendor and solution that best fit the organization’s particular marketing management needs.

    Our Advice

    Critical Insight

    • An MMS enables complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.
    • Selecting an MMS has become increasingly difficult because the number of players in the marketplace has ballooned. Moreover, picking the wrong marketing solution has a direct impact on revenue.
    • Determine whether the investment in an MMS is worthwhile or the funds are better allocated elsewhere. For organizations with a large audience or varied product offerings, an MMS enables complex campaigns across many channels, product lines, customer segments, and marketing groups throughout the enterprise.

    Impact and Result

    • Maximize your success and credibility with a proposal that emphasizes the areas relevant to your situation.
    • Perform more effective customer targeting and campaign management. Having an MMS equips marketers with the tools they need to make informed decisions around campaign execution, resulting in better targeting, acquisition, and customer retention. This means more revenue.
    • Maximize marketing impact with analytics-based decision making. Understanding users’/customers’ behaviors and preferences will allow you to run effective marketing initiatives.

    Select a Marketing Management Suite Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to approach selecting an MMS, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the MMS project and collect requirements

    Assess the organization’s fit for MMS technology and structure the MMS selection project.

    • Select a Marketing Management Suite – Phase 1: Launch the MMS Project and Collect Requirements
    • MMS Readiness Assessment Checklist

    2. Shortlist marketing management suites

    Produce a vendor shortlist for your MMS.

    • Select a Marketing Management Suite – Phase 2: Shortlist Marketing Management Suites

    3. Select vendor and communicate decision to stakeholders

    Evaluate RFPs, conduct vendor demonstrations, and select an MMS.

    • Select a Marketing Management Suite – Phase 3: Select Vendor and Communicate Decision to Stakeholders
    • MMS Requirements Picklist Tool
    • MMS Request for Proposal Template
    • MMS Vendor Demo Script
    • MMS Selection Executive Presentation Template
    [infographic]

    Workshop: Select a Marketing Management Suite

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Launch the MMS Project and Collect Requirements

    The Purpose

    Determine a “right-size” approach to marketing enablement applications.

    Key Benefits Achieved

    Confirmation of the goals, objectives, and direction of the organization is marketing application strategy.

    Activities

    1.1 Assess the value and identify the organization’s fit for MMS technology.

    1.2 Understand the art of the possible.

    1.3 Understand CXM strategy and identify your fit for MMS technology.

    1.4 Build procurement team and project customer experience management (CXM) strategy.

    1.5 Identify your MMS requirements.

    Outputs

    Project team list.

    Preliminary requirements list.

    2 Shortlist Marketing Management Suites

    The Purpose

    Enumerate relevant marketing management suites and point solutions.

    Key Benefits Achieved

    List of marketing enablement applications based on requirements articulated in the preliminary requirements list strategy.

    Activities

    2.1 Identify relevant use cases.

    2.2 Discuss the vendor landscape.

    Outputs

    Vendor shortlist.

    3 Select Vendor and Communicate Decision to Stakeholders

    The Purpose

    Develop a rationale for selecting a specific MMS vendor.

    Key Benefits Achieved

    MMS Vendor decision.

    A template to communicate the decision to executives.

    Activities

    3.1 Create a procurement strategy.

    3.2 Discuss the executive presentation.

    3.3 Plan the procurement process.

    Outputs

    Executive/stakeholder PowerPoint presentation.

    Selection of an MMS.

    Further reading

    Select a Marketing Management Suite

    A best-fit solution balances needs, cost, and capability.

    Table of contents

    1. Project Rationale
    2. Execute the Project/DIY Guide
    3. Appendices

    ANALYST PERSPECTIVE

    Navigate the complexity of a vast ecosystem by taking a structured approach to marketing management suite (MMS) selection.

    Marketing applications are in high demand, but it is difficult to select a suite that is right for your organization. Market offerings have grown from 50 vendors to over 800 in the past five years. Much of the process of identifying an appropriate vendor is not about the vendor at all, but rather about having a comprehensive understanding of internal needs. There are instances where a smaller-point solution is necessary to satisfy requirements and a full marketing management suite is an overinvestment.

    Likewise, a partner with differentiating features such as AI-driven workflows and a mobile software development kit can act as a powerful extension of an overall customer experience management strategy. It is crucial to make the right decision; missing the mark on an MMS selection will have a direct impact on the business’ bottom line.

    Ben Dickie
    Research Director, Enterprise Applications
    Info-Tech Research Group

    Phase milestones

    Launch the MMS Project and Collect Requirements — Phase 1

    • Understand the MMS market space.
    • Assess organizational and project readiness for MMS selection.
    • Structure your MMS selection and implementation project by refining your MMS roadmap.
    • Align organizational use-case fit with market use cases.
    • Collect, prioritize, and document MMS requirements.

    Shortlist MMS Tool — Phase 2

    • Review MMS market leaders and players within your aligned use case.
    • Review MMS vendor profiles and capabilities.
    • Shortlist MMS vendors based on organizational fit.

    Select an MMS — Phase 3

    • Submit request for proposal (RFP) to shortlisted vendors.
    • Evaluate vendor responses and develop vendor demonstration scripts.
    • Score vendor demonstrations and select the final product.

    Stop! Are you ready for this project?

    This Research Is Designed For:
    • IT applications directors and business analysts supporting their marketing teams in selecting and implementing a robust marketing solution.
    • Any organization looking to procure an MMS tool that will allow it to automate its marketing processes or learn more about the MMS vendor landscape.
    This Research Will Help You:
    • Understand today’s MMS market, specific to marketing automation, marketing intelligence, and social marketing use-case scenarios.
    • Understand MMS functionality as well as marketing terminology.
    • Follow best practices to prepare for and execute on selection, including requirements gathering and vendor evaluation.
    This Research Will Also Assist:
    • Marketing managers, brand managers, and any marketing professional looking to build a cohesive marketing platform.
    • MMS project teams or working groups tasked with managing an RFP process for vendor selection.
    This Research Will Help Them
    • Assess organizational and project readiness for embarking on MMS selection.
    • Draft an RFP, manage the vendor and product review process, and select a vendor.

    Executive summary

    Situation

    The MMS market is a landscape of vendors offering campaign management, multichannel support, analytics, and publishing tools. Many vendors specialize in some of these areas but not all. Sometimes multiple products are necessary – but determining which feature sets the organization truly needs can be a challenging task. The right technology stack is critical in order to bring automation to marketing initiatives.

    Complication

    • The first challenge is deciding whether to implement a full marketing suite or a point solution.
    • The number of marketing suites and point solutions has increased from 50 to more than 800 just in the past five years.
    • IT is receiving a growing number of marketing analytics requests and must be prepared to speak intelligently about marketing management vendor selection.

    Resolution

    • Leverage Info-Tech’s comprehensive three-phase approach to MMS selection projects: assess your organization’s preparedness to go into the selection stage, move through technology selection, and present decisions to stakeholders.
    • Conduct an MMS project preparedness assessment to ensure you maximize the value of your time, effort, and spend.
    • Determine whether your organization’s needs will best be met by a marketing management suite or a point solution.
    • Determine which use case your organization fits into and review the relevant vendor landscape, common capability, and areas of product differentiation. Consult Info-Tech’s market analysis to shortlist vendors for your RFP process.
    • Take advantage of traceable and auditable selection tools to run an effective evaluation and selection process. Be prepared to answer the retroactive question “Why this MMS?” with documentation of your selection process and outputs.

    Info-Tech Insight

    1. The new MMS market. Selecting a marketing management solution has become increasingly difficult, with the number of players in the marketplace ballooning to meet buyer demand.
    2. Direct translation to revenue. Picking the wrong marketing solution has a direct impact on the bottom line. However, the right MMS can lead to a 7.3x greater year-over-year increase in annual revenue.
    3. Don’t buy best-of-breed; buy best-for-you. Base your vendor selection on your requirements and use case, not on the vendor’s overall performance.

    MMS is a key piece of the CRM puzzle

    In order to optimize cross-sell opportunities and marketing effectiveness, there needs to be a master customer database, which belongs in the customer relationship management (CRM) suite.

    When it comes to marketing automation capabilities, using CRM is like building a car from a kit. All the parts are there, but you need the time and skill to put it all together. Using marketing automation is like buying the car you want or need, with all the features you want already installed and some gas in the tank, ready to drive. In either case, you still need to know how to drive and where you want to go.” (Mac McIntosh, Marketo Inc.) 'CRM' surrounded by its components with 'MMS' highlighted. A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue.

    Understand what an MMS can do for you

    Take time to learn the capabilities of modern marketing applications. Understanding the “art of the possible” will help you to get the most out of your MMS.

    MMS helps marketers in two primary ways:
    1. It allows them to efficiently execute and manage campaigns across dozens of channels and products.
    2. It allows them to analyze the outcomes of campaigns.
    Marketing suites accomplish these tasks by:
    • Leveraging workflow automation to reduce the amount of time spent creating marketing campaigns
    • Using internal or third-party data to increase conversion effectiveness from customer databases across the organization
    A strong MMS provides marketers with the data they need for actionable insights about their customers.
    A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.)

    Review Info-Tech’s vendor profiles of the MMS market to identify vendors that meet your requirements

    Logos of multiple vendors including 'Hubspot', 'IBM', 'Salesforce marketing cloud', etc.

    Use Info-Tech’s MMS implementation methodology as a starting point for your organization’s MMS selection

    Info-Tech’s implementation methodology is not a step-by-step approach to vendor selection, but rather it highlights the pertinent considerations for MMS selection at each of the five steps outlined below.

    1

    2

    3

    4

    5

    Establish Resources Gather Requirements Write and Assemble RFP Exercise Due Diligence Evaluate Candidate Solutions
    • Determine work initiative dependencies and project milestones.
    • Establish the project timeline.
    • Designate project resources.
    • Prioritize rollout of functionality.
    • Link business goals with the MMS selection project.
    • Determine user roles and profiles.
    • Conduct stakeholder interviews.
    • Build communication and change management plan.
    • Draft an RFP.
    • Make a plan for soliciting feedback and publishing the RFP.
    • Customize a vendor demo script and scorecard.
    • Conduct vendor demos.
    • Speak with vendor references.
    • Evaluate nonfunctional requirements.
    • Understand upgrade schedules.
    • Define a vendor evaluation framework.
    • Prepare the final evaluation.
    • Prepare a presentation for management.

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Professional services provider engages Info-Tech to guide it through its MMS selection journey

    CASE STUDY

    Industry: Professional Services | Source: Info-Tech Consulting

    Challenge

    A large professional services firm specializing in knowledge development was looking to modernize an outdated marketing services stack.

    Previous investments in marketing tools ranging from email automation to marketing analytics led to system fragmentation. As a result, there was no 360-degree overview of marketing operations and no way to run campaigns at scale.

    To satisfy the organization’s aspirations, a comprehensive marketing management suite had to be selected that met needs for the foreseeable future.

    Solution

    The Info-Tech consulting team was brought in to assist in the MMS selection process.

    After meeting with several stakeholders, MMS requirements were developed and weighted. An RFP was then created from these requirements.

    Following a market scan, four vendors were selected to complete the organization’s RFP. Demonstration scripts were then developed as the RFPs were completed by vendors.

    Shortlisted vendors progressed to the demonstration phase.

    Results

    Vendor scorecards were utilized during the two-day demonstrations with the core project team to score each vendor.

    During the scoring process the team also identified the need to replace the organization’s core customer repository (a legacy CRM).

    The decision was made to select a CRM before finalizing the MMS selection. Doing so ensured uniform system architecture and strong interoperability between the firm’s MMS and its CRM.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Select a Marketing Management Suite – project overview

    1. Launch the MMS Project and Collect Requirements 2. Shortlist Marketing Management Suites 3. Select Vendor and Communicate Decision to Stakeholders
    Supporting Tool icon

    Best-Practice Toolkit

    1.1 Assess the value and identify your organization’s fit for MMS technology.

    1.2 Build your procurement team and project customer experience management (CXM) strategy.

    1.3 Identify your MMS requirements.

    2.1 Produce your shortlist

    3.1 Select your MMS

    3.2 Present selection

    Guided Implementations

    • Understand CXM strategy and identify your fit for MMS technology.
    • Identify staffing needs.
    • Plan requirements gathering steps.
    • Discuss use-case fit assessment results.
    • Discuss vendor landscape.
    • Create a procurement strategy.
    • Discuss executive presentation.
    • Conduct a proposal review.
    Associated Activity icon

    Onsite Workshop

    Module 1:
    Launch Your MMS Selection Project
    Module 2:
    Analyze MMS Requirements and Shortlist Vendors
    Module 3:
    Plan Your Procurement Process
    Phase 1 Outcome:
    • Launch of MMS selection project
    Phase 2 Outcome:
    • Shortlist of vendors
    Phase 3 Outcome:
    • Selection of MMS

    Use these icons to help direct you as you navigate this research

    Use these icons to help guide you through each step of the blueprint and direct you to content related to the recommended activities.

    A small monochrome icon of a wrench and screwdriver creating an X.

    This icon denotes a slide where a supporting Info-Tech tool or template will help you perform the activity or step associated with the slide. Refer to the supporting tool or template to get the best results and proceed to the next step of the project.

    A small monochrome icon depicting a person in front of a blank slide.

    This icon denotes a slide with an associated activity. The activity can be performed either as part of your project or with the support of Info-Tech team members who will come onsite to facilitate a workshop for your organization.

    A small monochrome icon depicting a descending bar graph.

    This icon denotes a slide that pertains directly to the Info-Tech vendor profiles on marketing management technology. Use these slides to support and guide your evaluation of the MMS vendors included in the research.

    Select a Marketing Management Suite

    PHASE 1

    Launch the MMS Project and Collect Requirements

    Phase 1 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Launch Your MMS Project and Collect Requirements

    Proposed Time to Completion: 3 weeks
    Step 1.2: Structure the Project Step 1.3: Gather Requirements
    Start with an analyst kick-off call:
    • Review readiness requirements for an MMS project.
    • Understand the work initiatives involved in MMS selection.
    Review findings with analyst:
    • Determine use case based on your organizational alignment.
    • Discuss core MMS requirements.
    Then complete these activities…
    • Conduct an organizational MMS readiness assessment.
    Then complete these activities…
    • Identify best-fit use case.
    • Elicit, capture, and prioritize requirements.
    With these tools & templates:
    • MMS Readiness Assessment Checklist
    With these tools & templates:
    • MMS Requirements Picklist Tool
    Phase 1 Results:
    • Completed readiness assessment.
    • Refined project plan to incorporate selection and implementation.

    Phase 1 milestones

    Launch the MMS Project and Collect Requirements — Phase 1

    • Understand the MMS market space.
    • Assess organizational and project readiness for MMS selection.
    • Structure your MMS selection and implementation project by refining your MMS roadmap.
    • Align organizational use-case fit with market use cases.
    • Collect, prioritize, and document MMS requirements.

    Shortlist MMS Tool — Phase 2

    • Review MMS market leaders and players within your aligned use case.
    • Review MMS vendor profiles and capabilities.
    • Shortlist MMS vendors based on organizational fit.

    Select an MMS — Phase 3

    • Submit request for proposal (RFP) to shortlisted vendors.
    • Evaluate vendor responses and develop vendor demonstration scripts.
    • Score vendor demonstrations and select the final product.

    Step 1.1: Understand the MMS market

    1.1

    1.2

    1.3

    Understand the MMS Market Structure the Project Gather MMS Requirements

    This step will walk you through the following activities:

    • MMS market overview

    This step involves the following participants:

    • Project team
    • Project manager
    • Project sponsor

    Outcomes of this step

    • An understanding of the evolution of the MMS market space and how it helps today’s organizations.
    • An evaluation of new and upcoming trends sought by MMS clients.
    • Verification of whether an MMS is a fit with your organization.

    Speak the same language as the marketing department to deliver the most business value

    Marketing Management Suite Glossary

    Analytics The practice of measuring marketing performance to improve return on investment (ROI). It is often carried out through the visualization of meaningful patterns in data as a result of marketing initiatives.
    Channels The different places where marketers can reach customers (e.g. social media, print mail, television).
    Click-through rate The percentage of individuals who proceed (click-through) from one part of a marketing campaign to the next.
    Content management Curating, creating, editing, and keeping track of content and client-facing assets.
    Customer relationship management (CRM) A core enterprise application that provides a broad feature set for supporting customer interaction processes. The CRM frequently serves as a core customer data repository.
    Customer experience management (CXM) The holistic management of customer interaction processes across marketing, sales, and customer service to create valuable, mutually beneficial customer experiences.
    Engagement rate A social media metric used to describe the amount of likes, comments, shares, etc., that a piece of content receives.
    Lead An individual or organization who has shown interest in the product or service being marketed.
    Omnichannel The portfolio of interaction channels you use.

    MMS is a key piece of the customer experience ecosystem

    Within the broader CXM ecosystem, an MMS typically lives within the CRM platform. Interfacing with the CRM’s master customer database allows an MMS to optimize cross-sell opportunities and marketing effectiveness.

    A master database – the central place where all up-to-the-minute data on a customer profile is stored – is essential for MMS success. This is particularly true for real-time capability effectiveness and to minimize customer fatigue.

    If you have customer records in multiple places, you risk missing customer opportunities and potentially upsetting clients. For example, if a client has communicated preferences or disinterest through one channel, and this is not effectively recorded throughout the organization, another representative is likely to contact them in the same method again – possibly alienating the customer for good.

    A master database requires automatic synchronization with all point solutions, POS, billing systems, agencies, etc. If you don’t have up-to-the-minute information, you can’t score prospects effectively and you lose out on the benefits of the MMS.

    'CRM' surrounded by its components with 'MMS' highlighted.
    Focus on the fundamentals before proceeding. Secure organizational readiness to reduce project risk using Info-Tech’s Build a Strong Technology Foundation for CXM and Select and Implement a CRM Platform blueprints.

    Understanding the “art of the possible”

    The world of marketing technology changes rapidly! Understand how modern marketing management suites are used in most organizations.

    An MMS helps marketers in two primary ways:

    1. It allows them to efficiently execute and manage campaigns across dozens of channels and products.
    2. It allows them to analyze the outcomes of campaigns.

    Marketing suites accomplish these tasks by:

    • Leveraging workflow automation to reduce the amount of time spent creating marketing campaigns.
    • Using internal or third-party data to increase conversion effectiveness from customer databases across the organization.

    A strong MMS provides marketers with the data they need for actionable insights about their customers.

    A marketing automation solution delivers essentially all the benefits of an email marketing solution along with integrated capabilities that would otherwise need to be cobbled together using various standalone technologies.” (Marketo Inc.)

    Inform your way of thinking by understanding the capabilities of modern marketing applications.

    A tree with icons related to knowledge.

    Expect the marketing department to drive suite adoption, but don’t count out the benefits MMS will also provide to IT

    MMS adoption is driven by the need for better campaign execution and marketing intelligence. MMS technologies are adopted to create faster, easier, more intelligent, and more measurable campaigns and make managing complex channels easy and repeatable.

    Top Drivers for Adopting Marketing Management Technologies

    Bar chart of top drivers for adopting marketing management technology. The first four bars are highlighted and the largest, they are labelled 'Campaign Measurement & Effectiveness', 'Execute Multi-channel Campaigns', 'Shorten Marketing Campaign Cycle', and 'Reduce Manual Campaign Creation'.
    (Source: Info-Tech Research Group; N=23)

    The key drivers for MMS are business-related, not IT-related. However, this does not mean that there are no benefits to IT. In fact, the IT department will see numerous benefits, including time and resource savings. Further, not having an MMS creates more work for your IT department. IT must serve as a valued partner for selection and implementation.

    Additional benefits to IT driven by MMS

    Marketing management suites are ideal for large organizations with multiple product lines in complex marketing environments. IT is often more centralized than its counterparts in the business, making it uniquely positioned to encourage greater coordination by helping the business units understand the shared goals and the benefits of working together to roll out suites for marketing workflow management, intelligence, and channel management.

    Cross-Segmentation Additional Revenue Generation Real-Time Capabilities Lead Growth/ Conversion Rate
    Business Value
    • Share resources between brands and product lines.
    • Increase database size with populated client data.
    • Track customer lifetime value.
    • Increase average deal size.
    • Decrease time to execute campaigns.
    • Decrease lead acquisition costs while collecting higher quality leads.
    • Improve retention rates.
    • Reduce cost to serve.
    • Increase customer retention due to effective service.
    • Higher campaign and response rates.
    • Track, measure, and prove the value of marketing activities.
    • Broaden reach through social channels.
    IT Value
    • Reduce reliance on IT for routine tasks such as list creation and data cleansing.
    • Free up IT resources for the sectors of the business where the ROI is greatest.
    • Reduce need for IT to cleanse, modify, or merge data lists because most suites include CRM connectors.
    • Reduce need for constant customization on status reports on lead value and campaign success.

    Info-Tech Insight

    Don’t forget that MMS technologies deliver on the overarching suite value proposition: a robust solution within one integrated offering. Without an MMS in play, organizations in need of this functionality are forced to piece together point solutions (or ad hoc management). This not only increases costs but also is an integration nightmare for IT.

    Step 1.2: Structure the project

    1.1

    1.2

    1.3

    Understand the MMS MarketStructure the ProjectGather MMS Requirements

    This step will walk you through the following activities:

    • Determine if you are ready to kick off the MMS selection project.
    • Align project goals with CXM strategy and business goals.

    This step involves the following participants:

    • Core project team
    • Project manager
    • Project sponsor

    Outcomes of this step

    • Assurance that you have completed adequate preparation, obtained stakeholder and sponsor buy-in, secured sufficient resources, and completed strategy and planning activities to move forward with selection.
    • An approach to remedy organizational readiness to prepare for MMS selection.
    • An understanding of stakeholder goals.

    Identify the scope and purpose of your MMS selection process

    Vendor Profiles icon

    Sample Project Overview

    [Organization] plans to select and implement a marketing management suite in order to introduce better campaign management to the business’ processes. This procurement and implementation of an MMS tool will enable the business to improve the efficiency and effectiveness of marketing campaign execution.

    This project will oversee the assessment and shortlisting of MMS vendors, selection of an MMS tool, the configuration of the solution, and the implementation of the technology into the business environment.

    Rationale Behind the Project

    Consider the business drivers behind the interest in MMS technology.

    Be specific to business units impacted and identify key considerations (both opportunities and risks).

    Business Drivers

    • Organizational productivity
    • Customer satisfaction
    • Marketing management costs
    • Risk management

    Info-Tech Insights

    Creating repeatable and streamlined marketing processes is a common overarching business objective that is driven by multiple factors. To ensure this objective is achieved, confirm that the primary drivers are following the implementation of the first automated marketing channels.

    Activity: Understand your business’ goals for MMS by parsing your formal CXM strategy

    Associated Activity icon 1.2.1 1 hour

    INPUT: Stakeholder user stories

    OUTPUT: Understanding of ideal outcomes from MMS implementation

    MATERIALS: Whiteboard and marker or sticky notes

    PARTICIPANTS: Project sponsor, Project stakeholders, Business analysts, Business unit reps

    Instructions

    1. Outline the purpose of the future MMS tool and the drivers behind this business decision with the project’s key stakeholders.
    2. Document plans to ensure that these drivers are taken into consideration and realized following implementation. Example:
      Improve Reduce/Eliminate KPIs
      Multichannel marketing Duplication of effort Number of customer interaction channels supported
      Social integration Process inefficiencies Number of social signals received (likes, shares, etc.)

    If you do not have a well-defined CXM strategy, leverage Info-Tech’s research to Build a Strong Technology Foundation for Customer Experience Management.

    Understanding marketing suites

    Vendor Profiles icon

    This blueprint focuses on complete, integrated marketing management suites

    An integrated suite is a single product that is designed to assist with multiple marketing processes. Information from these suites is deeply connected to the core CRM. Changing a piece of information for one process will update all affected.

    'MMS' surrounded by its integrated processes, including 'Marketing Operations Management', 'Breadth of Channel Support', 'Marketing Asset Management', etc.

    Understanding marketing point solutions

    Vendor Profiles icon

    A point solution typically interfaces with a single customer interaction channel with minimal CRM integration.

    Why use a marketing point solution?

    1. A marketing point solution is a standalone application used to manage a unique process.
    2. Point solutions can be implemented and updated relatively quickly.
    3. They cost less than full-feature, integrated marketing suites.
    4. Some point solutions integrate with CRM platforms or MMS platforms.

    Refer to Phase 2 for a bird’s-eye view of the point solution marketplace.

    Marketing Point Solutions

    • Twitter Analytics
    • Search Engine Optimization
    • Customer Portals
    • Livechat
    • Marketing Attribution
    • Demand Side Platform

    Determine if MMS is right for your organization

    Vendor Profiles icon

    Adopt an MMS if:

    1. Your organization is actively pursuing a multichannel marketing strategy, particularly if its marketing campaigns are complex and multifaceted, involving consumer-specific conditional messaging.
    2. Your enterprise serves a high volume of customers and marketing needs extend to formally managing budgets and resources, lead generation and segmentation, and measuring channel effectiveness.
    3. Your organizations has multiple product lines and is interested in increasing cross-sale opportunities.

    Bypass an MMS if:

    • Your organization does not participate in multichannel campaigns and is primarily using email or web channels to generate leads. You may find the advanced features and capabilities of an MMS to be overkill and should consider lead marketing automation (LMA) or email marketing services first.
    • You are a small to midsize business (SMB) with a limited budget or fewer than five marketing professionals. Don’t buy what you don’t need; organizations with fewer than five people in the marketing department are unlikely to need an MMS.
    • Sales generation is not a priority for the business or a primary goal for the marketing department.

    Info-Tech Insight

    Using an MMS is ideal for organizations with multiple brands and product portfolios (e.g. consumer packaged goods). Ad hoc management and email marketing services are best for small organizations with a client base that requires only bare bones engagement.

    Determine if you are ready to kick off your MMS selection and implementation project

    Supporting Tool icon 1.2.2 MMS Readiness Assessment Checklist
    Use Info-Tech’s MMS Readiness Assessment Checklist to determine if your organization has sufficient process and campaign maturity to warrant the investment in a consolidated marketing management suite.

    Sections of the Tool:

    1. Goals & Objectives
    2. Project Team
    3. Current State Understanding
    4. Future State Vision
    5. Business Process Improvement
    6. Project Metrics
    7. Executive Sponsorship
    8. Stakeholder Buy-In & Change Management
    9. Risk Management
    10. Cost & Budget

    INFO-TECH DELIVERABLE

    Sample of Info-Tech's MMS Readiness Assessment Checklist.

    Complete the MMS Readiness Assessment Checklist by following the instructions in Activity 1.2.3.

    Activity: Determine if you are ready to kick off your MMS selection project

    Associated Activity icon 1.2.3 30 minutes

    INPUT: MMS foundation, MMS strategy

    OUTPUT: Readiness remediation approach, Validation of MMS project readiness

    MATERIALS: Info-Tech’s MMS Readiness Assessment Checklist

    PARTICIPANTS: Project sponsor, Core project team

    Instructions

    1. Download the MMS Readiness Assessment Checklist.
    2. Review Section 1 of the checklist with the core project team and/or project sponsor, item by item. For completed items, tick the relative checkbox.
    3. Once the whole checklist has been reviewed, document all incomplete items in the table under Section 1 in the first table column (“Incomplete Readiness Item”).
    4. For each incomplete item, use your discretion to determine whether its completion is critical in preparation for MMS selection and implementation. This may vary given the complexity of your MMS project. If the item is critical to the project, indicate this with “Y” in the second column (“Criticality (Y/N)”).
    5. For each critical item, reflect on the barriers that have prevented or are preventing its completion. Possible barriers include incomplete task dependencies, low value-to-effort determination, lack of organizational knowledge or resources, pressure of deadlines, etc. Document these barriers in the third column (“Barriers to Completion”).
    6. Based on the barriers determined in Step 5, determine a remediation approach for each item. Document the approach in the fourth column (“Remediation Approach”).
    7. For each remediation activity, designate a due date and remediation owner. Document this in the fifth column (“Due Date & Owner”).
    8. Carry out the remediation of critical tasks and return to this blueprint to kickstart your selection and implementation project.

    Step 1.3: Gather MMS requirements

    1.1

    1.2

    1.3

    Understand the MMS MarketStructure the ProjectGather MMS Requirements

    This step will walk you through the following activities:

    • Understand your MMS use case.
    • Elicit and capture your MMS requirements.
    • Prioritize your solution requirements.

    This step involves the following participants:

    • Core project team
    • Project manager
    • Business analysts
    • Procurement subject-matter experts (SMEs)

    Outcomes of this step

    • Project alignment with MMS market use case.
    • Inventory of categorized and prioritized MMS business requirements.

    Understand the dominant use-case scenarios for MMS across organizations

    Vendor Profiles icon

    USE CASES

    While an organization may be product- or service-centric, most fall into one of the three use cases described on this slide.

    1) Marketing Automation

    Workflow Management

    Managing complex marketing campaigns and building and tracking marketing workflows are the mainstay responsibilities of brand managers and other senior marketing professionals. In this category, we evaluated vendors that provide marketers with comprehensive tools for marketing campaign automation, workflow building and tracking, lead management, and marketing resource planning for campaigns that need to reach a large segment of customers.

    Omnichannel Management

    The proliferation of marketing channels has created significant challenges for many organizations. In this use case, we executed a special evaluation of vendors that are well suited for the intricacies of juggling multiple channels, particularly mobile, social, and email marketing.

    2) Marketing Intelligence

    Sifting through data from a myriad of sources and coming up with actionable intelligence and insights remains a critical activity for marketing departments, particularly for market researchers. In this category, we evaluated solutions that aggregate, analyze, and visualize complex marketing data from multiple sources to allow decision makers to execute informed decisions.

    3) Social Marketing

    The proliferation of social networks, customer data, and use cases has made ad hoc social media management challenging. In this category we evaluated vendors that bring uniformity to an organization’s social media capabilities and contribute to a 360-degree customer view.

    Activity: Understand which type of MMS you need

    Associated Activity icon 1.3.1 30 minutes

    INPUT: Use-case breakdown

    OUTPUT: Project use-case alignments

    Materials: Whiteboard, markers

    Participants: Project manager, Core project team (optional)

    Instructions

    1. Familiarize your team with Info-Tech’s MMS use-case breakdown from the previous slide.
    2. Determine which use case is best aligned with your organization’s MMS project objectives. If you need assistance with this, consider the relevance of the cases studies and statements on the following slides.
    3. If your team agrees with most or all statements under a given use case, this indicates strong alignment towards that use case. It is possible for an organization to align with more than one use case. Your use-case alignment will guide you in creating a vendor shortlist later in this project.

    Use Info-Tech’s vendor research and use-case scenarios to support your organization’s vendor analysis

    The use-case view of vendor and product performance provides multiple opportunities for vendors to fit into your application architecture depending on their product and market performance. The use cases selected are based on market research and client demand.

    Determining your use case is crucial for:

    1. Selecting an application that is the right fit
    2. Establishing a business case for MMS

    The following slides illustrate how the three most common use cases (marketing automation, marketing intelligence, and social marketing) align with business needs. As shown by the case studies, the right MMS can result in great benefits to your organization.

    Use-case alignment and business need

    Vendor Profiles icon

    Marketing Automation

    Marketing Need Manage customer experience across multiple channels Manage multiple campaigns simultaneously Integrate web-enabled devices (IoT) into marketing campaigns Run and track email marketing campaigns
    A line of arrows pointing down.
    Corresponding Feature End-to-end management of email marketing Visual workflow editor Customer journey mapping Business rules engine A/B tracking

    The Portland Trail Blazers utilize an MMS to amplify their message with marketing automation technology

    CASE STUDY

    Industry: Entertainment | Source: Marketo

    Challenge

    The Portland Trail Blazers, an NBA franchise, were looking to expand their appeal beyond the city of Portland and into the greater Pacific Northwest Region.

    The team’s management group also wanted to showcase the full range of events that were hosted in the team’s multipurpose stadium.

    The Trail Blazers were looking to engage fans in a more targeted fashion than their CRM allowed for. Ultimately, they hoped to move from “batch and blast” email campaigns to an automated and targeted approach.

    Solution

    The Trail Blazers implemented an MMS that allowed it to rapidly build different types of campaigns. These campaigns could be executed across a variety of channels and target multiple demographics at various points in the fan journey.

    Contextual ads were implemented using the marketing suite’s automated customer journey mapping feature. Targeted ads were served based on a fan’s location in the journey and interactions with the Trail Blazers’ online collateral.

    Results

    The automated campaigns led to a 75% email open rate, which contributed to a 96% renewal rate for season ticket holders – a franchise record.

    Other benefits resulting from the improved conversion rate included an increased cohesion between the Trail Blazers’ marketing, analytics, and ticket sales operations.

    Use-case alignment and business need

    Vendor Profiles icon

    Marketing Intelligence

    Marketing Need Capture marketing- and customer-related data from multiple sources Analyze large quantities of marketing data Visualize marketing-related data in a manner that is easy for decision makers to consume Perform trend and predictive analysis
    A line of arrows pointing down.
    Corresponding Feature Integrate data across customer segments Analysis through machine learning Assign attributers to unstructured data Displays featuring data from external sources Create complex customer data visualizations

    Chico’s FAS uses marketing intelligence to drive customer loyalty

    CASE STUDY

    Industry: Retail | Source: SAS

    Challenge

    Women’s apparel retailer Chico’s FAS was looking to capitalize on customer data from in-store and online experiences.

    Chico’s hoped to consolidate customer data from multiple online and brick-and-mortar retail channels to get a complete view of the customer.

    Doing so would satisfy Chico’s need to create more highly segmented, cost-effective marketing campaigns

    Solution

    Chico’s selected an MMS with strong marketing intelligence, analysis, and data visualization capability.

    The MMS could consolidate and analyze customer and transactional information. The suite’s functionality enabled Chico’s marketing team to work directly with the data, without help from statisticians or IT staff.

    Results

    The approach to marketing indigence led to customers getting deals on products that were actually relevant to them, increasing sales and brand loyalty.

    Moreover, the time it took to perform data consolidation decreased dramatically, from 17 hours to two hours, allowing the process to be performed daily instead of weekly.

    Use-case alignment and business need

    Vendor Profiles icon

    Social Marketing

    Marketing Need Understand customers' likes and dislikes Manage and analyze social media channels like Facebook and Twitter Foster a conversation around specific products Engage international audiences through regional messaging apps
    A line of arrows pointing down.
    Corresponding Feature Social listening capabilities Tools for curating customer community content Ability to aggregate social data Integration with popular social networks Ability to conduct trend reporting

    Bayer leverages MMS technology to cultivate a social presence

    CASE STUDY

    Industry: Life Sciences | Source: Adobe

    Challenge

    Bayer, a Fortune 500 health and life sciences company, was looking for a new way to communicate its complex medical breakthroughs to the general public.

    The decision was made to share the science behind its products via social channels in order to generate excitement.

    Bayer needed tools to publish content across a variety of social media platforms while fostering conversations that were more focused on the science behind products.

    Solution

    Based on the requirements, Bayer decided that an MMS would be the best fit.

    After conducting a market scan, the company selected an MMS with a comprehensive social media suite.

    The suite included tools for social listening and moderation and tools to guide conversations initiated by both marketers and customers.

    Results

    The MMS provided Bayer with the toolkit to engage its audience.

    Bayer took control of the conversation about its products by serving potential customers with relevant video content on social media.

    Its social strategy coupled with advanced engagement tools resulted in new business opportunities and more than 65,000 views on YouTube and more than 87,000 Facebook views in a single month.

    Leverage Info-Tech’s requirements gathering framework to serve as the basis for capturing your MMS requirements

    An important step in selecting an MMS that will have widespread user adoption is creating archetypal customer personas. This will enable you to talk concretely about them as consumers of the application you select and allow you to build buyer scenarios around them.
    REQUIREMENTS GATHERING
    Info-Tech’s requirements gathering framework is a comprehensive approach to requirements management that can be scaled to any size of project or organization. This framework ensures that the application created will capture the needs of all stakeholders and deliver business value. Develop and right-size a proven standard operating procedure for requirements gathering with Info-Tech’s blueprint Build a Strong Approach to Business Requirements Gathering.
    Stock photo of a Jenga tower with title: Build a Strong Approach to Business Requirements Gathering
    KEY INPUTS TO MMS REQUIREMENTS GATHERING
    Requirements Gathering Methodology

    Sample of Requirements Gathering Blueprint.

    Requirements Gathering Blueprint Slide 25: Understand the best-practice framework for requirements gathering for enterprise applications projects.

    Requirements Gathering SOP

    Sample of Requirements Gathering Blueprint.

    Requirements Gathering Blueprint Activities 1.2.2-1.2.5, 2.1.1, 2.1.2, 3.1.1, 3.2.1, 4.1.1-4.1.3, 4.2.2: Consolidate outputs to right-size a best-practice SOP for your organization.

    Project Level Selection Tool

    Sample of Requirements Gathering Blueprint.

    Requirements Gathering Blueprint Activity 1.2.4: Determine project-level selection guidelines to inform the due diligence required in your MMS requirements gathering.

    Activity: Elicit and capture your MMS requirements

    Associated Activity icon 1.3.2 Varies

    INPUT: MMS tool user expertise, MMS Requirements Picklist Tool

    OUTPUT: A list of needs from the MMS tool user perspective

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: MMS users in the organization, MMS selection committee

    Instructions

    1. Identify stakeholders for the requirements gathering exercise. Consider holding one-on-one sessions or large focus groups with key stakeholders or the project sponsor to gather business requirements for an MMS.
    2. Use the MMS Requirements Picklist Tool as a starting point for conducting the requirements elicitation session(s).
    3. Begin by reading the instructions in the template and then move to the “Requirements” worksheet. Read each defined requirement in the worksheet and indicate in the “Requirement Status” column whether the requirement is a “Must,” “High,” or “Low.” Confirming the status is an important part of the exercise. The status will help filter vendors for final selection later on in the process.
    4. Decide whether additional requirements are necessary by asking the MMS tool users. If so, add the requirements to the bottom of the “Requirements” worksheet and indicate their “Requirement Status.”

    Download the MMS Requirements Picklist Tool to help with completing this activity.

    Show the measurable benefits of MMS with metrics

    The return on investment (ROI) and perceived value of the organization’s marketing solution will be a critical indication of the likelihood of success of the suite’s selection and implementation.

    EXAMPLE
    METRICS

    MMS and Technology Adoption

    Marketing Performance Metrics
    Average revenue gain per campaign Quantity and quality of marketing insights
    Average time to execute a campaign Customer acquisition rates
    Savings from automated processes Marketing cycle times
    User Adoption and Business Feedback Metrics
    User satisfaction feedback User satisfaction survey with the technology
    Business adoption rates Application overhead cost reduction

    Info-Tech Insight

    Even if marketing metrics are difficult to track right now, the implementation of an MMS brings access to valuable customer intelligence from data that was once kept in silos.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech Workshop Associated Activity icon

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analyst will join you and your team onsite at your location or welcome you to Info-Tech's historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.2.1

    Sample of activity 1.2.1 'Understand your business' goals for MMS by parsing your formal CXM strategy'. Align the CXM strategy value proposition to MMS capabilities

    Our facilitator will help your team identify the IT CXM strategy and marketing goals. The analyst will then work with the team to map the strategy to technological drivers available in the MMS market.

    1.3.2

    Sample of activity 1.3.2 'Elicit and capture your MMS requirements'. Define the needs of MMS users

    Our facilitator will work with your team to identify user requirements for the MMS Requirements Picklist Tool. The analyst will facilitate a discussion with your team to prioritize identified requirements.

    Select a Marketing Management Suite

    PHASE 2

    Shortlist Marketing Management Suites

    Phase 2 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Shortlist Marketing Management Suites

    Proposed Time to Completion: 1-3 months
    Step 2.1: Analyze and Shortlist MMS Vendors
    Start with an analyst kick-off call:
    • Review requirements gathering findings.
    • Review the MMS market space.
    Then complete these activities…
    • Review vendor profiles and analysis.
    • Weigh the evaluation criteria’s importance in product capabilities and vendor characteristics.
    • Shortlist MMS vendors.
    With these tools & templates:
    Phase 2 Results:
    • Shortlist of MMS tools

    Phase 2 milestones

    Launch the MMS Project and Collect Requirements — Phase 1

    • Understand the MMS market space.
    • Assess organizational and project readiness for MMS selection.
    • Structure your MMS selection and implementation project by refining your MMS roadmap.
    • Align organizational use-case fit with market use cases.
    • Collect, prioritize, and document MMS requirements.

    Shortlist MMS Tool — Phase 2

    • Review MMS market leaders and players within your aligned use case.
    • Review MMS vendor profiles and capabilities.
    • Shortlist MMS vendors based on organizational fit.

    Select an MMS — Phase 3

    • Submit request for proposal (RFP) to shortlisted vendors.
    • Evaluate vendor responses and develop vendor demonstration scripts.
    • Score vendor demonstrations and select the final product.

    Step 2.1: Analyze and shortlist MMS vendors

    2.1

    Analyze and Shortlist MMS Vendors

    This step will walk you through the following activities:

    • Review MMS vendor landscape.
    • Take note of relevant point solutions.
    • Shortlist vendors for the RFP process.

    This step involves the following participants:

    • Core project team

    Outcomes of this step

    • Understanding of Info-Tech’s use-case scenarios for MMS: marketing automation, marketing intelligence, and social marketing.
    • Familiarity with the MMS vendor landscape.
    • Shortlist of MMS vendors for RFP process.

    Familiarize yourself with the MMS market: How it got here

    Vendor Profiles icon

    Loosely Tied Together

    Originally the sales and marketing enterprise application space was highly fragmented, with disparate best-of-breed point solutions patched together. Soon after, vendors in the late 1990s started bundling automation technologies into a single suite offering. Marketing capabilities of CRM suites were minimal at best and often restricted to web and email only.

    Limited to Large Enterprises

    Many vendors started to combine all marketing tools into a single, comprehensive marketing suite, but cost and complexity limited them to large enterprises and marketing agencies.

    Best-of-breed solutions targeting new channels and new goals, like closed-loop sales and marketing, continued driving new marketing software genres, like dedicated lead management suites.

    In today’s volatile business environment, judgment built from past experience is increasingly unreliable. With consumer behaviors in flux, once-valid assumptions (e.g. ‘older consumers don’t use Facebook or send text messages’) can quickly become outdated.” (SAS Magazine)

    Info-Tech Insight

    As the market evolves, capabilities that were once cutting edge become default and new functionality becomes differentiating. Some features, like basic CRM integration, have become table stakes capabilities. Focus on advanced analytics features and omnichannel integration capabilities to get the best fit for your requirements.

    Familiarize yourself with the MMS market: Where it’s going

    Vendor Profiles icon

    AI and Machine Learning

    Vendors are beginning to offer AI capabilities across MMS for data-driven customer engagement scoring and social listening insights. Machine learning capability is being leveraged to determine optimal customer journey and suggest next steps to users.

    Marketplace Fragmentation

    The number of players in the marketing application space has grown exponentially. The majority of these new vendors offer point solutions rather than full-blown marketing suites. Fragmentation is leading to tougher choices when looking to augment an existing platform with specific functionality.

    Improving Application Integration

    MMS vendors are fostering deeper integrations between their marketing products and core CRM products, leading to improved data hygiene. At the same time, vendors are improving flexibility in the marketing suite so that new channels can be added easily.

    Greater Self-Service

    Vendors have an increased emphasis on application usability. Their goal is to enable marketers to execute campaigns without relying on specialists.

    There’s a firehose of customer data coming at marketers today, and with more interconnected devices emerging (wearables, smart watches, etc.), cultivating a seamless customer experience is likely to grow even more challenging.

    Building out a data-driven marketing strategy and technology stack that enables you to capture behaviors across channels is key.” (IBM, Ideas for Exceeding Customer Expectations)

    Review Info-Tech’s vendor profiles of the MMS market to identify vendors that meet your requirements

    Vendors & Products Evaluated

    Vendor logos including 'Adobe', 'ORACLE', and 'IBM'.

    VENDOR PROFILES

    Review the MMS Vendor Evaluation

    Large icon of a descending bar graph for vendor profiles title page.

    Table stakes are the minimum standard; without these, a product doesn’t even get reviewed

    Vendor Profiles icon

    TABLE STAKES

    Feature Table Stake Functionality
    Basic Workflow Automation Simple automation of common marketing tasks (e.g. handling inbound leads).
    Basic Channel Integration Integration with minimum two or more marketing channels (e.g. email and direct mail).
    Customizable User Interface A user interface that can be changed and optimized to users’ preferences. This includes customizable dashboards for displaying relevant marketing metrics.
    Basic Mobile UX Accessible from a mobile device in some fashion.
    Cloud Compatibility Able to offer integration within pre-existing or proprietary cloud server. Many vendors only have SaaS products.

    What does this mean?

    The products assessed in these vendor profiles meet, at the very least, the requirements outlined as table stakes.

    Many of the vendors go above and beyond the outlined table stakes; some even do so in multiple categories. This section aims to highlight the products’ capabilities in excess of the criteria listed here.

    Info-Tech Insight

    If table stakes are all you need from your MMS, determine whether your existing CRM platform already satisfies your requirements. Otherwise, dig deeper to find the best price-to-value ratio for your needs.

    Take a holistic approach to vendor and product evaluation

    Almost – or equally – as important as evaluating vendor feature capabilities is the need to evaluate vendor viability and non-functional aspects of the MMS. Include an evaluation of the following criteria in your vendor scoring methodology:

    Vendor Attribute Description
    Vendor Stability and Variability The vendor’s proven ability to execute on constant product improvement, deliberate strategic direction, and overall commitment to research and development efforts in responding to emerging trends.
    Security Model The potential to integrate the application to existing security models and the vendor's approach to handling customer data.
    Deployment Style The choice to deploy a single or multi-tenant SaaS environment via a perpetual license.
    Ease of Customization The relative ease with which a system can be customized to accommodate niche or industry-specific business or functional needs.
    Vendor Support Options The availability of vendor support options, including selection consulting, application development resources, implementation assistance, and ongoing support resources.
    Size of Partner Ecosystem The quantity of enterprise applications and third-party add-ons that can be linked to the MMS, as well as the number of system integrators available.
    Ease of Data Integration The relative ease with which the system can be integrated with an organization’s existing application environment, including legacy systems, point solutions, and other large enterprise applications.

    Info-Tech Insight

    Evaluate vendor capabilities, not just product capabilities. An MMS is typically a long-term commitment; ensure that your organization is teaming up with a vendor or provider that you feel you can work well with and depend on.

    Advanced features are the capabilities that allow for granular differentiation of market players and use-case performance

    Vendor Profiles icon

    Evaluation Methodology

    These product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case.

    Feature Advanced Functionality
    Advanced Campaign Management End-to-end marketing campaign management: customer journey mapping, campaign initiation, monitoring, and dynamic reporting and adjustment.
    Marketing Asset Management Content repository functionality (or tight ECM integration) for marketing assets and campaign collateral (static, multimedia, e-commerce–related, etc.).
    Marketing Analytics
    • Predictive analytics; machine learning; capabilities for data ingestion and visualization across various marketing research/marketing intelligence categories (demographic, psychographic, etc.).
    • Data segmentation; drill-down ability to assign attributes to unstructured data; ability to construct complex customer/competitive data visualizations from segmented data.
    Breadth of Channel Support Ability to support and manage a wide range of marketing channels (e-commerce, SEO/SEM, paid advertising, email, traditional [print, multimedia], etc.).
    Marketing Workflow Management Visual workflow editors and business rules engine creation.

    Advanced features are the capabilities that allow for granular differentiation of market players and use-case performance

    Vendor Profiles icon

    Evaluation Methodology

    These product features were assessed as part of the classification of vendors into use cases. In determining use-case leaders and players, select features were considered based on best alignment with the use case.

    Feature Advanced Functionality
    Community Marketing Management Branded customer communities (e.g. community support forums) and DMB/DSP.
    Email Marketing Automation End-to-end management of email marketing: email templates, email previews, spam testing, A/B tracking, multivariate testing, and email metrics tracking.
    Social Marketing Ability to integrate with popular social media networks and manage social properties and to aggregate and analyze social data for trend reporting.
    Mobile Marketing Ability to manage SMS, push, and mobile application marketing.
    Marketing Operations Management Project management tools for marketers (timelines, performance indicators, budgeting/resourcing tools, etc.).

    Use the information in the MMS vendor profiles to streamline your vendor analysis process

    Vendor Profiles icon This section includes profiles of the vendors evaluated against the previously outlined framework.
    Review the use-case scenarios relevant to your organization’s use case to identify a vendor’s fit to your organization’s MMS needs.
    • L = Use-case leader
    • P = Use-case player
    Three column headers: 'Marketing Automation', 'Marketing Intelligence', and 'Social Media Marketing'.
    Understand your organization’s size and whether it falls within the product’s market focus.
    • Large enterprise: 2,000+ employees and revenue of $250M+
    • Small-medium enterprise: 30-2,000 employees and revenue of $25M-$250M
    Column header 'MARKET FOCUS' with row headers 'Small-Medium' and 'Large Enterprise'.
    Review the differentiating features to identify where the application performs best. A list of features.
    Colors signify a feature’s performance. A key for color-coding: Blue - 'Best of Breed', Green - 'Present: Competitive Strength', Yellow-Green - 'Present: Competitive Parity', Yellow - 'Semi-Present', Grey - 'Absent'.

    Adobe Marketing Cloud

    Vendor Profiles icon
    Logo for Adobe. FUNCTIONAL SPOTLIGHT

    Creative Cloud Integration: To make for a more seamless cross-product experience, projects can be sent between Marketing Cloud and Creative Cloud apps such as Photoshop and After Effects.

    Sensei: Adobe has revamped its machine learning and AI platform in an effort to integrate AI into all of its marketing applications. Sensei includes data from Microsoft in a new partnership program.

    Anomaly Detection: Adobe’s Anomaly Detection contextualizes data and provides a statistical method to determine how a given metric has changed in relation to previous metrics.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    L

    L

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Adobe’s goal with Marketing Cloud is to help businesses provide customers with cohesive, seamless experiences by surfacing customer profiles in relevant situations quickly. Adobe Marketing Cloud has traditionally been used in the B2C space but has seen an increase in B2C use cases driven by the finance and technology sectors. FEATURES
    Color-coded ranking of each feature for Adobe.
    Employees (2018): 17,000 Presence: Global Founded: 1982 NASDAQ: ADBE

    HubSpot

    Vendor Profiles icon

    Logo for Hubspot.FUNCTIONAL SPOTLIGHT

    Content Optimization System (COS): The fully integrated system stores assets and serves them to their designated channels at relevant times. The COS is integrated into HubSpot's marketing platform.

    Email Automation: HubSpot provides basic email that can be linked to a specific part of an organization’s marketing funnel. These emails can also be added to pre-existing automated workflows.

    Email Deliverability Tool: HubSpot identifies HTML or content that will be flagged by spam filters. It also validates links and minimizes email load times.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    P

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Hubspot’s primary focus has been on email marketing campaigns. It has put effort into developing solid “click not code” email marketing capabilities. Also, Hubspot has an official integration with Salesforce for expanded operations management and analytics capabilities. FEATURES
    Color-coded ranking of each feature for Hubspot.
    Employees (2018): 1,400 Presence: Global Founded: 2006 NYSE: HUBS

    IBM Marketing Cloud

    Vendor Profiles icon

    Logo for IBM.FUNCTIONAL SPOTLIGHT

    Watson: IBM is leveraging its popular Watson AI brand to generate marketing insights for automated campaigns.

    Weather Effects: Set campaign rules based on connections between weather conditions and customer behavior relative to zip code made by Watson.

    Real-Time Personalization: IBM has made efforts to remove campaign interaction latency and optimize live customer engagement by acting on information about what customers are doing in the current moment.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    L

    L

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    IBM has remained ahead of the curve by incorporating its well-known AI technology throughout Marketing Cloud. The application’s integration with the wide array of IBM products makes it a powerful tool for users already in the IBM ecosystem. FEATURES
    Color-coded ranking of each feature for IBM.
    Employees (2018): 380,000 Presence: Global Founded: 1911 NYSE: IBM

    Marketo

    Vendor Profiles icon

    Logo for Marketo.FUNCTIONAL SPOTLIGHT

    Content AI: Marketo has leveraged its investments in machine learning to intelligently fetch marketing assets and serve them to customers based on their interactions with a campaign.

    Email A/B Testing: To improve lead generation from email campaigns, Marketo features the ability to execute A/B testing for customized campaigns.

    Partnership with Google: Marketo is now hosted on Google’s cloud platform, enabling it to provide support for larger enterprise clients and improve GDPR compliance.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    P

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Marketo has strong capabilities for lead management but has recently bolstered its analytics capabilities. Marketo is hoping to capture some of the analytics application market share by offering tools with varying complexity and to cater to firms with a wide range of analytics needs. FEATURES
    Color-coded ranking of each feature for Marketo.
    Employees (2018): 1,000 Presence: Global Founded: 2006 Private Corporation

    Oracle Marketing Cloud

    Vendor Profiles icon

    Logo for Oracle.FUNCTIONAL SPOTLIGHT

    Data Visualization: To make for a more seamless cross-product experience, marketing projects can be sent between Marketing Cloud and Creative Cloud apps such as Dreamweaver.

    ID Graph: Use ID Graph to unite disparate data sources to form a singular profile of leads, making the personalization and contextualization of campaigns more efficient.

    Interest-Based Messaging: Pause a campaign to update a segment or content based on aggregated customer activity and interaction data.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    P

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Oracle Marketing Cloud is known for its balance between campaigns and analytics products. Oracle has taken the lead on expanding its marketing channel mix to include international options such as WeChat. Users already using Oracle’s CRM/CEM products will derive the most value from Marketing Cloud. FEATURES
    Color-coded ranking of each feature for Oracle.
    Employees (2018): 138,000 Presence: Global Founded: 1977 NYSE: ORCL

    Salesforce Marketing Cloud

    Vendor Profiles icon

    Logo for Salesforce Marketing Cloud.FUNCTIONAL SPOTLIGHT

    Einstein: Salesforce is putting effort into integrating AI into all of its applications. The Einstein AI platform provides marketers with predictive analytics and insights into customer behavior.

    Mobile Studio: Salesforce has a robust mobile marketing offering that encompasses SMS/MMS, in-app engagement, and group messaging platforms.

    Journey Builder: Salesforce created Journey Builder, which is a workflow automation tool. Its user-friendly drag-and-drop interface makes it easy to automate responses to customer actions.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    L

    P

    L

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Salesforce Marketing Cloud is primarily used by organizations in the B2C space. It has strong Sales Cloud CRM integration. Pardot is positioning itself as a tool for sales teams in addition to marketers. FEATURES
    Color-coded ranking of each feature for Salesforce Marketing Cloud.
    Employees (2018): 1,800 Presence: Global Founded: 2000 NYSE: CRM

    Salesforce Pardot

    Vendor Profiles icon

    Logo for Salesforce Pardot.FUNCTIONAL SPOTLIGHT

    Engagement Studio: Salesforce is putting marketing capabilities in the hands of sales reps by giving them access to a team email engagement platform.

    Einstein: Salesforce’s Einstein AI platform helps marketers and sales reps identify the right accounts to target with predictive lead scoring.

    Program Steps: Salesforce developed a distinct own workflow building tool for Pardot. Workflows are made of “Program Steps” that have the functionality to initiate campaigns based on insights from Einstein.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    P

    -

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    Pardot is Salesforce’s B2B marketing solution. Pardot has focused on developing tools that enable sales teams and marketers to work in lockstep in order to achieve lead-generation goals. Pardot has deep integration with Salesforce’s CRM and customer service management products. FEATURES
    Color-coded ranking of each feature for Salesforce Pardot.
    Employees (2018): 1,800 Presence: Global Founded: 2000 NYSE: CRM

    SAP Hybris Marketing

    Vendor Profiles icon

    Logo for SAP.FUNCTIONAL SPOTLIGHT

    CMO Dashboard: The specialized dashboard is aimed at providing overviews for the executive level. It includes the ability to coordinate marketing activities and project budgets, KPIs, and timelines.

    Loyalty Management: SAP features in-app tools to manage campaigns specifically geared toward customer loyalty with digital coupons and iBeacons.

    Customer Segmentation: SAP’s predictive capabilities dynamically suggest relevant customer profiles for new campaigns.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    L

    P

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    SAP Hybris Marketing Cloud optimizes marketing strategies in real time with accurate attribution and measurements. SAP’s operations management capabilities are robust, including the ability to view consolidated data streams from ongoing marketing plans, performance targets, and budgets. FEATURES
    Color-coded ranking of each feature for SAP.
    Employees (2018): 84,000 Presence: Global Founded: 1972 NYSE: SAP

    SAS Marketing Intelligence

    Vendor Profiles icon

    Logo for SAS.FUNCTIONAL SPOTLIGHT

    Activity Map: A user-friendly workflow builder that can be used to execute campaigns. Multiple activities can be simultaneously A/B tested within the Activity Map UI. The outcome of the test can automatically adjust the workflow.

    Spots: A native digital asset manager that can store property that is part of existing and future campaigns.

    Viya: A framework for fully integrating third-party data sources into SAS Marketing Intelligence. Viya assists with pairing on-premises databases with a cloud platform for use with the SAS suite.

    USE-CASE PERFORMANCE
    Marketing
    Automation
    Marketing
    Intelligence
    Social
    Marketing

    P

    L

    MARKET FOCUS
    Small-Medium
    Large Enterprise
    SAS has been a leading BI and analytics provider for more than 35 years. Rooted in statistical analysis of data, SAS products provide forward-looking strategic insights. Organizations that require extensive customer intelligence capabilities and the ability to “slice and dice” segments should have SAS on their shortlist. FEATURES
    Color-coded ranking of each feature for SAS.
    Employees (2018): 14,000 Presence: Global Founded: 1976 Private Corporation

    Consider alternative MMS vendors not included in Info-Tech’s vendor profiles

    Info-Tech evaluated only a portion of vendors in the MMS market. In order for a vendor to be included in this landscape, the company needed to meet three baseline criteria:
    1. Our clients must be talking about the solution.
    2. Our analysts must believe the solution will play well within the evaluation.
    3. The vendor must meet table stakes criteria.
    Below is a list of notable vendors in the space that did not meet all of Info-Tech’s inclusion requirements.

    Additional vendors in the MMS market:

    Logo for act-on. Logo for SharpSpring.

    See the next slides for suggested point solutions.

    Leverage Info-Tech’s WXM and SMMP vendor landscapes to select platforms that fit with your CXM strategy

    Web experience management (WXM) and social media management platforms (SMMP) act in concert with your MMS to execute complex campaigns.

    Social Media Management

    Info-Tech’s SMMP selection guide enables you to find a solution that satisfies your objectives across marketing, sales, public relations, HR, and customer service. Create a unified framework for driving successful implementation and adoption of your SMMP that fully addresses CRM and marketing automation integration, end-user adoption, and social analytics with Info-Tech’s blueprint Select and Implement a Social Media Management Platform.

    Stock image with the title Select and Implement a Social Media Management Platform.
    Web Experience Management

    Info-Tech’s approach to WXM ensures you have the right suite of tools for web content management, experience design, and web analytics. Put your best foot forward by conducting due diligence as the selection project advances. Ensure that your organization will see quick results with Info-Tech’s blueprint Select and Implement a Web Experience Management Solution.

    Stock image with the title Select and Implement a Web Experience Management Solution.

    POINT SOLUTION PROFILES

    Review this cursory list of point solutions by use case

    Consider point solutions if a full suite is not required

    Large icon of a target for point solution profiles title page.

    Consider point solutions if a full suite is not required

    Email Marketing

    Logos of companies for Email Marketing including MailChimp and emma.

    Consider point solutions if a full suite is not required

    Search Engine Optimization (SEO)

    Logos of companies for Search Engine Optimization including SpyFu and SerpStat.

    Consider point solutions if a full suite is not required

    Demand-Side Platform (DSP)

    Logos of companies for Demand-Side Platform including MediaMath and rocketfuel.

    Consider point solutions if a full suite is not required

    Customer Portal Software

    Logos of companies for Customer Portal Software including LifeRay and lithium.

    Select a Marketing Management Suite

    PHASE 3

    Select Vendor and Communicate Decision to Stakeholders

    Phase 3 outline

    Associated Activity icon Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Plan Your MMS Implementation

    Proposed Time to Completion: 2 weeks
    Step 3.1: Select Your MMS Step 3.2: Communicate the Decision to Stakeholders
    Start with an analyst kick-off call:
    • Review the MMS shortlist.
    • Discuss how to link RFP questions and demo script scenarios to gathered requirements.
    Review findings with analyst:
    • Review the alignment between MMS capability and the business’ CXM strategy.
    • Discuss how to present the decision to stakeholders.
    Then complete these activities…
    • Build a vendor response template.
    • Evaluate RFP responses from vendors.
    • Build demo scripts and set up product demonstrations.
    • Establish evaluation criteria.
    • Select MMS product and vendor.
    Then complete these activities…
    • Present decision rationale to stakeholders.
    With these tools & templates:
    • MMS Request for Proposal Template
    • MMS Vendor Demo Script
    With these tools & templates:
    • MMS Selection Executive Presentation Template
    Phase 3 Results
    • Select an MMS that meets requirements and is approved by stakeholders.

    Phase 3 milestones

    Launch the MMS Project and Collect Requirements — Phase 1

    • Understand the MMS market space.
    • Assess organizational and project readiness for MMS selection.
    • Structure your MMS selection and implementation project by refining your MMS roadmap.
    • Align organizational use-case fit with market use cases.
    • Collect, prioritize, and document MMS requirements.

    Shortlist MMS Tool — Phase 2

    • Review MMS market leaders and players within your aligned use case.
    • Review MMS vendor profiles and capabilities.
    • Shortlist MMS vendors based on organizational fit.

    Select an MMS — Phase 3

    • Submit request for proposal (RFP) to shortlisted vendors.
    • Evaluate vendor responses and develop vendor demonstration scripts.
    • Score vendor demonstrations and select the final product.

    Step 2.1: Analyze and shortlist MMS vendors

    3.1

    3.2

    Select Your MMS Communicate Decision to Stakeholders

    This step will walk you through the following activities:

    • Build a response template to standardize potential vendor responses and streamline your evaluation process.
    • Evaluate the RFPs you receive with a clear scoring process and evaluation framework.
    • Build a demo script to evaluate product demonstrations by vendors.
    • Select your solution.

    This step involves the following participants:

    • Core project team
    • Procurement SMEs
    • Project sponsor

    Outcomes of this step

    • Completed MMS RFP vendor response template
    • Completed MMS demo script(s)
    • Established product and vendor evaluation criteria
    • Final MMS selection

    Activity: Shortlist vendors for the RFP process

    Associated Activity icon 3.1.1 30 minutes

    INPUT: Organizational use-case fit

    OUTPUT: MMS vendor shortlist

    Materials: Info-Tech’s MMS use cases, Info-Tech’s vendor profiles, Whiteboard, markers

    Participants: Core project team

    Instructions

    1. Collectively with the core project team, determine any knock-out criteria for shortlisting MMS vendors. For example, if your team is executing on a strategy that favors mobile deployment, vendors who do not have a mobile offering may be off the table.
    2. Based on the results in Activity 1.3.2, write a longlist of vendors. In most cases, this list will consist of all the vendors that fall into your organization’s use-case scenario. If your organization fits into more than one use case (e.g. your organization has both product-centric and service-centric MMS needs), look for the overlap of vendors between the use cases.
    3. Review the profiles of the vendors that fall into your use-case scenario. Based on your knock-out criteria established in Step 1, eliminate any vendors as applicable.
    4. Finalize and record your shortlist of MMS vendors.

    Use Info-Tech’s MMS Request for Proposal Template to document and communicate your requirements to vendors

    Supporting Tool icon 3.1.2 MMS Request for Proposal Template

    Use the MMS Request for Proposal Template as a step-by-step guide on how to request interested vendors to submit written proposals that meet your set of requirements.

    If interested in bidding for your project, vendors will respond with a description of the techniques they would employ to address your organizational challenges and meet your requirements, along with a plan of work and detailed budget for the project.

    The RFP is an important piece of setting and aligning your expectations with the vendors’ product offerings. Make sure to address the following elements in the RFP:

    Sections of the Tool:

    1. Statement of work
    2. General information
    3. Proposal preparation instructions
    4. Scope of work, specifications, and requirements
    5. Vendor qualifications and references
    6. Budget and estimated pricing
    7. Additional terms and conditions
    8. Vendor certification

    INFO-TECH DELIVERABLE

    Sample of Info-Tech's MMS Request Proposal Template.

    Complete the MMS Request for Proposal Template by following the instructions in Activity 3.1.3.

    Activity: Create an RFP to submit to MMS vendors

    Associated Activity icon 3.1.3 1-2 hours

    INPUT: Business requirements document, Procurement procedures

    OUTPUT: MMS RFP

    Materials: Internal RFP tools or templates (if available), Info-Tech’s MMS Request for Proposal Template (optional)

    Participants: Procurement SMEs, Project manager, Core project team (optional)

    Instructions

    1. Download Info-Tech’s MMS Request for Proposal Template or prepare internal best-practice RFP tools.
    2. Build your RFP:
      1. Complete the statement of work and general information sections to provide organizational context to your longlisted vendors.
      2. Outline the organization’s procurement instructions for vendors, including due diligence, assessment criteria, and dates.
      3. Input the business requirements document as created in Activity 1.3.2.
      4. Create a scenario overview to provide vendors with an opportunity to give an estimate price.
    3. Obtain approval for your RFP. Each organization has a unique procurement process; follow your own organization’s process as you submit your RFPs to vendors. Ensure compliance with your organization’s standards and gain approval for submitting your RFP.

    Establish vendor evaluation criteria

    Vendor demonstrations are an integral part of the selection process. Having clearly defined selection criteria will help with setting up relevant demos as well as inform the vendor scorecards.

    EXAMPLE EVALUATION CRITERIAPie chart indicating the weight of each 'Vendor Evaluation Criteria': 'Functionality, 30%', 'Ease of Use, 25%', 'Cost, 15%', 'Vendor, 15%', and 'Technology, 15%'.
    Functionality (30%)
    • Breadth of capability
    • Tactical capability
    • Operational capability
    Ease of Use (25%)
    • End-user usability
    • Administrative usability
    • UI attractiveness
    • Self-service options
    Cost (15%)
    • Maintenance
    • Support
    • Licensing
    • Implementation (internal and external costs)
    Vendor (15%)
    • Support model
    • Customer base
    • Sustainability
    • Product roadmap
    • Proof of concept
    • Implementation model
    Technology (15%)
    • Configurability options
    • Customization requirements
    • Deployment options
    • Security and authentication
    • Integration environment
    • Ubiquity of access (mobile)

    Info-Tech Insight

    Base your vendor evaluations not on the capabilities of the solutions but instead on how the solutions align with your organization’s process automation requirements and considerations.

    Vendor demonstrations

    Examine how the vendor’s solution performs against your evaluation framework.

    What is the value of a vendor demonstration?

    Vendor demonstrations create a valuable opportunity for your organization to confirm that the vendor’s claims in the RFP are actually true.

    A display of the vendor’s functional capabilities and its execution of the scenarios given in your demo script will help to support your assessment of whether a vendor aligns with your MMS requirements.

    What should be included in a vendor demonstration?

    1. Vendor’s display of its solution for the scenarios provided in the demo script.
    2. Display of functional capabilities of the tool.
    3. Briefing on integration capabilities.

    Activity: Invite top performing vendors for product demonstrations

    Associated Activity icon 3.1.4 1-2 hours

    INPUT: Business requirements document, Logistical considerations, Usage scenarios by functional area

    OUTPUT: MMS demo script

    Materials: Info-Tech’s MMS Vendor Demo Script

    Participants: Procurement SMEs, Core project team

    Instructions

    1. Have your evaluation team (selected at the onset of the project) present to evaluate each vendor’s presentation. In some cases you may choose to bring in a subject matter expert (SME) to evaluate a specific area of the tool.
    2. Outline the logistics of the demonstration in the Introduction section of the template. Be sure to outline the total length of the demo and the amount of time that should be dedicated to the following:
      • Product demonstration in response to the demo script
      • Showcase of unique product elements, not reflective of the demo script
      • Question and answer session
      • Breaks and other potential interruptions
    3. Provide prompts for the vendor to display the capabilities by listing and describing usage scenarios by functional area. For example, when asking a vendor to demo financial and accounting management capabilities, you may break scenarios out by task (e.g. general ledger, accounts payable) or user role (e.g. finance manager, administrator).

    Info-Tech Insight

    Challenge vendor project teams during product demonstrations. Asking the vendor to make adjustments or customizations on the fly will allow you to get an authentic feel of product capability and flexibility, as well as of the degree of adaptability of the vendor project team. Ask the vendor to demonstrate how to do things not listed in your user scenarios, such as change system visualizations or design, change underlying data, add additional datasets, demonstrate analytics capabilities, or channel specific automation.

    Use Info-Tech’s MMS Vendor Demo Script template to set expectations for vendor product demonstration

    Vendor Profiles icon MMS Vendor Demo Script

    Customize and use Info-Tech’s MMS Vendor Demo Script to help identify how a vendor’s solution will fit your organization’s particular business capability needs.

    This tool assists with outlining logistical considerations for the demo itself and the scenarios with which the vendors should script their demonstration.

    Sections of the Tool:

    1. Introduction
    2. Demo scenarios by functional area

    Info-Tech Best Practice

    Avoid providing vendors with a rigid script for product demonstration; instead, provide user scenarios. Part of the value of a vendor demonstration is the opportunity to assess whether or not the vendor project team has a solid understanding of your organization’s MMS challenges and requirements and can work with your team to determine the best solution possible. A rigid script may result in your inability to assess whether the vendor will adjust for and scale with your project and organization as a technology partner.

    INFO-TECH DELIVERABLE

    Sample of Info-Tech's MMS Vendor Demo Script.

    Use the MMS Vendor Demo Script by following the instructions in Activity 3.1.4.

    Leverage Info-Tech’s vendor selection and negotiation models as the basis for a streamlined MMS selection process

    Design a procurement process that is robust, ruthless, and reasonable. Rooting out bias during negotiation is vital to making unbiased vendor selections.

    Vendor Selection

    Info-Tech’s approach to vendor selection gets you to design a procurement process that is robust, ruthless, and reasonable. This approach enables you to take control of vendor communications. Implement formal processes with an engaged team to achieve the right price, the right functionality, and the right fit for the organization with Info-Tech's blueprint Implement a Proactive and Consistent Vendor Selection Process.

    Stock image with the title Implement a Proactive and Consistent Vendor Selection Process.
    Vendor Negotiation

    Info-Tech’s SaaS negotiation strategy focuses on taking control of implementation from the beginning. The strategy allows you to work with your internal stakeholders to make sure they do not team up with the vendor instead of you. Reach an agreement with your vendor that takes into account both parties’ best interests with Info-Tech’s blueprint Negotiate SaaS Agreements That Are Built to Last.

    Stock image with the title Negotiate SaaS Agreements That Are Built to Last.

    Step 3.2: Communicate decision to stakeholders

    3.1

    3.2

    Select Your MMS Communicate Decision to Stakeholders

    This step will walk you through the following activities:

    • Collect project rationale documentation.
    • Create a presentation to communicate your selection decision to stakeholders.

    This step involves the following participants:

    • Core project team
    • Procurement SMEs
    • Project sponsor
    • Business stakeholders
    • Relevant management

    Outcomes of this step

    • Completed MMS Selection Executive Presentation Template
    • Affirmation of MMS selection by stakeholders

    Inform internal stakeholders of the final decision

    Ensure traceability from the selected tool to the needs identified in the first phase. Internal stakeholders must understand the reasoning behind the final selection and see the alignment to their defined requirements and needs.

    Document the selection process to show how the selected tool aligns to stakeholder needs:

    A large arrow labelled 'Application Benefits', underlaid beneath two smaller arrows labelled 'MMS stakeholder needs' and 'MMS technology needs', all pointing to the right.

    Documentation will assist with:

    1. Adopting the selected MMS.
    2. Demonstrating that proper due diligence was performed during the selection process.
    3. Providing direct traceability between the selected applications and internal stakeholder needs.

    Activity: Prepare a presentation deck to communicate the selection process and decision to internal stakeholders

    Associated Activity icon 3.2.1 1 week

    INPUT: MMS tool selection committee expertise

    OUTPUT: Decision to invest or not invest in an MMS tool

    Materials: Note-taking materials, Whiteboard or flip chart, markers

    Participants: MMS tool selection committee

    Instructions

    1. Download Info-Tech’s MMS Selection Executive Presentation Template.
    2. Read the instructions on slide 2 of the template. Then, on slide 3, decide if any portion of the selection process should be removed from the communication. Discuss with the team and make adjustments to slide 3 as necessary.
    3. Work with the MMS selection committee to populate the slides that remain after the adjustments. Follow the instructions on each slide to help complete the content.
    4. Refer to the square brackets on each slide (e.g. [X.X]) to identify the activity numbers in this storyboard that correspond to the slide in the MMS Selection Executive Presentation Template. Use the outputs produced from the corresponding activities in this deck and populate each slide in the MMS Selection Executive Presentation Template.
    5. Use the completed template to present to internal stakeholders.

    Info-Tech Insight

    Documenting the process of how the selection decision was made will avoid major headaches down the road. Without a documented process, internal stakeholders and even vendors can challenge and discredit the selection process.

    Vendor participation

    Vendors Who Briefed with Info-Tech Research Group

    Logos of vendors who participated in this blueprint: Salesforce Pardot, SAS, Adobe, Marketo, and Salesforce Marketing Cloud.

    Professionals Who Contributed to Our Evaluation and Research

    • Sara Camden, Digital Change Agent, Equifax
    • Caren Carrasco, Lifecycle Marketing and Automation, Benjamin David Group
    • 10 anonymous contributors participated in the vendor briefings

    Works cited

    Adobe Systems Incorporated. “Bayer builds understanding, socially.” Adobe.com, 2017. Web.

    IBM Corporation, “10 Key Marketing Trends for 2017.” IBM.com, 2017. Web.

    Marketo, Inc. “The Definitive Guide to Marketing Automation.” Marketo.com, 2013. Web.

    Marketo, Inc. “NBA franchise amplifies its message with help from Marketo’s marketing automation technology.” Marketo.com, 2017. Web.

    Salesforce Pardot. “Marketing Automation & Your CRM: The Dynamic Duo.” Pardot.com, 2017. Web.

    SAS Institute Inc. “Marketing Analytics: How, why and what’s next.” SAS Magazine, 2013. Web.

    SAS Institute Inc. “Give shoppers offers they’ll love.” SAS.com, 2017. Web.

    2021 IT Talent Trend Report

    • Buy Link or Shortcode: {j2store}516|cart{/j2store}
    • member rating overall impact (scale of 10): 10.0/10 Overall Impact
    • member rating average dollars saved: $9,919 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Lead
    • Parent Category Link: /lead
    • In March 2020, many organizations were forced to switch to a virtual working world. IT enabled organizations to be successful while working from home. Ultimately, this shift changed the way that we all work, and in turn, the way IT leaders manage talent.
    • Many organizations are considering long-term remote work (Kelly, 2020).
    • Change is starting but is lagging.

    Our Advice

    Critical Insight

    • Increase focus on employee experience to navigate new challenges.
    • A good employee experience is what is best for the IT department.

    Impact and Result

    • The data shows IT is changing in the area of talent management.
    • IT has a large role in enabling organizations to work from home, especially from a technological and logistics perspective. There is evidence to show that they are now expanding their role to better support employees when working from home.
    • Survey respondents identified efforts already underway for IT to improve employee experience and subsequently, IT effectiveness.

    2021 IT Talent Trend Report Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should focus on the employee experience and get an overview of what successful IT leaders are doing differently heading into 2021 – the five new talent management trends.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. DEI: A top talent objective

    The focus on diversity, equity, and inclusion (DEI) initiatives spans the entire organization beyond just HR. Learn which DEI efforts are underway with IT.

    • 2021 IT Talent Trend Report – Trend 1: DEI: A Top Talent Objective

    2. Remote work is here to stay

    Forced work-from-home demonstrated to organizations that employees can be productive while working away from the physical office. Learn more about how remote work is changing work.

    • 2021 IT Talent Trend Report – Trend 2: Remote Work Is Here to Stay

    3. A greater emphasis on wellbeing

    When the pandemic hit, organizations were significantly concerned about how employees were doing. Learn more about wellbeing.

    • 2021 IT Talent Trend Report – Trend 3: A Greater Emphasis on Wellbeing

    4. A shift in skills priorities

    Upskilling and finding sought after skills were challenging before the pandemic. How has it changed since? Learn more about skills priorities.

    • 2021 IT Talent Trend Report – Trend 4: A Shift in Skills Priorities

    5. Uncertainty unlocks performance

    The pandemic and remote work has affected performance. Learn about how uncertainty has impacted performance management.

    • 2021 IT Talent Trend Report – Trend 5: Uncertainty Unlocks Performance
    [infographic]

    ChatGPT Beyond the hype. What can it do for you?

    Summary of the deck.

    ChatGPT is a generative AI tool developed by OpenAI, a non-profit founded by Silicon Valley titans, including Elon Musk and Sam Altman. It is designed to interact with users in a way that mimics human dialogue. The tool became available via a research release on November 30, 2022, and was an immediate hit – within a week; it attracted more than a million users. Functionally, ChatGPT is designed to answer questions, but it is not the first one. The concept has existed for decades. While it is very powerful, it has also attracted criticism. 

    IT Operations, strategy

    Register to read more …

    Initiate Your Service Management Program

    • Buy Link or Shortcode: {j2store}398|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • IT organizations continue attempting to implement service management, often based on ITIL, with limited success and without visible value.
    • More than half of service management implementations have failed beyond simply implementing the service desk and the incident, change, and request management processes.
    • Organizational structure, goals, and cultural factors are not considered during service management implementation and improvement.
    • The business lacks engagement and understanding of service management.

    Our Advice

    Critical Insight

    • Service management is an organizational approach. Focus on producing successful and valuable services and service outcomes for the customers.
    • All areas of the organization are accountable for governing and executing service management. Ensure that you create a service management strategy that improves business outcomes and provides the value and quality expected.

    Impact and Result

    • Identified structure for how your service management model should be run and governed.
    • Identified forces that impact your ability to oversee and drive service management success.
    • Mitigation approach to restraining forces.

    Initiate Your Service Management Program Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why service management implementations often fail and why you should establish governance for service management.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify the level of oversight you need

    Use Info-Tech’s methodology to establish an effective service management program with proper oversight.

    • Service Management Program Initiation Plan
    [infographic]

    Optimize IT Project Intake, Approval, and Prioritization

    • Buy Link or Shortcode: {j2store}433|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $124,419 Average $ Saved
    • member rating average days saved: 31 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Companies are approving more projects than they can deliver. Most organizations say they have too many projects on the go and an unmanageable and ever-growing backlog of things to get to.
    • While organizations want to achieve a high throughput of approved projects, many are unable or unwilling to allocate an appropriate level of IT resourcing to adequately match the number of approved initiatives.
    • Portfolio management practices must find a way to accommodate stakeholder needs without sacrificing the portfolio to low-value initiatives that do not align with business goals.

    Our Advice

    Critical Insight

    • Approve only the right projects that you have capacity to deliver. Failure to align projects with strategic goals and resource capacity are the most common causes of portfolio waste across organizations.
    • More time spent with stakeholders during the ideation phase to help set realistic expectations for stakeholders and enhance visibility into IT’s capacity and processes is key to both project and organizational success.
    • Too much intake red tape will lead to an underground economy of projects that escape portfolio oversight, while too little intake formality will lead to a wild west of approvals that could overwhelm the PMO. Finding the right balance of intake formality for your organization is the key to establishing a PMO that has the ability to focus on the right things.

    Impact and Result

    • Establish an effective scorecard to create transparency into IT’s capacity and processes. This will help set realistic expectations for stakeholders, eliminate “squeaky wheel” prioritization, and give primacy to the highest value requests.
    • Build a centralized process that funnels requests into a single intake channel to eliminate confusion and doubt for stakeholders and staff while also reducing off-the-grid initiatives.
    • Clearly define a series of project approval steps, and communicate requirements for passing them.
    • Develop practices that incorporate the constraint of resource capacity to cap the amount of project approvals to that which is realistic to help improve the throughput of projects through the portfolio.

    Optimize IT Project Intake, Approval, and Prioritization Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should optimize project intake, approval, and prioritization process, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set realistic goals for optimizing project intake, approval, and prioritization process

    Get value early by piloting a scorecard for objectively determining project value, and then examine your current state of project intake to set realistic goals for optimizing the process.

    • Optimize Project Intake, Approval, and Prioritization – Phase 1: Set Realistic Goals for Optimizing Process
    • Project Value Scorecard Development Tool
    • Project Intake Workflow Template - Visio
    • Project Intake Workflow Template - PDF
    • Project Intake, Approval, and Prioritization SOP

    2. Build an optimized project intake, approval, and prioritization process

    Take a deeper dive into each of the three processes – intake, approval, and prioritization – to ensure that the portfolio of projects is best aligned to stakeholder needs, strategic objectives, and resource capacity.

    • Optimize Project Intake, Approval, and Prioritization – Phase 2: Build New Optimized Processes
    • Light Project Request Form
    • Detailed Project Request Form
    • Project Intake Classification Matrix
    • Benefits Commitment Form Template
    • Proposed Project Technology Assessment Tool
    • Fast Track Business Case Template
    • Comprehensive Business Case Template
    • Project Intake and Prioritization Tool

    3. Integrate the new optimized processes into practice

    Plan a course of action to pilot, refine, and communicate the new optimized process using Info-Tech’s expertise in organizational change management.

    • Optimize Project Intake, Approval, and Prioritization – Phase 3: Integrate the New Processes into Practice
    • Intake Process Pilot Plan Template
    • Project Backlog Manager
    • Intake and Prioritization Impact Analysis Tool
    [infographic]

    Workshop: Optimize IT Project Intake, Approval, and Prioritization

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Refocus on Project Value to Set Realistic Goals

    The Purpose

    Set the course of action for optimizing project intake, approval, and prioritization by examining the current state of the process, the team, the stakeholders, and the organization as a whole.

    Key Benefits Achieved

    The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

    Activities

    1.1 Define the criteria with which to determine project value.

    1.2 Envision your target state for your optimized project intake, approval, and prioritization process.

    Outputs

    Draft project valuation criteria

    Examination of current process, definition of process success criteria

    2 Examine, Optimize, and Document the New Process

    The Purpose

    Drill down into, and optimize, each of the project intake, approval, and prioritization process.

    Key Benefits Achieved

    Info-Tech’s methodology systemically fits the project portfolio into its triple constraint of stakeholder needs, strategic objectives, and resource capacity, to effectively address the challenges of establishing organizational discipline for project intake.

    Activities

    2.1 Conduct retrospectives of each process against Info-Tech’s best practice methodology for project intake, approval, and prioritization process.

    2.2 Pilot and customize a toolbox of deliverables that effectively captures the right amount of data developed for informing the appropriate decision makers for approval.

    Outputs

    Documentation of new project intake, approval, and prioritization process

    Tools and templates to aid the process

    3 Pilot, Plan, and Communicate the New Process

    The Purpose

    Reduce the risks of prematurely implementing an untested process.

    Methodically manage the risks associated with organizational change and maximize the likelihood of adoption for the new process.

    Key Benefits Achieved

    Engagement paves the way for smoother adoption. An “engagement” approach (rather than simply “communication”) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Activities

    3.1 Create a plan to pilot your intake, approval, and prioritization process to refine it before rollout.

    3.2 Analyze the impact of organizational change through the eyes of PPM stakeholders to gain their buy-in.

    Outputs

    Process pilot plan

    Organizational change communication plan

    Further reading

    Optimize IT Project Intake, Approval, and Prioritization

    Decide which IT projects to approve and when to start them.

    ANALYST PERSPECTIVE

    Capacity-constrained intake is the only sustainable path forward.

    "For years, the goal of project intake was to select the best projects. It makes sense and most people take it on faith without argument. But if you end up with too many projects, it’s a bad strategy. Don’t be afraid to say NO or NOT YET if you don’t have the capacity to deliver. People might give you a hard time in the near term, but you’re not helping by saying YES to things you can’t deliver."

    Barry Cousins,

    Senior Director, PMO Practice

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • PMO Directors who have trouble with project throughput
    • CIOs who want to improve IT’s responsive-ness to changing needs of the business
    • CIOs who want to maximize the overall business value of IT’s project portfolio

    This Research Will Help You:

    • Align project intake and prioritization with resource capacity and strategic objectives
    • Balance proactive and reactive demand
    • Reduce portfolio waste on low-value projects
    • Manage project delivery expectations and satisfaction of business stakeholders
    • Get optimized project intake processes off the ground with low-cost, high-impact tools and templates

    This Research Will Also Assist:

    • C-suite executives and steering committee members who want to ensure IT’s successful delivery of projects with high business impact
    • Project sponsors and product owners who seek visibility and transparency toward proposed projects

    This Research Will Help Them:

    • Ensure that high-impact projects are approved and delivered in a timely manner
    • Gain clarity and visibility in IT’s project approval process
    • Improve your understanding of IT’s capacity to set more realistic expectations on what gets done

    Executive summary

    Situation

    • As a portfolio manager, you do not have the authority to decline or defer new projects – but you also lack the capacity to realistically say yes to more project work.
    • Stakeholders have unrealistic expectations of what IT can deliver. Too many projects are approved, and it may be unclear why their project is delayed or in a state of suspended animation.

    Complication

    • The cycle of competition is making it increasingly difficult to follow a longer-term strategy during project intake, making it unproductive to approve projects for any horizon longer than one to two years.
    • As project portfolios become more aligned to “transformative” projects, resourcing for smaller, department-level projects becomes increasingly opaque.

    Resolution

    • Establish an effective scorecard to create transparency into IT’s capacity and processes. This will help set realistic expectations for stakeholders, eliminate “squeaky wheel” prioritization, and give primacy to the highest value requests.
    • Build a centralized process that funnels requests into a single intake channel to eliminate confusion and doubt for stakeholders and staff while also reducing off-the-grid initiatives.
    • Clearly define a series of project approval steps, and communicate requirements for passing them.
    • Developing practices that incorporate the constraint of resource capacity to cap the amount of project approvals to that which is realistic will help improve the throughput of projects through the portfolio.

    Info-Tech Insight

    1. Approve only the right projects… Counterbalance stakeholder needs with strategic objectives of the business and that of IT, in order to maintain the value of your project portfolio at a high level.
    2. …that you have capacity to deliver. Resource capacity-informed project approval process enables you to avoid biting off more than you can chew and, over time, build a track record of fulfilling promises to deliver on projects.

    Most organizations are good at approving projects, but bad at starting them – and even worse at finishing them

    Establishing project intake discipline should be a top priority from a long-term strategy and near-term tactical perspective.

    Most organizations approve more projects than they can finish. In fact, many approve more than they can even start, leading to an ever-growing backlog where project ideas – often good ones – are never heard from again.

    The appetite to approve more runs directly counter to the shortage of resources that plagues most IT departments. This tension of wanting more from less suggests that IT departments need to be more disciplined in choosing what to take on.

    Info-Tech’s data shows that most IT organizations struggle with their project backlog (Source: N=397 organizations, Info-Tech Research Group PPM Current State Scorecard, 2017).

    “There is a minimal list of pending projects”

    A bar graph is depicted. It has 5 bars to show that when it comes to minimal lists of pending projects, 34% strongly disagree, 35% disagree, and 21% are ambivalent. Only 7% agree and 3% strongly agree.

    “Last year we delivered the number of projects we anticipated at the start of the year”

    A bar graph is depicted. It has 5 bars to show that when it comes to the number of projects anticipated at the start of the year, they were delivered. Surveyors strongly disagreed at 24%, disagreed at 31%, and were ambivalent at 30%. Only 13% agreed and 2% strongly agreed.

    The concept of fiduciary duty demonstrates the need for better discipline in choosing what projects to take on

    Unless someone is accountable for making the right investment of resource capacity for the right projects, project intake discipline cannot be established effectively.

    What is fiduciary duty?

    Officers and directors owe their corporation the duty of acting in the corporation’s best interests over their own. They may delegate the responsibility of implementing the actions, but accountability can't be delegated; that is, they have the authority to make choices and are ultimately answerable for them.

    No question is more important to the organization’s bottom line. Projects directly impact the bottom line because they require investment of resource time and money for the purposes of realizing benefits. The scarcity of resources requires that choices be made by those who have the right authority.

    Who approves your projects?

    Historically, the answer would have been the executive layer of the organization. However, in the 1990s management largely abdicated its obligation to control resources and expenditures via “employee empowerment.”

    Controls on approvals became less rigid, and accountability for choosing what to do (and not do) shifted onto the shoulders of the individual worker. This creates a current paradigm where no one is accountable for the malinvestment…

    …of resources that comes from approving too many projects. Instead, it’s up to individual workers to sink or swim as they attempt to reconcile, day after day, seemingly infinite organizational demand with their finite supply of working hours.

    Ad hoc project selection schemes do not work

    Without active management, reconciling the imbalance between demand with available work hours is a struggle that results largely in one of these two scenarios:

    “Squeaky wheel”: Projects with the most vocal stakeholders behind them are worked on first.

    • IT is seen to favor certain lines of business, leading to disenfranchisement of other stakeholders.
    • Everything becomes the highest priority, which reinforces IT’s image as a firefighter, rather than a business value contributor
    • High-value projects without vocal support never get resourced; opportunities are missed.

    “First in, first out”: Projects are approved and executed in the order they are requested.

    • Urgent or important projects for the business languish in the project backlog; opportunities are missed.
    • Low-value projects dominate the project portfolio.
    • Stakeholders leave IT out of the loop and resort to “underground economy” for getting their needs addressed.

    80% of organizations feel that their portfolios are dominated by low-value initiatives that do not deliver value to the business (Source: Cooper).

    Approve the right projects that you have capacity to deliver by actively managing the intake of projects

    Project intake, approval, and prioritization (collectively “project intake”) reconciles the appetite for new projects with available resource capacity and strategic goals.

    Project intake is a key process of project portfolio management (PPM). The Project Management Institute (PMI) describes PPM as:

    "Interrelated organizational processes by which an organization evaluates, selects, prioritizes, and allocates its limited internal resources to best accomplish organizational strategies consistent with its vision, mission, and values."

    (PMI, Standard for Portfolio Management, 3rd ed.)

    Triple Constraint Model of the Project Portfolio

    Project Intake:

    • Stakeholder Need
    • Strategic Objectives
    • Resource Capacity

    All three components are required for the Project Portfolio

    Organizations practicing PPM recognize available resource capacity as a constraint and aim to select projects – and commit the said capacity – to projects that:

    1. Best satisfy the stakeholder needs that constantly change with the market
    2. Best align to the strategic objectives and contribute the most to business
    3. Have sufficient resource capacity available to best ensure consistent project throughput

    92% vs. 74%: 92% of high-performing organizations in PPM report that projects are well aligned to strategic initiatives vs. 74% of low performers (PMI, 2015).

    82% vs. 55%: 82% of high-performing organizations in PPM report that resources are effectively reallocated across projects vs. 55% of low performers (PMI, 2015)

    Info-Tech’s data demonstrates that optimizing project intake can also improve business leaders’ satisfaction of IT

    CEOs today perceive IT to be poorly aligned to business’ strategic goals:

    43% of CEOs believe that business goals are going unsupported by IT (Source: Info-Tech’s CEO-CIO Alignment Survey (N=124)).

    60% of CEOs believe that improvement is required around IT’s understanding of business goals (Source: Info-Tech’s CEO-CIO Alignment Survey (N=124)).

    Business leaders today are generally dissatisfied with IT:

    30% of business stakeholders are supporters of their IT departments (Source: Info-Tech’s CIO Business Vision Survey (N=21,367)).

    The key to improving business satisfaction with IT is to deliver on projects that help the business achieve its strategic goals:

    A chart is depicted to show a list of reported important projects, and then reordering the projects based on actual importance.
    Source: Info-Tech’s CIO Business Vision Survey (N=21,367)

    Optimized project intake not only improves the project portfolio’s alignment to business goals, but provides the most effective way to improve relationships with IT’s key stakeholders.

    Benchmark your own current state with overall & industry-specific data using Info-Tech’s Diagnostic Program.

    However, establishing organizational discipline for project intake, approval, and prioritization is difficult

    Capacity awareness

    Many IT departments struggle to realistically estimate available project capacity in a credible way. Stakeholders question the validity of your endeavor to install capacity-constrained intake process, and mistake it for unwillingness to cooperate instead.

    Many moving parts

    Project intake, approval, and prioritization involve the coordination of various departments. Therefore, they require a great deal of buy-in and compliance from multiple stakeholders and senior executives.

    Lack of authority

    Many PMOs and IT departments simply lack the ability to decline or defer new projects.

    Unclear definition of value

    Defining the project value is difficult because there are so many different and conflicting ways that are all valid in their own right. However, without it, it's impossible to fairly compare among projects to select what's "best."

    Establishing intake discipline requires a great degree of cooperation and conformity among stakeholders that can be cultivated through strong processes.

    Info-Tech’s intake, approval, and prioritization methodology systemically fits the project portfolio to its triple constraint

    Info-Tech’s Methodology

    Info-Tech’s Methodology
    Project Intake Project Approval Project Prioritization
    Project requests are submitted, received, triaged, and scoped in preparation for approval and prioritization. Business cases are developed, evaluated, and selected (or declined) for investment, based on estimated value and feasibility. Work is scheduled to begin, based on relative value, urgency, and availability of resources.
    Stakeholder Needs Strategic Objectives Resource Capacity
    Project Portfolio Triple Constraint

    Info-Tech’s methodology for optimizing project intake delivers extraordinary value, fast

    In the first step of the blueprint, you will prototype a set of scorecard criteria for determining project value.

    Our methodology is designed to tackle your hardest challenge first to deliver the highest-value part of the deliverable. Since the overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects, one must define how “the best projects” are determined.

    In nearly all instances…a key challenge for the PPM team is reaching agreement over how projects should rank.

    – Merkhofer

    A Project Value Scorecard will help you:

    • Evolve the discussions on project and portfolio value beyond a theoretical concept
    • Enable apples-to-apples comparisons amongst many different kinds of projects

    The Project Value Scorecard Development Tool is designed to help you develop the project valuation scheme iteratively. Download the pre-filled tool with content that represents a common case, and then, customize it with your data.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool

    This blueprint provides a clear path to maximizing your chance of success in optimizing project intake

    Info-Tech’s practical, tactical research is accompanied by a suite of tools and templates to accelerate your process optimization efforts.

    Organizational change and stakeholder management are critical elements of optimizing project intake, approval, and prioritization processes because they require a great degree of cooperation and conformity among stakeholders, and the list of key stakeholders are long and far-reaching.

    This blueprint will provide a clear path to not only optimize the processes themselves, but also for the optimization effort itself. This research is organized into three phases, each requiring a few weeks of work at your team’s own pace – or all in one week, through a workshop facilitated by Info-Tech analysts.

    Set Realistic Goals for Optimizing Project Intake, Approval, and Prioritization

    Tools and Templates:

    • Project Value Scorecard Development Tool (.xlsx)
    • PPM Assessment Report (Info-Tech Diagnostics)
    • Standard Operating Procedure Template (.docx)

    Build Optimized Project Intake, Approval, and Prioritization Processes

    Tools and Templates:

    • Project Request Forms (.docx)
    • Project Classification Matrix (.xlsx)
    • Benefits Commitment Form (.xlsx)
    • Proposed Project Technology Assessment Tool (.xlsx)
    • Business Case Templates (.docx)
    • Intake and Prioritization Tool (.xlsx)

    Integrate the Newly Optimized Processes into Practice

    Tools and Templates:

    • Process Pilot Plan Template (.docx)
    • Impact Assessment and Communication Planning Tool (.xlsx)

    Info-Tech’s approach to PPM is informed by industry best practices and rooted in practical insider research

    Info-Tech uses PMI and ISACA frameworks for areas of this research.

    The logo for PMI is in the picture.

    PMI’s Standard for Portfolio Management, 3rd ed. is the leading industry framework, proving project portfolio management best practices and process guidelines.

    The logo for COBIT 5 is in the picture.

    COBIT 5 is the leading framework for the governance and management of enterprise IT.

    In addition to industry-leading frameworks, our best-practice approach is enhanced by the insights and guidance from our analysts, industry experts, and our clients.

    Info-Tech's logo is shown.

    33,000+

    Our peer network of over 33,000 happy clients proves the effectiveness of our research.

    1,000+

    Our team conducts 1,000+ hours of primary and secondary research to ensure that our approach is enhanced by best practices.

    Deliver measurable project intake success for your organization with this blueprint

    Measure the value of your effort to track your success quantitatively and demonstrate the proposed benefits, as you aim to do so with other projects through improved PPM.

    Optimized project intake, approval, and prioritization processes lead to a high PPM maturity, which will improve the successful delivery and throughput of your projects, resource utilization, business alignment, and stakeholder satisfaction ((Source: BCG/PMI).

    A double bar graph is depicted to show high PPM maturity yields measurable benefits. It covers 4 categories: Management for individual projects, financial performance, strategy implementation, and organizational agility.

    Measure your success through the following metrics:

    • Reduced turnaround time between project requests and initial scoping
    • Number of project proposals with articulated benefits
    • Reduction in “off-the-grid” projects
    • Team satisfaction and workplace engagement
    • PPM stakeholder satisfaction score from business stakeholders: see Info-Tech’s PPM Customer Satisfaction Diagnostics

    $44,700: In the past 12 months, Info-Tech clients have reported an average measured value of $44,700 from undertaking a guided implementation of this research.

    Add your own organization-specific goals, success criteria, and metrics by following the steps in the blueprint.

    Case Study: Financial Services PMO prepares annual planning process with Project Value Scorecard Development Tool

    CASE STUDY

    Industry: Financial Services

    Source: Info-Tech Client

    Challenge

    PMO plays a diverse set of roles, including project management for enterprise projects (i.e. PMI’s “Directive” PMO), standards management for department-level projects (i.e. PMI’s “Supportive” PMO), process governance of strategic projects (i.e. PMI’s “Controlling” PMO), and facilitation / planning / reporting for the corporate business strategy efforts (i.e. Enterprise PMO).

    To facilitate the annual planning process, the PMO needed to develop a more data-driven and objective project intake process that implicitly aligned with the corporate strategy.

    Solution

    Info-Tech’s Project Value Scorecard tool was incorporated into the strategic planning process.

    Results

    The scorecard provided a simple way to list the competing strategic initiatives, objectively score them, and re-sort the results on demand as the leadership chooses to switch between ranking by overall score, project value, ability to execute, strategic alignment, operational alignment, and feasibility.

    The Project Value Scorecard provided early value with multiple options for prioritized rankings.

    A screenshot of the Project Value Scorecard is shown in the image.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Optimize Project Intake, Approval, and Prioritization – project overview

    1. Set Realistic Goals for Optimizing Process 2. Build New Optimized Processes 3. Integrate the New Processes into Practice
    Best-Practice Toolkit

    1.1 Define the criteria with which to determine project value.


    2.1 Streamline intake to manage stakeholder expectations.

    2.2 Set up steps of project approval to maximize strategic alignment while right-sizing the required effort.

    2.3 Prioritize projects to maximize the value of the project portfolio within the constraint of resource capacity.

    3.1 Pilot your intake, approval, and prioritization process to refine it before rollout.

    3.2 Analyze the impact of organizational change through the eyes of PPM stakeholders to gain their buy-in.

    Guided Implementations
    • Introduce Project Value Scorecard Development Tool and pilot Info-Tech’s example scorecard on your own backlog.
    • Map current project intake, approval, and prioritization process and key stakeholders.
    • Set realistic goals for process optimization.
    • Improve the management of stakeholder expectations with an optimized intake process.
    • Improve the alignment of the project portfolio to strategic objectives with an optimized approval process.
    • Enable resource capacity-constrained greenlighting of projects with an optimized prioritization process.
    • Create a process pilot strategy with supportive stakeholders.
    • Conduct a change impact analysis for your PPM stakeholders to create an effective communication strategy.
    • Roll out the new process and measure success.
    Onsite Workshop

    Module 1:

    Refocus on Project Value to Set Realistic Goals for Optimizing Project Intake, Approval, and Prioritization Process

    Module 2:

    Examine, Optimize, and Document the New Project Intake, Approval, and Prioritization Process

    Module 3:

    Pilot, Plan, and Communicate the New Process and Its Required Organizational Changes

    Phase 1 Outcome:
    • Draft project valuation criteria
    • Examination of current process
    • Definition of process success criteria
    Phase 2 Outcome:
    • Documentation of new project intake, approval, and prioritization process
    • Tools and templates to aid the process
    Phase 3 Outcome:
    • Process pilot plan
    • Organizational change communication plan

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Workshop Day 1 Workshop Day 2 Workshop Day 3 Workshop Day 4 Workshop Day 5
    Activities

    Benefits of optimizing project intake and project value definition

    1.1 Complete and review PPM Current State Scorecard Assessment

    1.2 Define project value for the organization

    1.3 Engage key PPM stakeholders to iterate on the scorecard prototype

    Set realistic goals for process optimization

    2.1 Map current intake, approval, and prioritization workflow

    2.2 Enumerate and prioritize process stakeholders

    2.3 Determine the current and target capability levels

    2.4 Define the process success criteria and KPIs

    Optimize project intake and approval processes

    3.1 Conduct focused retrospectives for project intake and approval

    3.2 Define project levels

    3.3 Optimize project intake processes

    3.4 Optimize project approval processes

    3.5 Compose SOP for intake and approval

    3.6 Document the new intake and approval workflow

    Optimize project prioritization process plan for a process pilot

    4.1 Conduct focused retrospective for project prioritization

    4.2 Estimate available resource capacity

    4.3 Pilot Project Intake and Prioritization Tool with your project backlog

    4.4 Compose SOP for prioritization

    4.5 Document the new prioritization workflow

    4.6 Discuss process pilot

    Analyze stakeholder impact and create communication strategy

    5.1 Analyze stakeholder impact and responses to impending organization change

    5.2 Create message canvas for at-risk change impacts and stakeholders

    5.3 Set course of action for communicating change

    Deliverables
    1. PPM Current State Scorecard
    2. Project Value Scorecard prototype
    1. Current intake, approval, and prioritization workflow
    2. Stakeholder register
    3. Intake process success criteria
    1. Project request form
    2. Project level classification matrix
    3. Proposed project deliverables toolkit
    4. Customized intake and approval SOP
    5. Flowchart for the new intake and approval workflow
    1. Estimated resource capacity for projects
    2. Customized Project Intake and Prioritization Tool
    3. Customized prioritization SOP
    4. Flowchart for the new prioritization workflow
    5. Process pilot plan
    1. Completed Intake and Prioritization Impact Analysis Tool
    2. Communication strategy and plan

    Phase 1

    Set Realistic Goals for Optimizing Project Intake, Approval, and Prioritization Process

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Set Realistic Goals for Project Intake, Approval, and Prioritization Process Proposed Time to Completion: 1-2 weeks

    Step 1.1: Define the project valuation criteria

    Start with an analyst kick-off call:

    • Discuss how a project value is currently determined
    • Introduce Info-Tech’s scorecard-driven project valuation approach

    Then complete these activities…

    • Create a first-draft version of a project value-driven prioritized list of projects
    • Review and iterate on the scorecard criteria

    With these tools & templates:

    Project Value Scorecard Development Tool

    Step 1.2: Envision your process target state

    Start with an analyst kick-off call:

    • Introduce Info-Tech’s project intake process maturity model
    • Discuss the use of Info-Tech’s Diagnostic Program for an initial assessment of your current PPM processes

    Then complete these activities…

    • Map your current process workflow
    • Enumerate and prioritize your key stakeholders
    • Define process success criteria

    With these tools & templates:

    Project Intake Workflow Template

    Project Intake, Approval, and Prioritization SOP Template

    Phase 1 Results & Insights:
    • The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

    Get to value early with Step 1.1 of this blueprint

    Define how to determine a project’s value and set the stage for maximizing the value of your project portfolio using Info-Tech’s Project Value Scorecard Development Tool.

    Where traditional models of consulting can take considerable amounts of time before delivering value to clients, Info-Tech’s methodology for optimizing project intake, approval, and prioritization process gets you to value fast.

    The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

    In the first step of this blueprint, you will pilot a multiple-criteria scorecard for determining project value that will help answer that question. Info-Tech’s Project Value Scorecard Development Tool is pre-populated with a ready-to-use, real-life example that you can leverage as a starting point for tailoring it to your organization – or adopt as is.

    Introduce objectivity and clarity to your discussion of maximizing the value of your project portfolio with Info-Tech’s practical IT research that drives measurable results.

    Download Info-Tech’s Project Value Scorecard Development Tool.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool

    Step 1.1: Define the criteria with which to determine project value

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Learn how to use the Project Value Scorecard Development Tool
    • Create a first-draft version of a project value-driven prioritized list of projects

    This step involves the following participants:

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • CIO (optional)

    Outcomes of this step

    • Understand the importance of devising a consensus criteria for project valuation.
    • Try a project value scorecard-driven prioritization process with your currently proposed.
    • Set the stage for optimizing project intake, approval, and prioritization processes.

    Intake, Approval, and Prioritization is a core process in Info-Tech’s project portfolio management (PPM) framework

    PPM is an infrastructure around projects that aims to ensure that the best projects are worked on at the right time with the right people.

    PPM’s goal is to maximize the throughput of projects that provide strategic and operational value to the organization. To do this, a PPM strategy must help to:

    Info-Tech's Project Portfolio Management Process Model
    3. Status & Progress Reporting
    1. Intake, Approval & Prioritization 2. Resource Management 3. Project Management 4. Project Closure 5. Benefits Tracking
    Intake Execution Closure
    1. Select the best projects
    2. Pick the right time and people to execute the projects
    3. Make sure the projects are okay
    4. Make sure the projects get done
    5. Make sure they were worth doing

    If you don’t yet have a PPM strategy in place, or would like to revisit your existing PPM strategy before optimizing your project intake, approval, and prioritization practices, see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

    A screenshot of Info-Tech's blueprint Develop a Project Portfolio Management Strategy is shown.

    “Too many projects, not enough resources” is the reality of most IT environments

    A profound imbalance between demand (i.e. approved project work and service delivery commitments) and supply (i.e. people’s time) is the top challenge IT departments face today.

    In today’s organizations, the desires of business units for new products and enhancements, and the appetites of senior leadership to approve more and more projects for those products and services, far outstrip IT’s ability to realistically deliver on everything.

    The vast majority of IT departments lack the resourcing to meet project demand – especially given the fact that day-to-day operational demands frequently trump project work.

    As a result, project throughput suffers – and with it, IT’s reputation within the organization.

    An image is depicted that has several projects laid out near a scale filling one side of it and off of it. On the other part of the scale which is higher, has an image of people in it to help show the relationship between resource supply and project demand.

    Info-Tech Insight

    Where does the time go? The portfolio manager (or equivalent) should function as the accounting department for time, showing what’s available in IT’s human resources budget for projects and providing ongoing visibility into how that budget of time is being spent.

    Don’t weigh your portfolio down by starting more than you can finish

    Focus on what will deliver value to the organization and what you can realistically deliver.

    Most of the problems that arise during the lifecycle of a project can be traced back to issues that could have been mitigated during the initiation phase.

    More than simply a means of early problem detection at the project level, optimizing your initiation processes is also the best way to ensure the success of your portfolio. With optimized intake processes you can better guarantee:

    • The projects you are working on are of high value
    • Your project list aligns with available resource capacity
    • Stakeholder needs are addressed, but stakeholders do not determine the direction of the portfolio

    80% of organizations feel their portfolios are dominated by low-value initiatives that do not deliver value to the business (Source: Cooper).

    "(S)uccessful organizations select projects on the basis of desirability and their capability to deliver them, not just desirability" (Source: John Ward, Delivering Value from Information Systems and Technology Investments).

    Establishing project value is the first – and difficult – step for optimizing project intake, approval, and prioritization

    What is the best way to “deliver value to the organization”?

    Every organization needs to explicitly define how to determine project value that will fairly represent all projects and provide a basis of comparison among them during approval and prioritization. Without it, any discussions on reducing “low-value initiatives” from the previous slide cannot yield any actionable plan.

    However, defining the project value is difficult, because there are so many different and conflicting ways that are all valid in their own right and worth considering. For example:

    • Strategic growth vs. operational stability
    • Important work vs. urgent work
    • Return on investment vs. cost containment
    • Needs of a specific line of business vs. business-wide needs
    • Financial vs. intangible benefits

    This challenge is further complicated by the difficulty of identifying the right criteria for determining project value:

    Managers fail to identify around 50% of the important criteria when making decisions (Source: Transparent Choice).

    Info-Tech Insight

    Sometimes it can be challenging to show the value of IT-centric, operational-type projects that maintain critical infrastructure since they don’t yield net-new benefits. Remember that benefits are only half the equation; you must also consider the costs of not undertaking the said project.

    Find the right mix of criteria for project valuation with Info-Tech’s Project Value Scorecard Development Tool

    Scorecard-driven approach is an easy-to-understand, time-tested solution to a multiple-criteria decision-making problem, such as project valuation.

    This approach is effective for capturing benefits and costs that are not directly quantifiable in financial terms. Projects are evaluated on multiple specific questions, or criteria, that each yield a score on a point scale. The overall score is calculated as a weighted sum of the scores.

    Info-Tech’s Project Value Scorecard is pre-populated with a best-practice example of eight criteria, two for each category (see box at bottom right). This example helps your effort to develop your own project scorecard by providing a solid starting point:

    60%: On their own, decision makers could only identify around 6 of their 10 most important criteria for making decisions (Source: Transparent Choice).

    Finally, in addition, the overall scores of approved projects can be used as a metric on which success of the process can be measured over time.

    Download Info-Tech’s Project Value Scorecard Development Tool.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool

    Categories of project valuation criteria

    • Strategic alignment: projects must be aligned with the strategic goals of the business and IT.
    • Operational alignment: projects must be aligned with the operational goals of the business and IT.
    • Feasibility: practical considerations for projects must be taken into account in selecting projects.
    • Financial: projects must realize monetary benefits, in increased revenue or decreased costs, while posing as little risk of cost overrun as possible.

    Review the example criteria and score description in the Project Value Scorecard Development Tool

    1.1.1 Project Value Scorecard Development Tool, Tab 2: Evaluation Criteria

    This tab lists eight criteria that cover strategic alignment, operational alignment, feasibility, and financial benefits/risks. Each criteria is accompanied by a qualitative score description to standardize the analysis across all projects and analysts. While this tool supports up to 15 different criteria, it’s better to minimize the number of criteria and introduce additional ones as the organization grows in PPM maturity.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool, Tab 2: Evaluation Criteria

    Type: It is useful to break down projects with similar overall scores by their proposed values versus ease of execution.

    Scale: Five-point scale is not required for this tool. Use more or less granularity of description as appropriate for each criteria.

    Blank Criteria: Rows with blank criteria are greyed out. Enter a new criteria to turn on the row.

    Score projects and search for the right mix of criteria weighting using the scorecard tab

    1.1.1 Project Value Scorecard Development Tool, Tab 3: Project Scorecard

    In this tab, you can see how projects are prioritized when they are scored according to the criteria from the previous tab. You can enter the scores of up to 30 projects in the scorecard table (see screenshot to the right).

    A screenshot of Info-Tech's Project Value Scorecard Development Tool, Tab 3: Project Scorecard is shown.

    Value (V) or Execution (E) & Relative Weight: Change the relative weights of each criteria and review any changes to the prioritized list of projects change, whose rankings are updated automatically. This helps you iterate on the weights to find the right mix.

    Feasibility: Custom criteria category labels will be automatically updated.

    A screenshot of Info-Tech's Project Value Scorecard Development Tool, Tab 3: Project Scorecard is shown.

    Overall: Choose the groupings of criteria by which you want to see the prioritized list. Available groupings are:

    • Overall score
    • By value or by execution
    • By category

    Ranks and weighted scores for each project is shown.

    For example, click on the drop-down and choose “Execution.”

    A screenshot of Info-Tech's Project Value Scorecard Development Tool, Tab 3: Project Scorecard is shown.

    Project ranks are based only on execution criteria.

    Create a first-draft version of a project value-driven prioritized list of projects

    1.1.1 Estimated Time: 60 minutes

    Follow the steps below to test Info-Tech’s example Project Value Scorecard and examine the prioritized list of projects.

    1. Using your list of proposed, ongoing, and completed projects, identify a representative sample of projects in your project portfolio, varying in size, scope, and perceived value – about 10-20 of them.
    2. Arrange these projects in the order of priority using any processes or prioritization paradigm currently in place in your organization.
    • In the absence of formal process, use your intuition, as well as knowledge of organizational priorities, and your stakeholders.
  • Use the example criteria and score description in Tab 2 of Info-Tech’s Project Value Scorecard Development Tool to score the same list of projects:
    • Avoid spending too much time at this step. Prioritization criteria will be refined in the subsequent parts of the blueprint.
    • If multiple scorers are involved, allow some overlap to benchmark for consistency.
  • Enter the scores in Tab 3 of the tool to obtain the first-draft version of a project value-driven prioritized project list. Compare it with your list from Step 2.
  • INPUT

    • Knowledge of proposed, ongoing, and completed projects in your project portfolio

    OUTPUT

    • Prioritized project lists

    Materials

    • Project Value Scorecard Development Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • CIO (optional)

    Iterate on the scorecard to set the stage for optimizing project intake, approval, and prioritization

    1.1.2 Estimated Time: 60 minutes

    Conduct a retrospective of the previous activity by asking these questions:

    • How smooth was the overall scoring experience (Step 3 of Activity 1.1.1)?
    • Did you experience challenges in interpreting and applying the example project valuation criteria? Why? (e.g. lack of information, absence of formalized business strategic goals, too much room for interpretation in scoring description)
    • Did the prioritized project list agree with your intuition?

    Iterate on the project valuation criteria:

    • Manipulate the relatives weights of valuation criteria to fine-tune them.
    • Revise the scoring descriptions to provide clarity or customize them to better fit your organization’s needs, then update the project scores accordingly.
    • For projects that did not score well, will this cause concern from any stakeholders? Are the concerns legitimate? If so, this may indicate the need for inclusion of new criteria.
    • For projects that score too well, this may indicate a bias toward a specific type of project or group of stakeholders. Try adjusting the relative weights of existing criteria.

    INPUT

    • Activity 1.1.1

    OUTPUT

    • Retrospective on project valuation
    • Review of project valuation criteria

    Materials

    • Project Value Scorecard Development Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • CIO (optional)

    Next steps: engage key PPM stakeholders to reach a consensus when establishing how to determine project value

    Engage these key players to create the evaluation criteria that all stakeholders will support:

    • Business units: Projects are undertaken to provide value to the business. Senior management from business units must help define how project will be valued.
    • IT: IT must ensure that technical/practical considerations are taken into account when determining project value.
    • Finance: The CFO or designated representative will ensure that estimated project costs and benefits can be used to manage the budget.
    • PMO: PMO is the administrator of the project portfolio. PMO must provide coordination and support to ensure the process operates smoothly and its goals are realized.
    • Business analysts: BAs carry out the evaluation of project value. Therefore, their understanding of the evaluation criteria and the process as a whole are critical to the success of the process.
    • Project sponsors: Project sponsors are accountable for the realization of benefits for which projects are undertaken.

    Optimize the process with the new project value definition to focus your discussion with stakeholders

    This blueprint will help you not only optimize the process, but also help you work with your stakeholders to realize the benefits of the optimized process.

    In this step, you’ve begun improving the definition of project value. Getting it right will require several more iterations and will require a series of discussions with your key stakeholders.

    The optimized intake process built around the new definition of project value will help evolve a conceptual discussion about project value into a more practical one. The new process will paint a picture of what the future state will look like for your stakeholders’ requested projects getting approved and prioritized for execution, so that they can provide feedback that’s concrete and actionable. To help you with that process, you will be taken through a series of activities to analyze the impact of change on your stakeholders and create a communication plan in the last phase of the blueprint.

    For now, in the next step of this blueprint, you will undergo a series of activities to assess your current state to identify the specific areas for process optimization.

    "To find the right intersection of someone’s personal interest with the company’s interest on projects isn’t always easy. I always try to look for the basic premise that you can get everybody to agree on it and build from there… But it’s sometimes hard to make sure that things stick. You may have to go back three or four times to the core agreement."

    -Eric Newcomer

    Step 1.2: Envision your target state for your optimized project intake, approval, and prioritization process

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Map your current project intake, approval, and prioritization workflow, and document it in a flowchart
    • Enumerate and prioritize your key process stakeholders
    • Determine your process capability level within Info-Tech’s Framework
    • Establish your current and target states for project intake, approval, and prioritization process

    This step involves the following participants:

    • CIO
    • PMO Director/Portfolio Manager
    • Project Managers
    • Business Analysts
    • Other PPM stakeholders

    Outcomes of this step

    • Current project intake, approval, and prioritization process is mapped out and documented in a flowchart
    • Key process stakeholders are enumerated and prioritized to inform future discussion on optimizing processes
    • Current and target organizational process capability levels are determined
    • Success criteria and key performance indicators for process optimization are defined

    Use Info-Tech’s Diagnostic Program for an initial assessment of your current PPM processes

    This step is highly recommended but not required. Call 1-888-670-8889 to inquire about or request the PPM Diagnostics.

    Info-Tech's Project Portfolio Management Assessmentprovides you with a data-driven view of the current state of your portfolio, including your intake processes. Our PPM Assessment measures and communicates success in terms of Info-Tech’s best practices for PPM.

    A screenshot of Info-Tech's Project Portfolio Management Assessment blueprint is shown.

    Use the diagnostic program to:

    • Assess resource utilization across the portfolio.
    • Determine project portfolio reporting completeness.
    • Solicit feedback from your customers on the clarity of your portfolio’s business goals.
    • Rate the overall quality of your project management practices and benchmark your rating over time.
    A screenshot of Info-Tech's Project Portfolio Management Assessment blueprint is shown.

    Scope your process optimization efforts with Info-Tech’s high-level intake, approval, and prioritization workflow

    Info-Tech recommends the following workflow at a high level for a capacity-constrained intake process that aligns to strategic goals and stakeholder need.

    • Intake (Step 2.1)*
      • Receive project requests
      • Triage project requests and assign a liaison
      • High-level scoping & set stakeholder expectations
    • Approval (Step 2.2)*
      • Concept approval by project sponsor
      • High-level technical solution approval by IT
      • Business case approval by business
      • Resource allocation & greenlight projects
    • Prioritization (Step 2.3)*
      • Update project priority scores & available project capacity
      • Identify high-scoring and “on-the-bubble” projects
      • Recommend projects to greenlight or deliberate

    * Steps denote the place in the blueprint where the steps are discussed in more detail.

    Use this workflow as a baseline to examine your current state of the process in the next slide.

    Map your current project intake, approval, and prioritization workflow

    1.2.1 Estimated Time: 60-90 minutes

    Conduct a table-top planning exercise to map out the processes currently in place for project intake, approval, and prioritization.

    1. Use white 4”x6” recipe cards / large sticky notes to write out unique steps of a process. Use the high-level process workflow from the previous slides as a guide.
    2. Arrange the steps into chronological order. Benchmark the arrangement through a group discussion.
    3. Use green cards to identify artifacts or deliverables that result from a step.
    4. Use yellow cards to identify who does the work (i.e. responsible parties), and who makes the decisions (i.e. accountable party). Keep in mind that while multiple parties may be responsible, accountability cannot be shared and only a single party can be accountable for a process.
    5. Use red cards to identify issues, problems, or risks. These are opportunities for optimization.

    INPUT

    • Documentation describing the current process (e.g. standard operating procedures)
    • Info-Tech’s high-level intake workflow

    OUTPUT

    • Current process, mapped out

    Materials

    • 4x6” recipe cards
    • Whiteboard

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • Other PPM stakeholders

    Document the current project intake, approval, and prioritization workflow in a flowchart

    1.2.2 Estimated Time: 60 minutes

    Document the results of the previous table-top exercise (Activity 1.1.1) into a flow chart. Flowcharts provide a bird’s-eye view of process steps that highlight the decision points and deliverables. In addition, swim lanes can be used to indicate process stages, task ownership, or responsibilities (example below).

    An example is shown for activity 1.2.2

    Review and customize section 1.2, “Overall Process Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    "Flowcharts are more effective when you have to explain status and next steps to upper management."

    – Assistant Director-IT Operations, Healthcare Industry

    Browser-based flowchart tool examples

    INPUT

    • Mapped-out project intake process (Activity 1.2.1)

    OUTPUT

    • Flowchart representation of current project intake workflow

    Materials

    • Microsoft Visio, flowchart software, or Microsoft PowerPoint

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Example of a project intake, approval, and prioritization flow chart – without swim lanes

    An example project intake, approval, and prioritization flow chart without swim lanes is shown.

    Example of a project intake, approval, and prioritization flow chart – with swim lanes

    An example project intake, approval, and prioritization flow chart with swim lanes is shown.

    Download Info-Tech’s Project Intake Workflow Template (Visio and PDF)

    Enumerate your key stakeholders for optimizing intake, approval, and prioritization process

    1.2.3 30-45 minutes

    In the previous activity, accountable and responsible stakeholders for each of the steps in the current intake, approval, and prioritization process were identified.

    1. Based on your knowledge and insight of your organization, ensure that all key stakeholders with accountable and responsible stakeholders are accounted for in the mapped-out process. Note any omissions: it may indicate a missing step, or that the stakeholder ought to be, but are not currently, involved.
    2. For each step, identify any stakeholders that are currently consulted or informed. Then, examine the whole map and identify any other stakeholders that ought to be consulted or informed.
    3. Compile a list of stakeholders from steps 1-2, and write each of their names in two sticky notes.
    4. Put both sets of sticky notes on a wall. Use the wisdom-of-the-crowd approach to arrange one set in a descending order of influence. Record their ranked influence from 1 (least) to 10 (most).
    5. Rearrange the other set in a descending order of interest in seeing the project intake process optimized. Record their ranked interest from 1 (least) to 10 (most).

    INPUT

    • Mapped-out project intake process (Activity 1.2.1)
    • Insight on organizational culture

    OUTPUT

    • List of stakeholders in project intake
    • Ranked list in their influence and interest

    Materials

    • Sticky notes
    • Walls

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • Other PPM stakeholders

    Prioritize your stakeholders for project intake, approval, and prioritization process

    There are three dimensions for stakeholder prioritization: influence, interest, and support.

    1. Map your stakeholders in a 2D stakeholder power map (top right) according to their relative influence and interest.
    2. Rate their level of support by asking the following question: how likely is it that your stakeholder would welcome an improved process for project intake?

    These parameters will inform how to prioritize your stakeholders according to the stakeholder priority heatmap (bottom right). This priority should inform how to focus your attention during the subsequent optimization efforts.

    A flowchart is shown to show the relationship between influence and interest.

    Level of Support
    Stakeholder Category Supporter Evangelist Neutral Blocker
    Engage Critical High High Critical
    High Medium Low Low Medium
    Low High Medium Medium High
    Passive Low Irrelevant Irrelevant Low

    Info-Tech Insight

    There may be too many stakeholders to be able to achieve complete satisfaction. Focus your attention on the stakeholders that matter the most.

    Most organizations have low to medium capabilities around intake, approval, and prioritization

    1.2.4 Estimated Time: 15 minutes

    Use Info-Tech’s Intake Capability Framework to help define your current and target states for intake, approval, and prioritization.

    Capability Level Capability Level Description
    Capability Level 5: Optimized Our department has effective intake processes with right-sized administrative overhead. Work is continuously prioritized to keep up with emerging challenges and opportunities.
    Capability Level 4: Aligned Our department has very strong intake processes. Project approvals are based on business cases and aligned with future resource capacity.
    Capability Level 3: Engaged Our department has processes in place to track project requests and follow up on them. Priorities are periodically re-evaluated, based largely on the best judgment of one or several executives.
    Capability Level 2: Defined Our department has some processes in place but no capacity to say no to new projects. There is a formal backlog, but little or no method for grooming it.
    Capability Level 1: Unmanaged Our department has no formal intake processes in place. Most work is done reactively, with little ability to prioritize proactive project work.

    Refer to the subsequent slides for more detail on these capability levels.

    Level 1: Unmanaged

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Projects are requested through personal conversations and emails, with minimal documentation and oversight.
    Approval Projects are approved by default and rarely (if ever) declined. There is no definitive list of projects in the pipeline or backlog.
    Prioritization Most work is done reactively, with little ability to prioritize proactive project work.

    Symptoms

    • Poorly defined – or a complete absence of – PPM processes.
    • No formal approval committee.
    • No processes in place to balance proactive and reactive demands.

    Long Term

    PMOs at this level should work to have all requests funneled through a proper request form within six months. Decision rights for approval should be defined, and a scorecard should be in place within the year.

    Quick Win

    To get a handle on your backlog, start tracking all project requests using the “Project Data” tab in Info-Tech’s Project Intake and Prioritization Tool.

    Level 2: Defined

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Requests are formally documented in a request form before they’re assigned, elaborated, and executed as projects.
    Approval Projects are approved by default and rarely (if ever) declined. There is a formal backlog, but little or no method for grooming it.
    Prioritization There is a list of priorities but no process for updating it more than annually or quarterly.

    Symptoms

    • Organization does not have clear concept of project capacity.
    • There is a lack of discipline enforced on stakeholders.
    • Immature PPM processes in general.

    Long Term

    PMOs at this level should strive for greater visibility into the portfolio to help make the case for declining (or at least deferring) requests. Within the year, have a formal PPM strategy up and running.

    Quick Win

    Something PMOs at this level can accomplish quickly without any formal approval is to spend more time with stakeholders during the ideation phase to better define scope and requirements.

    Level 3: Engaged

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Processes and skills are in place to follow up on requests to clarify project scope before going forward with approval and prioritization.
    Approval Projects are occasionally declined based on exceptionally low feasibility or value.
    Prioritization Priorities are periodically re-evaluated based largely on the best judgment of one or several executives.

    Challenges

    • Senior executives’ “best judgement” is frequently fallible or influenced. Pet projects still enter the portfolio and deplete resources.
    • While approval processes “occasionally” filter out some low-value projects, many still get approved.

    Long Term

    PMOs at this level should advocate for a more formal cadence for prioritization and, within the year, establish a formal steering committee that will be responsible for prioritizing and re-prioritizing quarterly or monthly.

    Quick Win

    At the PMO level, employ Info-Tech’s Project Intake and Prioritization Tool to start re-evaluating projects in the backlog. Make this data available to senior executives when prioritization occurs.

    Level 4: Aligned

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Occurs through a centralized process. Processes and skills are in place for follow-up.
    Approval Project approvals are based on business cases and aligned with future resource capacity.
    Prioritization Project prioritization is visibly aligned with business goals.

    Challenges

    • The process of developing business cases can be too cumbersome, distracting resources from actual project work.
    • “Future” resource capacity predictions are unreliable. Reactive support work and other factors frequently change actual resource availability.

    Long Term

    PMOs at this level can strive for more accurate and frequent resource forecasting, establishing a more accurate picture of project vs. non-project work within the year.

    Quick Win

    PMOs at this level can start using Info-Tech’s Business Case Template (Comprehensive or Fast Track) to help simplify the business case process.

    Level 5: Optimizing

    Use these descriptions to place your organization at the appropriate level of intake capability.

    Intake Occurs through a centralized portal. Processes and skills are in place for thorough follow-up.
    Approval Project approvals are based on business cases and aligned with future resource capacity.
    Prioritization Work is continuously prioritized to keep up with emerging challenges and opportunities.

    Challenges

    • Establishing a reliable forecast for resource capacity remains a concern at this level as well.
    • Organizations at this level may experience an increasing clash between Agile practices and traditional Waterfall methodologies.

    A screenshot of Info-Tech's Manage an Agile Portfolio Blueprint

    PMOs at this level should look at Info-Tech’s Manage an Agile Portfolio for comprehensive tools and guidance on maintaining greater visibility at the portfolio level into work in progress and committed work.

    Establish your current and target states for process intake, approval, and prioritization

    1.2.5 Estimated Time: 20 minutes

    • Having reviewed the intake capability framework, you should be able to quickly identify where you currently reside in the model. Document this in the “Current State” box below.
    • Next, spend some time as a group discussing your target state. Make sure to set a realistic target as well as a realistic timeframe for meeting this target. Level 1s will not be able to become Level 5s overnight and certainly not without passing through the other levels on the way.
      • A realistic goal for a Level 1 to become a Level 2 is within six to eight months.
    Current State:
    Target State:
    Timeline for meeting target

    INPUT

    • Intake, approval, and prioritization capability framework (Activity 1.2.4)

    OUTPUT

    • Current and target state, with stated time goals

    Materials

    • Whiteboard

    Participants

    • CIO
    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Align your intake success with the strategic expectations of overall project portfolio management

    A successful project intake, approval, and prioritization process puts your leadership in a position to best steer the portfolio, like a conductor of an orchestra.

    To frame the discussion on deciding what intake success will look like, review Info-Tech’s PPM strategic expectations:

    • Project Throughput: Maximize throughput of the best projects.
    • Portfolio Visibility: Ensure visibility of current and pending projects.
    • Portfolio Responsiveness: Make the portfolio responsive to executive steering when new projects and changing priorities need rapid action.
    • Resource Utilization: Minimize resource waste and optimize the alignment of skills to assignments.
    • Benefits Realization: Clarify accountability for post-project benefits attainment for each project, and facilitate the process of tracking/reporting those benefits.
    A screenshot of Info-Tech's Develop a Project Portfolio Management Strategy blueprint.

    For a more detailed discussion and insight on PPM strategic expectations see Info-Tech’s blueprint, Develop a Project Portfolio Management Strategy.

    Decide what successful project intake, approval, prioritization process will look like

    1.2.6 Estimated Time: 60 minutes

    While assessing your current state, it is important to discuss and determine as a team how success will be defined.

    • During this process, it is important to consider tentative timelines for success milestones and to ask the question: what will success look like and when should it occur by?
    • Use the below table to help document success factors and timeliness. Follow the lead of our example in row 1.
    Optimization Benefit Objective Timeline Success Factor
    Facilitate project intake, prioritization, and communication with stakeholders to maximize time spent on the most valuable or critical projects. Look at pipeline as part of project intake approach and adjust priorities as required. July 1st Consistently updated portfolio data. Dashboards to show back capacity to customers. SharePoint development resources.

    Review and customize section 1.5, “Process Success Criteria” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    Info-Tech Insight

    Establish realistic short-term goals. Even with optimized intake procedures, you may not be able to eliminate underground project economies immediately. Make your initial goals realistic, leaving room for those walk-up requests that may still appear via informal channels.

    Prepare to optimize project intake and capture the results in the Intake, Approval, and Prioritization SOP

    Standard Operating Procedure (SOP) is the reference document to get all PPM stakeholders on the same page with the new optimized process.

    The current state explored and documented in this step will serve as a starting point for each step of the next phase of the blueprint. The next phase will take a deeper dive into each of the three components of Info-Tech’s project intake methodology, so that they can achieve the success criteria you’ve defined in the previous activity.

    Info-Tech’s Project Intake, Approval, and Prioritization SOP Template is intended to capture the outcome of your process optimization efforts. This blueprint guides you through numerous activities designed for your core project portfolio management team to customize each section.

    To maximize the chances of success, it is important that the team makes a concerted effort to participate. Schedule a series of working sessions over the course of several weeks for your team to work through it – or get through it in one week, with onsite Info-Tech analyst-facilitated workshops.

    Download Info-Tech’s Project Intake, Approval, and Prioritization SOP.

    A screenshot of Info-Tech's Project Intake, Approval, and Prioritization SOP.

    Contact your account representative or email Workshops@InfoTech.com for more information.

    Case study: PMO develops mature intake and prioritization processes by slowly evolving its capability level

    CASE STUDY

    Industry: Not-for-Profit

    Source: Info-Tech Interview

    Challenge

    • A PMO for a large not-for-profit benefits provider had relatively high project management maturity, but the enterprise had low PPM maturity.
    • There were strong intake processes in place for following up on requests. For small projects, project managers would assist as liaisons to help control scope. For corporate initiates, PMs were assigned to work with a sponsor to define scope and write a charter.

    Solution

    Prioritization was a challenge. Initially, the organization had ad hoc prioritization practices, but they had developed a scoring criteria to give more formality and direction to the portfolio. However, the activity of formally prioritizing proved to be too time consuming.

    Off-the-grid projects were a common problem, with initiatives consuming resources with no portfolio oversight.

    Results

    After trying “heavy” prioritization, the PMO loosened up the process. PMO staff now go through and quickly rank projects, with two senior managers making the final decisions. They re-prioritize quarterly to have discussions around resource availability and to make sure stakeholders are in tune to what IT is doing on a daily basis. IT has a monthly meeting to go over projects consuming resources and to catch anything that has fallen between the cracks.

    "Everything isn't a number one, which is what we were dealing with initially. We went through a formal prioritization period, where we painstakingly scored everything. Now we have evolved: a couple of senior managers have stepped up to make decisions, which was a natural evolution from us being able to assign a formal ranking. Now we are able to prioritize more easily and effectively without having to painstakingly score everything."

    – PMO Director, Benefits Provider

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    A photo of an Info-Tech analyst is shown.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.1-2

    A screenshot of activities 1.1.1 and 1.1.2 are shown.

    Pilot Info-Tech’s Project Value Scorecard-driven prioritization method

    Use Info-Tech’s example to prioritize your current project backlog to pilot a project value-driven prioritization, which will be used to guide the entire optimization process.

    1.2.1-3

    A screenshot of activities 1.2.1 and 1.2.3 are shown.

    Map out and document current project intake, approval, and prioritization process, and the involved key stakeholders

    A table-top planning exercise helps you visualize the current process in place and identify opportunities for optimization.

    Phase 2

    Build an Optimized Project Intake, Approval, and Prioritization Process

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Build an Optimized Project Intake, Approval, and Prioritization Process Proposed Time to Completion: 3-6 weeks

    Step 2.1: Streamline Intake

    Start with an analyst kick-off call:

    • Challenges of project intake
    • Opportunities for improving the management of stakeholder expectations by optimizing intake

    Then complete these activities…

    • Perform a process retrospective
    • Optimize your process to receive, triage, and follow up on project requests

    With these tools & templates:

    • Project Request Form.
    • Project Intake Classification Matrix

    Step 2.2: Right-Size Approval

    Start with an analyst call:

    • Challenges of project approval
    • Opportunities for improving strategic alignment of the project portfolio by optimizing project approval

    Then complete these activities…

    • Perform a process retrospective
    • Clarify accountability at each step
    • Decide on deliverables to support decision makers at each step

    With these tools & templates:

    • Benefits Commitment Form
    • Technology Assessment Tool
    • Business Case Templates

    Step 3.3: Prioritize Realistically

    Start with an analyst call:

    • Challenges in project prioritization
  • Opportunities for installing a resource capacity-constrained intake by optimizing prioritization
  • Then complete these activities…

    • Perform a process retrospective
    • Pilot the Intake and Prioritization Tool for prioritization within estimated resource capacity

    With these tools & templates:

    • Project Intake and Prioritization Tool

    Phase 2 Results & Insights:

    • Info-Tech’s methodology systemically fits the project portfolio into its triple constraint of stakeholder needs, strategic objectives, and resource capacity, to effectively address the challenges of establishing organizational discipline for project intake.

    Step 2.1: Streamline intake to manage stakeholder expectations

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Perform a deeper retrospective on current project intake process
    • Optimize your process to receive project requests
    • Revisit the definition of a project for triaging requests
    • Optimize your process to triage project requests
    • Optimize your process to follow up on project requests

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Administrative Staff

    Outcomes of this Step

    • Retrospective of the current project intake process: to continue doing, to start doing, and to stop doing
    • A streamlined, single-funnel intake channel with the right procedural friction to receive project requests
    • A refined definition of what constitutes a project, and project levels that will determine the necessary standard of rigor with which project requests should be scoped and developed into a proposal throughout the process
    • An optimized process for triaging and following up on project requests to prepare them for the steps of project approval
    • Documentation of the optimized process in the SOP document

    Understand the risks of poor intake practices

    Too much red tape could result in your portfolio falling victim to underground economies. Too little intake formality could lead to the Wild West.

    Off-the-grid projects, i.e. projects that circumvent formal intake processes, lead to underground economies that can deplete resource capacity and hijack your portfolio.

    These underground economies are typically the result of too much intake red tape. When the request process is made too complex or cumbersome, project sponsors may unsurprisingly seek alternative means to get their projects done.

    While the most obvious line of defence against the appearance of underground economies is an easy-to-use and access request form, one must be cautious. Too little intake formality could lead to a Wild West of project intake where everyone gets their initiatives approved regardless of their business merit and feasibility.

    Benefits of optimized intake Risks of poor intake
    Alignment of portfolio with business goals Portfolio overrun by off-the-grid projects
    Resources assigned to high-value projects Resources assigned to low-value projects
    Better throughput of projects in the portfolio Ever-growing project backlog
    Strong stakeholder relations Stakeholders lose faith in value of PMO

    Info-Tech Insight

    Intake is intimately bound to stakeholder management. Finding the right balance of friction for your team is the key to successfully walking the line between asking for too much and not asking for enough. If your intake process is strong, stakeholders will no longer have any reason to circumvent formal process.

    An excess number of intake channels is the telltale sign of a low capability level for intake

    Excess intake channels are also a symptom of a portfolio in turmoil.

    If you relate to the graphic below in any way, your first priority needs to be limiting the means by which projects get requested. A single, centralized channel with review and approval done in batches is the goal. Otherwise, with IT’s limited capacity, most requests will simply get added to the backlog.

    A graphic is shown to demonstrate how one may receive project requests. The following icons are in a circle: Phone, Intranet Request Form, In person, anywhere, anytime, SharePoint Request Form, Weekly Scrum, Document, and Email.

    Info-Tech Insight

    The PMO needs to have the authority – and needs to exercise the authority – to enforce discipline on stakeholders. Organizations that solicit in verbal requests (by phone, in person, or during scrum) lack the orderliness required for PPM success. In these cases, it needs to be the mission of the PMO to demand proper documentation and accountability from stakeholders before proceeding with requests.

    "The golden rule for the project documentation is that if anything during the project life cycle is not documented, it is the same as if it does not exist or never happened…since management or clients will never remember their undocumented requests or their consent to do something."

    – Dan Epstein, “Project Initiation Process: Part Two”

    Develop an intake workflow

    Info-Tech recommends following a four-step process for managing intake.

    1. Requestor fills out form and submits the request.

    Project Request Form Templates

    2. Requests are triaged into the proper queue.

    1. Divert non-project request
    2. Quickly assess value and urgency
    3. Assign specialist to follow up on request
    4. Inform the requestor

    Project Intake Classification Matrix

    3. BA or PM prepares to develop requests into a project proposal.

    1. Follow up with requestor and SMEs to refine project scope, benefits, and risks
    2. Estimate size of project and determine the required level of detail for proposal
    3. Prepare for concept approval

    Benefits Commitment Form Template

    4. Requestor is given realistic expectations for approval process.

    Perform a start-stop-continue exercise to help determine what is working and what is not working

    2.1.1 Estimated Time: 45 minutes

    Optimizing project intake may not require a complete overhaul of your existing processes. You may only need to tweak certain templates or policies. Perhaps you started out with a strong process and simply lost resolve over time – in which case you will need to focus on establishing motivation and discipline, rather than rework your entire process.

    Perform a start-stop-continue exercise with your team to help determine what should be salvaged, what should be abandoned, and what should be introduced:

    1. On a whiteboard or equivalent, write “Start,” “Stop,” and “Continue” in three separate columns. 3. As a group, discuss the responses and come to an agreement as to which are most valid.
    2. Equip your team with sticky notes or markers and have them populate the columns with ideas and suggestions surrounding your current processes. 4. Document the responses to help structure your game plan for intake optimization.
    Start Stop Continue
    • Explicitly manage follow-up expectations with project requestor
    • Receiving informal project requests
    • Take too long in proposal development
    • Quarterly approval meetings
    • Approve resources for proposal development

    INPUT

    • Current project intake workflow (Activity 1.2.2)
    • Project intake success criteria (Activity 1.2.6)

    OUTPUT

    • Retrospective review of current intake process

    Materials

    • Whiteboard
    • Sticky notes/markers

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Streamline project requests into a single funnel

    It is important to identify all of the ways through which projects currently get requested and initiated, especially if you have various streams of intake competing with each other for resources and a place in the portfolio. Directing multiple channels into a single, centralized funnel is step number one in optimizing intake.

    To help you identify project sources within your organization, we’ve broken project requests into three archetypes: the good, the bad, and the ugly.

    1. The Good – Proper Requests: written formal requests that come in through one appropriate channel.

    The Bad – Walk-Ups: requests that do not follow the appropriate intake channel(s), but nevertheless make an effort to get into the proper queue. The most common instance of this is a portfolio manager or CIO filling out the proper project request form on behalf of, and under direction from, a senior executive.

    The Ugly – Guerilla Tactics: initiatives that make their way into the portfolio through informal methods or that consume portfolio resources without formal approval, authority, or oversight. This typically involves a key resource getting ambushed to work on a stakeholder’s “side project” without any formal approval from, or knowledge of, the PMO.

    Funnel requests through a single portal to streamline intake

    Decide how you would funnel project requests on a single portal for submitting project requests. Determining the right portal for your organization will depend on your current infrastructure options, as well as your current and target state capability levels.

    Below are examples of a platform for your project request portal.

    Platform Template document, saved in a repository or shared drive Email-based form (Outlook forms) Intranet form (SharePoint, internal CMS) Dedicated intake solution (PPM tool, idea/innovation tool)
    Pros Can be deployed very easily Consolidates requests into a single receiver Users have one place to go from any device All-in-one solution that includes scoring and prioritization
    Cons Manual submission and intake process consumes extra effort Can pose problems in managing requests across multiple people and platforms Requires existing intranet infrastructure and some development effort Solution is costly; requires adoption across all lines of business

    Increasing intake capability and infrastructure availability

    Introduce the right amount of friction into your intake process

    The key to an effective intake process is determining the right amount of friction to include for your organization. In this context, friction comes from the level of granularity within your project request form and the demands or level of accountability your intake processes place on requestors. You will want to have more or less friction on your intake form, depending on your current intake pain points.

    If you are inundated with a high volume of requests:

    • Make your intake form more detailed to deter “half-baked” requests.
    • Have more managerial oversight into the process. Require approval for each request.

    If you want to encourage the use of a formal channel:

    • Make your intake form more concise and lightweight.
    • Have less managerial oversight into the process. Inform managers of each request rather than requiring approval.

    Download Info-Tech’s Detailed Project Request Form.

    Download Info-Tech’s Light Project Request Form.

    A screenshot of Info-Tech's Project Request Form is shown.

    Info-Tech Insight

    Optimizing a process should not automatically mean reducing friction. Blindly reducing friction could generate a tidal wave of poorly thought-out requests, which only drives up unrealistic expectations. Mitigate the risk of unrealistic stakeholder expectations by carefully managing the message: optimize friction.

    Document your process to receive project requests

    2.1.2 Estimated Time: 30-60 minutes

    Review and customize section 2.2, “Receive project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of optimizing this process is to consolidate multiple intake channels into a single funnel with the right amount of friction to improve visibility and manageability of incoming project requests.

    The important decisions to document for this step include:

    1. What data will be collected, and from whom? For example, Info-Tech’s Light Project Request Form Template will be used to collect project requests from everyone.
    2. How will requests be collected, and from where? For example, the template will be available as a fillable form on a SharePoint site.
    3. Who will be informed of the requests? For example, the PMO Director and the BA team will be notified with a hyperlink to the completed request form.
    4. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Retrospective of current process (Activity 2.1.1)

    OUTPUT

    • Customized Project Request Form
    • Method of implementation

    Materials

    • Project Request Form Templates

    Participants

    • PMO Director/ Portfolio Manager
    • Business Analysts

    Info-Tech Best Practice

    Whatever method of request collection you choose, ensure there is no doubt about how requesters can access the intake form.

    Establish a triage process to improve portfolio success

    Once a request has been submitted, it will need to be triaged. Triage begins as soon as the request is received. The end goal of the triage process is to set appropriate expectations for stakeholders and to ensure that all requests going forward for approval are valid requests.

    PPM Triage Process

    1. Divert non-project requests by validating that what is described on the request form qualifies as a “project.” Make sure requests are in the appropriate queue – for example, service desk request queue, change and release management queue, etc.
    2. Quickly assess value and urgency to determine whether the request requires fast-tracking or any other special consideration.
    3. Assign a specialist to follow up on the request. Match the request to the most suitable BA, PM, or equivalent. This person will become the Request Liaison (“RL”) for the request and will work with the requestor to define preliminary requirements.
    4. Inform the requestor that the request has been received and provide clear direction on what will happen with the request next, such as who will follow up on it and when. See the next slide for some examples of this follow-up.

    The PMO Triage Team

    • Portfolio Manager, or equivalent
    • Request Liaisons (business analysts, project managers, or equivalent)

    “Request Liaison” Role

    The BAs and PMs who follow up on requests play an especially important role in the triage process. They serve as the main point of contact to the requestor as the request evolves into a business case. In this capacity they perform a valuable stakeholder management function, helping to increase confidence and enhance trust in IT.

    To properly triage project requests, define exactly what a project is

    Bring color to the grey area that can exist in IT between those initiatives that fall somewhere in between “clearly a service ticket” and “clearly a project.”

    What constitutes a project?

    Another way of asking this question that gets more to the point for this blueprint – for what types of initiatives is project intake, approval, and prioritization rigor required?

    This is especially true in IT where, for some smaller initiatives, there can be uncertainty in many organizations during the intake and initiation phase about what should be included on the formal project list and what should go to help desk’s queue.

    As the definitions in the table below show, formal project management frameworks each have similar definitions of “a project.”

    Source Definition
    PMI A temporary endeavor undertaken to create a unique product, service, or result.” (553)
    COBIT A structured set of activities concerned with delivering a defined capability (that is necessary but not sufficient to achieve a required business outcome) to the enterprise based on an agreed‐on schedule and budget.” (74)
    PRINCE2 A temporary organization that is created for the purpose of delivering one or more business products according to an agreed business case.

    For each, a project is a temporary endeavor planned around producing a specific organizational/business outcome. The challenge of those small initiatives in IT is knowing when those endeavors require a business case, formal resource tracking, and project management rigor, and when they don’t.

    Separating small projects from non-projects requires a consideration of approval rights

    While conventional wisdom says to base your project definition on an estimation of cost, risk, etc., you also need to ask, “does this initiative require formal approval?”

    In the next step, we will define a suggested minimum threshold for a small “level 1” project. While these level thresholds are good and necessary for a number of reasons – including triaging your project requests – you may still often need to exercise some critical judgment in separating the tickets from the projects. In addition to the level criteria that we will develop in this step, use the checklist below to help with your differentiating.

    Service Desk Ticket Small Project
    • Approval seems implicit given the scope of the task.
    • No expectations of needing to report on status.
    • No indications that management will require visibility during execution.
    • The scope of the task suggests formal approval may be required.
    • You may have to report on status.
    • Possibility that management may require visibility during execution.

    Info-Tech Insight

    Guard the value of the portfolio. Because tickets carry with them an implicit approval, you need to be wary at the portfolio level of those that might possess a larger scope than their status of ticket implies. Sponsors that, for whatever reason, resist the formal intake process may use the ticketing process to sneak projects in through the backdoor. When assessing tickets and small projects at the portfolio level, you need to ask: is it possible that someone at an executive level might want to get updates on this because of its duration, scope, risk, cost, etc.? Could someone at the management level get upset that the initiative came in as a ticket and is burning up time and driving costs without any visibility?

    Sample Project/Non-Project Separation Criteria

    Non-Project Small Project
    e.g. Time required e.g. < 40 hours e.g. 40 > hours
    e.g. Complexity e.g. Very low e.g. Moderate – Low Difficulty: Does not require highly developed or specialized skill sets
    e.g. Collaboration e.g. None required e.g. Limited coordination and collaboration between resources and departments
    e.g. Repeatability of work e.g. Fully repeatable e.g. Less predictable
    e.g. Frequency of request type e.g. Hourly to daily e.g. Weekly to monthly

    "If you worked for the help desk, over time you would begin to master your job since there is a certain rhythm and pattern to the work…On the other hand, projects are unique. This characteristic makes them hard to estimate and hard to manage. Even if the project is similar to one you have done before, new events and circumstances will occur. Each project typically holds its own challenges and opportunities"

    – Jeffrey and Thomas Mochal

    Define the minimum-threshold criteria for small projects

    2.1.3 Estimated Time: 30 minutes

    Follow the steps below to define the specifics of a “level 1” project for your organization.

    1. Using your project list and/or ticketing system, identify a handful of small projects, large service desk tickets, and especially those items that fall somewhere in the grey area in between (anywhere between 10 to 20 of each). Then, determine the organizationally appropriate considerations for defining your project levels. Options include:
    • Duration
    • Budget/Cost
    • Technology requirements
    • Customer involvement
    • Integration
    • Organizational impact
    • Complexity
    • Number of cross-functional workgroups and teams involved
  • Using the list of projects established in the previous step, determine the organizationally appropriate considerations for defining your project levels –anywhere from four to six considerations is a good number.
  • Using these criteria and your list of small projects, define the minimum threshold for your level one projects across each of these categories. Record these thresholds in the table on the next slide.
  • INPUT

    • Data concerning small projects and service desk tickets, including size, duration, etc.

    OUTPUT

    • Clarity around how to define your level 1 projects

    Materials

    • Whiteboard

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Remove room for stakeholder doubt and confusion by informing requests forward in a timely manner

    During triaging, requestors should be notified as quickly as possible (a) that their request has been received and (b) what to expect next for the request. Make this forum as productive and informative as possible, providing clear direction and structure for the future of the request. Be sure to include the following:

    • A request ID or ticket number.
    • Some direction on who will be following up on the request –provide an individual’s name when possible.
    • An estimated timeframe of when they can expect to hear from the individual following up.

    The logistic of this follow-up will depend on a number of different factors.

    • The number of requests you receive.
    • Your ability to automate the responses.
    • The amount of detail you would like to, or need to, provide stakeholders with.

    Info-Tech Best Practice

    Assign an official request number or project ID to all requests during this initial response. An official request number anchors the request to a specific and traceable dataset that will accompany the project throughout its lifecycle.

    Sample “request received” emails

    If you receive a high volume of requests or need a quick win for improving stakeholder relations:

    Sample #1: Less detailed, automatic response

    Hello Emma,

    Thank you. Your project request has been received. Requests are reviewed and assigned every Monday. A business analyst will follow up with you in the next 5-10 business days. Should you have any questions in the meantime, please reply to this email.

    Best regards,

    Information Technology Services

    If stakeholder management is a priority, and you want to emphasize the customer-facing focus:

    Sample #2: More detailed, tailored response

    Hi Darren,

    Your project request has been received and reviewed. Your project ID number is #556. Business analyst Alpertti Attar has been assigned to follow up on your request. You can expect to hear from him in the next 5-10 business days to set up a meeting for preliminary requirements gathering.

    If you have any questions in the meantime, please contact Alpertti at aattar@projectco.com. Please include the Project ID provided in this email in all future correspondences regarding this request.

    Thank you for your request. We look forward to helping you bring this initiative to fruition.

    Sincerely,

    Jim Fraser

    PMO Director, Information Technology Services

    Info-Tech Insight

    A simple request response will go a long way in terms of stakeholder management. It will not only help assure stakeholders that their requests are in progress but the request confirmation will also help to set expectations and take some of the mystery out of IT’s processes.

    Document your process to triage project requests

    2.1.4 Estimated Time: 30-60 minutes

    Review and customize section 2.3, “Triage project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of optimizing this process is to divert non-project requests and set an appropriate initial set of stakeholder expectations for next steps. The important decisions to document for this step include:

    1. What defines a project? Record the outcomes of Activities 2.1.3 into the SOP.
    2. Who triages the requests and assign request liaisons? Who are they? For example, a lead BA can assign a set roster of BAs to project requests.
    3. What are the steps to follow for sending the initial response? See the previous slides on automated responses vs. detailed, tailored responses.
    4. How will you account for the consumption of resource capacity? For example, impose a maximum of four hours per week per analyst, and track the hours worked for each request to establish a pattern for capacity consumption.
    5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Results of activity 2.1.3

    OUTPUT

    • SOP for triaging project requests

    Materials

    • SOP Template

    Participants

    • PMO Director/ Portfolio Manager
    • Business Analysts

    Info-Tech Best Practice

    Whatever method of request collection you choose, ensure there is no doubt about how requesters can access the intake form.

    Follow up on requests to define project scope and set realistic expectations

    The purpose of this follow-up is to foster communication among the requestor, IT, and the sponsor to scope the project at a high level. The follow-up should:

    • Clarify the goals and value of the request.
    • Begin to manage expectations based on initial assessment of feasibility.
    • Ensure the right information is available for evaluating project proposals downstream. Every project should have the below key pieces of scope defined before any further commitments are made.

    Focus on Defining Key Pieces of Scope

    • Budget (funding, source)
    • Business outcome
    • Completion criteria
    • Timeframes (start date and duration)
    • Milestones/deliverables

    Structure the Follow-Up Process to Enhance Alignment Between IT and the Business

    Once a Request Liaison (RL) has been assigned to a request, it is their responsibility to schedule time (if necessary) with the requestor to perform a scoping exercise that will help define preliminary requirements. Ideally, this follow-up should occur no later than a week of the initial request.

    Structure the follow-up for each request based on your preliminary estimates of project size (next slide). Use the “Key Pieces of Scope” to the left as a guide.

    It may also be helpful for RLs and stakeholders to work together to produce a rough diagram or mock-up of the final deliverable. This will ensure that the stakeholder’s idea has been properly communicated, and it could also help refine or broaden this idea based on IT’s capabilities.

    After the scoping exercise, it is the RL’s responsibility to inform the requestor of next steps.

    Info-Tech Insight

    More time spent with stakeholders defining high-level requirements during the ideation phase is key to project success. It will not only improve the throughput of projects, but it will enhance the transparency of IT’s capacity and enable IT to more effectively support business processes.

    Perform a preliminary estimation of project size

    Project estimation is a common pain point felt by many organizations. At this stage, a range-of-magnitude (ROM) estimate is sufficient for the purposes of sizing the effort required for developing project proposals with appropriate detail.

    A way to structure ROM estimates is to define a set of standard project levels. It will help you estimate 80% of projects with sufficient accuracy over time with little effort. The remaining 20% of projects that don’t meet their standard target dates can be managed as exceptions.

    The increased consistency of most projects will enable you to focus more on managing the exceptions.

    Example of standard project sizes:

    Level Primary unit of estimation Target completion date*
    1 Weeks 3 weeks – 3 months
    2 Months 3 months – 6 months
    3 Quarters 2 – 4 quarters
    3+ Years 1 year or more

    * Target completion date is simply that – a target, not a service level agreement (SLA). Some exceptions will far exceed the target date, e.g. projects that depend heavily on external or uncontrollable factors.

    Info-Tech Best Practice

    Project levelling is useful for right-sizing many downstream processes; it sets appropriate levels of detail and scrutiny expected for project approval and prioritization steps, as well as the appropriate extent of requirements gathering, project management, and reporting requirements afterwards.

    Set your thresholds for level 2 and level 3 projects

    2.1.5 Estimated Time: 30 minutes

    Now that the minimum threshold for your smallest projects has been identified, it’s time to identify the maximum threshold in order to better apply project intake, approval, and prioritization rigor where it’s needed.

    1. Looking at your project list (e.g. Activity 1.1.1, or your current project backlog), isolate the medium and large projects. Examine the two categories in turn.
    2. Start with the medium projects. Using the criteria identified in Activity 2.1.3, identify where your level one category ends.
    • What are the commonly recurring thresholds that distinguish medium-sized projects from smaller initiatives?
    • Are there any criteria that would need to take on a greater importance when making the distinction? For instance, will cost or duration take on a greater weighting when determining level thresholds?
    • Once you have reached consensus, record these in the table on the next slide.
  • Now examine your largest projects. Once again relying on the criteria from Activity 2.1.3, determine where your medium-sized projects end and your large projects begin.
    • What are the commonly recurring thresholds that distinguish large and extra-large projects from medium-sized initiatives?
    • Once you have reached consensus, records these in the table on the next slide.

    INPUT

    • Leveling criteria from Activity 2.1.3
    • Project backlog, or list of projects from Activity 1.1.1

    OUTPUT

    • Clarity around how to define your level two and three projects

    Materials

    • Whiteboard
    • The project level table on the next slide

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Sample Project Levels Table

    Project Level Level 1 Level 2 Level 3
    Work Effort 40-100 hours 100-500 hours 500+ hours
    Budget $100,000 and under $100,000 to $500,000 $500,000 and over
    Technology In-house expertise Familiar New or requires system-wide change/training
    Complexity Well-defined solution; no problems expected Solution is known; some problems expected Solution is unknown or not clearly defined
    Cross-Functional Workgroups/Teams 1-2 3-5 > 6

    Apply a computation decision-making method for project levelling

    2.1.5 Project Intake Classification Matrix

    Capture the project levels in Info-Tech’s Project Intake Classification Matrix Tool to benchmark your levelling criteria and to determine project levels for proposed projects.

    Download Info-Tech’s Project Intake Classification Matrix tool.

    A screenshot of Info-Tech's Project Intake Classification Matrix Tool, tab 2 is shown.
    1. Pick a category to define project levels.
    2. Enter the descriptions for each project level.
    3. Assign a relative weight for each category.
    4. A screenshot of Info-Tech's Project Intake Classification Matrix Tool, tab 3 is shown.
    5. Enter a project name.
    6. Choose the description that best fits the project. If unknown, leave it blank.
    7. Suggested project levels are displayed.

    Get tentative buy-in and support from an executive sponsor for project requests

    In most organizations a project requires sponsorship from the executive layer, especially for strategic initiatives. The executive sponsor provides several vital factors for projects:

    • Funding and resources
    • Direct support and oversight of the project leadership
    • Accountability, acting as the ultimate decision maker for the project
    • Ownership of, and commitment to, project benefits

    Sometimes a project request may be made directly by a sponsor; in other times, the Request Liaison may need to connect the project request to a project sponsor.

    In either case, project request has a tentative buy-in and support of an executive sponsor before a project request is developed into a proposal and examined for approval – the subject of this blueprint’s next step.

    PMs and Sponsors: The Disconnect

    A study in project sponsorship revealed a large gap between the perception of the project managers and the perception of sponsors relative to the sponsor capability. The widest gaps appear in the areas of:

    • Motivation: 34% of PMs say sponsors frequently motivate the team, compared to 82% of executive sponsors who say they do so.
    • Active listening: 42% of PMs say that sponsors frequently listen actively, compared to 88% of executive sponsors who say they do so.
    • Effective communication: 47% of PMs say sponsors communicate effectively and frequently, compared to 92% of executive sponsors who say they do so.
    • Managing change: 37% of PMs say sponsors manage change, compared to 82% of executive sponsors who say they do so.

    Source: Boston Consulting Group/PMI, 2014

    Actively engaged executive sponsors continue to be the top driver of whether projects meet their original goals and business intent.

    – PMI Pulse of the Profession, 2017

    76% of respondents [organizations] agree that the role of the executive sponsor has grown in importance over the past five years.

    – Boston Consulting Group/PMI, 2014

    Document your process to follow up on project requests

    2.1.6 45 minutes

    Review and customize section 2.4, “Follow up on project requests” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of optimizing this process is to initiate communication among the requestor, IT, and the sponsor to scope the project requests at a high level. The important decisions to document for this step include:

    1. How will you perform a scoping exercise with the requestor? Leverage existing organizational processes (e.g. high-level requirements gathering). Look to the previous slides for suggested outcomes of the exercise.
    2. How will you determine project levels? Record the outcomes of activities 2.1.5 into the SOP.
    3. How will the RL follow up on the scoped project request with a project sponsor? For example, project requests scoped at a high level will be presented to senior leadership whose lines of business are affected by the proposed project to gauge their initial interest.
    4. How will you account for the consumption of resource capacity? For example, impose a maximum of 8 hours per week per analyst, and track the hours worked for each request to establish a pattern for capacity consumption.
    5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Activity 2.1.5
    • Existing processes for scoping exercises

    OUTPUT

    • SOP for following up on project requests

    Materials

    • SOP Template

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Examine the new project intake workflow as a whole and document it in a flow chart

    2.1.7 Estimated Time: 30-60 minutes

    Review and customize section 2.1, “Project Intake Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    In Step 1.2 of the blueprint, you mapped out the current project intake, approval, and prioritization workflow and documented it in a flow chart. In this step, take the time to examine the new project intake process as a whole, and document the new workflow in the form of a flow chart.

    1. Requestor fills out form and submits the request.
    2. Requests are triaged into the proper queue.
    3. BA or PM prepares to develop requests into a project proposal.
    4. Requestor is given realistic expectations for approval process.

    Consider the following points:

    1. Are the inputs and outputs of each step clear? Who’s doing the work? How long will each step take, on average?
    2. Is the ownership of each step clear? How will we ensure a smooth handoff between each step and prevent requests from falling through the cracks?

    INPUT

    • New process steps for project intake (Activities 2.1.2-6)

    OUTPUT

    • Flowchart representation of new project intake workflow

    Materials

    • Microsoft Visio, flowchart software, or Microsoft PowerPoint

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Case study: Portfolio manager achieves intake and project success through detailed request follow-up

    Case Study

    Industry: Municipal Government

    Source: Info-Tech Client

    Challenge

    • There is an IT department with a relatively high level of project management maturity.
    • They have approximately 30 projects on the go, ranging from small to large.
    • To help with intake, IT assembled a project initiation team. It was made up of managers from throughout the county. This group “owned the talent” and met once a month to assess requests. As a group, they were able to assemble project teams quickly.

    Solution

    • Project initiation processes kept failing. A lot of time was spent within IT getting estimations precise, only to have sponsors reject business cases because they did not align with what those sponsors had in mind.
    • Off-the-grid projects were a challenge. Directors did not follow intake process and IT talent was torn in multiple directions. There was nothing in place for protecting the talent and enforcing processes on stakeholders.

    Results

    • IT dedicated a group of PMs and BAs to follow up on requests.
    • Working with stakeholders, this group collects specific pieces of information that allows IT to get to work on requests faster. Through this process, requests reach the charter stage more quickly and with greater success.
    • An intake ticketing system was established to protect IT talent. Workers are now better equipped to redirect stakeholders through to the proper channels.

    Step 2.2: Set up steps of project approval to maximize strategic alignment while right-sizing the required effort

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Perform a deeper retrospective on current project approval process
    • Define the approval steps, their accountabilities, and the corresponding terminologies for approval
    • Right-size effort and documentation required for each project level through the approval steps

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Administrative Staff

    Outcomes of this step

    • Retrospective of the current project intake process: to continue doing, to start doing, and to stop doing
    • A series of approval steps are defined, in which their accountabilities, responsibilities, and the nomenclature for what is approved at each steps are clarified and documented
    • A toolbox of deliverables for proposed projects that captures key information developed to inform project approval decisions at each step of the approval process, and the organizational standard for what to use for which project level
    • Documentation of the optimized process in the SOP document

    Set up an incremental series of approval stage-gates to tackle common challenges in project approval

    This section will help you address key challenges IT leaders face around project approval.

    Challenges Info-Tech’s Advice
    Project sponsors receive funding from their business unit or other source (possibly external, such as a grant), and assume this means their project is “approved” without any regard to IT costs or resource constraints. Clearly define a series of approval steps, and communicate requirements for passing them.
    Business case documentation is rarely updated to reflect unforeseen costs, emerging opportunities, and changing priorities. As a result, time and money is spent finishing diminished priority projects while the value of more recent projects erodes in the backlog. Approve projects in smaller pieces, with early test/pilot phases focused on demonstrating the value of later phases.
    Project business cases often focus on implementation and overlook ongoing operating costs imposed on IT after the project is finished. These costs further diminish IT’s capacity for new projects, unless investment in more capacity (such as hiring) is included in business cases. Make ongoing support and maintenance costs a key element in business case templates and evaluations.
    Organizations approve new projects without regard to the availability of resource capacity (or lack thereof). Project lead times grow and stakeholders become more dissatisfied because IT is unable to show how the business is competing with itself for IT’s time. Increase visibility into what IT is already working on and committed to, and for whom.

    Develop a project approval workflow

    Clearly define a series of approval steps, and communicate requirements for passing them. “Approval” can be a dangerous word in project and portfolio management, so it is important to clarify what is required to pass each step, and how long the process will take.

    1 2 3 4
    Approval step Concept Approval Feasibility Approval Business Case Approval Resource Allocation (Prioritization)
    Alignment Focus Business need / Project sponsorship Technology Organization-wide business need Resource capacity
    Possible dispositions at each gate
    • Approve developing project proposal
    • Reject concept
    • Proceed to business case approval
    • Approve a test/pilot project for feasibility
    • Reject proposal
    • Approve project and funding in full
    • Approve a test/pilot project for viability
    • Reject proposal
    • Begin or continue project work
    • Hold project
    • Outsource project
    • Reject project
    Accountability e.g. Project Sponsor e.g. CIO e.g. Steering Committee e.g. CIO
    Deliverable Benefits Commitment Form Template Proposed Project Technology Assessment Tool Business Case (Fast Track, Comprehensive) Intake and Prioritization Tool

    Identify the decision-making paradigm at each step

    In general, there are three different, mutually exclusive decision-making paradigms for approving projects:

    Paradigm Description Benefits Challenges Recommendation
    Unilateral authority One individual makes decisions. Decisions tend to be made efficiently and unambiguously. Consistency of agenda is easier to preserve. Decisions are subject to one person’s biases and unseen areas. Decision maker should solicit and consider input from others and seek objective rigor.
    Ad hoc deliberation Stakeholders informally negotiate and communicate decisions between themselves. Deliberation helps ensure different perspectives are considered to counterbalance individual biases and unseen areas. Ad hoc decisions tend to lack documentation and objective rationale, which can perpetuate disagreement. Use where unilateral decisions are unfeasible (due to complexity, speed of change, culture, etc.), and stakeholders are very well aligned or highly skilled negotiators and communicators.
    Formal steering committee A select group that represent various parts of the organization is formally empowered to make decisions for the organization. Formal committees can ensure oversight into decisions, with levers available to help resolve uncertainty or disagreement. Formal committees introduce administrative overhead and effort that might not be warranted by the risks involved. Formal steering committees are best where formality is warranted by the risks and costs involved, and the organizational culture has an appetite for administrative oversight.

    Info-Tech Insight

    The individual or party who has the authority to make choices, and who is ultimately answerable for those decisions, is said to be accountable. Understanding the needs of the accountable party is critical to the success of the project approval process optimization efforts.

    Perform a start-stop-continue exercise to help determine what is working and what is not working

    2.2.1 Estimated Time: 45 minutes

    Optimizing project approval may not require a complete overhaul of your existing processes. You may only need to tweak certain templates or policies. Perhaps you started out with a strong process and simply lost resolve over time – in which case you will need to focus on establishing motivation and discipline, rather than rework your entire process.

    Perform a start-stop-continue exercise with your team to help determine what should be salvaged, what should be abandoned, and what should be introduced:

    1.On a whiteboard or equivalent, write “Start,” “Stop,” and “Continue” in three separate columns. 3.As a group, discuss the responses and come to an agreement as to which are most valid.
    2.Equip your team with sticky notes or markers and have them populate the columns with ideas and suggestions surrounding your current processes. 4.;Document the responses to help structure your game plan for intake optimization.
    StartStopContinue
    • Inject technical feasibility approval step as an input to final approval
    • Simplify business cases
    • Approve low-value projects
    • Take too long in proposal development
    • Quarterly approval meetings
    • Approve resources for proposal development

    INPUT

    • Current project approval workflow (Activity 1.2.2)
    • Project approval success criteria (Activity 1.2.6)

    OUTPUT

    • Retrospective review of current approval process

    Materials

    • Whiteboard
    • Sticky notes/markers

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Customize the approval steps and describe them at a high level

    2.2.2 Estimated Time: 30-60 minutes

    Review and customize section 3.2, “Project Approval Steps” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of this activity is to customize the definition of the approval steps for your organization, so that it makes sense for the existing organizational governance structure, culture, and need. Use the results of the start-stop-continue to inform what to customize. Consider the following factors:

    1. Order of steps: given the current decision-making paradigm, does it make sense to reorder the steps?
    2. Dispositions at each step: what are the possible dispositions, and who is accountable for making the dispositions?
    3. Project levels: do all projects require three-step approval before they’re up for prioritization? For example, IT steering committee may wish to be involved only for Level 3 projects and Level 2 projects with significant business impact, and not for Level 1 projects and IT-centric Level 2 projects.
    4. Accountability at each step: who makes the decisions?
    5. Who will handle exceptions? Aim to prevent the new process from being circumvented by vocal stakeholders, but also allow for very urgent requests. A quick win to strike this balance is to clarify who will exercise this discretion.

    INPUT

    • Retrospective of current process (Activity 2.2.1)
    • Project level definition
    • Approval steps in the previous slide

    OUTPUT

    • Customized project approval steps for each project level

    Materials

    • Whiteboard

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Specify what “approval” really means to manage expectations for what project work can be done and when

    2.2.3 Estimated Time: 15 minutes

    Review and customize section 3.2, “Project Approval Steps” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    In the old reality, projects were approved and never heard back from again, which effectively gave your stakeholders a blanket default expectation of “declined.” With the new approval process, manage your stakeholder expectations more explicitly by refining your vocabulary around approval.

    Within this, decision makers should view their role in approval as approving that which can and should be done. When a project is approved and slated to backlog, the intention should be to allocate resources to it within the current intake cycle.

    Customize the table to the right with organizationally appropriate definitions, and update your SOP.

    “No” Declined.
    “Not Now” “It’s a good idea, but the time isn’t right. Try resubmitting next intake cycle.”
    “Concept Approval” Approval to add the item to the backlog with the intention of starting it this intake cycle.
    “Preliminary Approval” Approval for consumption of PMO resources to develop a business case.
    “Full Approval” Project is greenlighted and project resources are being allocated to it.

    Info-Tech Insight

    Refine the nomenclature. Add context to “approved” and “declined.” Speak in terms of “not now” or “you can have it when these conditions are met.” With clear expectations of the resources required to support each request, you can place accountability for keeping the request alive back on the sponsors.

    Continuously work out a balance between disciplined decision making and “analysis paralysis"

    A graph is depicted to show the relationship between disciplined decision making and analysis paralysis. The sweet spot for disciplined decisions changes between situations and types of decisions.

    A double bar graph is depicted to show the relative effort spent on management practice. The first bar shows that 20% has a high success of portfolio management. 35% has a low success of portfolio management. A caption on the graph: Spending additional time assessing business cases doesn’t necessarily improve success.

    Info-Tech Insight

    Estimates that form the basis of business cases are often based on flawed assumptions. Use early project phases or sprints to build working prototypes to test the assumptions on which business cases are built, rather than investing time improving precision of estimates without improving accuracy.

    Right-size project approval process with Info-Tech’s toolbox of deliverables

    Don’t paint every project with the same brush. Choose the right set of information needed for each project level to maximize the throughput of project approval process.

    The next several slides will take you through a series of tools and templates that help guide the production of deliverables. Each deliverable wireframes the required analysis of the proposed project for one step of the approval process, and captures that information in a document. This breaks down the overall work for proposal development into digestible chunks.

    As previously discussed, aim to right-size the approval process rigor for project levels. Not all project levels may call for all steps of approval, or the extent of required analysis within an approval step may differ. This section will conclude by customizing the requirement for deliverables for each project level.

    Tools and Templates for the Project Approval Toolbox

    • Benefits Commitment Form Template (.xlsx) Document the project sponsor’s buy-in and commitment to proposed benefits in a lightweight fashion.
    • Proposed Technology Assessment Tool (.xlsx) Determine the proposed project’s readiness for adoption from a technological perspective.
    • Business Case Templates (.docx) Guide the analysis process for the overall project proposal development in varying levels of detail.

    Use Info-Tech’s lightweight Benefits Commitment Form Template to document the sponsor buy-in and support

    2.2.4 Benefits Commitment Form Template

    Project sponsors are accountable for the realization of project benefits. Therefore, for a project to be approved by a project sponsor, they must buy-in and commit to the proposed benefits.

    Defining project benefits and obtaining project sponsor commitment has been demonstrated to improve the project outcome by providing the focal point of the project up-front. This will help reduce wasted efforts to develop parts of the proposals that are not ultimately needed.

    A double bar graph titled: Benefits realization improves project outcome is shown.

    Download Info-Tech’s Benefits Commitment Form Template.

    Contents of a Benefits Commitment Form

    • One-sentence highlight of benefits and risks
    • Primary benefit, hard (quantitative) and soft (qualitative)
    • Proposed measurements for metrics
    • Responsible and accountable parties for benefits
    A screenshot of Info-Tech's Establish the Benefits Realization Process blueprint is shown.

    For further discussion on benefits realization, use Info-Tech’s blueprint, Establish the Benefits Realization Process.

    Use Info-Tech’s Proposed Project Technology Assessment Tool to analyze a technology’s readiness for adoption

    2.2.4 Proposed Project Technology Assessment Tool

    In some projects, there needs to be an initial idea of what the project might look like. Develop a high-level solution for projects that:

    • Are very different from previous projects.
    • Are fairly complex, or not business as usual.
    • Require adoption of new technology or skill set.

    IT should advise and provide subject matter expertise on the technology requirements to those that ultimately approve the proposed projects, so that they can take into account additional costs or risks that may be borne from it.

    Info-Tech’s Proposed Project Technology Assessment Tool has a series of questions to address eight categories of considerations to determine the project’s technological readiness for adoption. Use this tool to ensure that you cover all the bases, and help you devise alternate solutions if necessary – which will factor into the overall business case development.

    Download Info-Tech’s Proposed Project Technology Assessment Tool.

    A screenshot of Info-Tech's Proposed Project Technology Assessment Tool is shown.

    Enable project valuation beyond financial metrics with Info-Tech’s Business Case Templates

    2.2.4 Business Case Template (Comprehensive and Fast Track)

    Traditionally, a business case is centered around financial metrics. While monetary benefits and costs are matters of bottom line and important, financial metrics are only part of a project’s value. As the project approval decisions must be based on the holistic comparison of project value, the business case document must capture all the necessary – and only those that are necessary – information to enable it.

    However, completeness of information does not always require comprehensiveness. Allow for flexibility to speed up the process of developing business plan by making a “fast-track” business case template available. This enables the application of the project valuation criteria with all other projects, with right-sized effort.

    Alarming business case statistics

    • Only one-third of companies always prepare a business case for new projects.
    • Nearly 45% of project managers admit they are unclear on the business objectives of their IT projects.

    (Source: Wrike)

    Download Info-Tech’s Comprehensive Business Case Template.

    A screenshot of Info-Tech's Comprehensive Business Case Template is shown.

    Download Info-Tech’s Fast Track Business Case Template.

    A screenshot of Info-Tech's Fast Track Business Case Template is shown.

    Info-Tech Insight

    Pass on that which is known. Valuable information about projects is lost due to a disconnect between project intake and project initiation, as project managers are typically not brought on board until project is actually approved. This will be discussed more in Phase 3 of this blueprint.

    Document the right-sized effort and documentation required for each project level

    2.2.4 Estimated Time:60-90 minutes

    Review and customize section 3.3, “Project Proposal Deliverables” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of this activity is to customize the requirements for project proposal deliverables, so that it properly informs each of the approval steps discussed in the previous activity. The deliverables will also shape the work effort required for projects of various levels. Consider the following factors:

    1. Project levels: what deliverables should be required, recommended, or suggested for each of the project levels? How will exceptions be handled, and who will be accountable?
    2. Existing project proposal documents: what existing proposal documents, tools and templates can we leverage for the newly optimized approval steps?
    3. Skills availability: do these tools and templates represent a significant departure from the current state? If so, is there capacity (time and skill) to achieve the desired target state?
    4. How will you account for the consumption of resource capacity? Do a rough order of estimate for the resource capacity consumed the new deliverable standard.
    5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Process steps (Activity 2.2.2)
    • Current approval workflow(Activity 1.2.1)
    • Artifacts introduced in the previous slides

    OUTPUT

    • Requirement for artifacts and effort for each approval step

    Materials

    • Whiteboard

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Examine the new project approval workflow as a whole and document it in a flow chart

    2.2.5 Estimated Time: 30-60 minutes

    Review and customize section 3.1, “Project Approval Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    In Step 1.2 of the blueprint, you mapped out the current project intake, approval, and prioritization workflow and documented it in a flow chart. In this step, take the time to examine the new project intake process as a whole, and document the new workflow in the form of a flow chart.

    1 2 3 4
    Approval Step Concept Approval Feasibility Approval Business Case Approval Resource Allocation (Prioritization)
    Alignment Focus Business need/ Project Sponsorship Technology

    Organization-wide

    Business need

    Resource capacity

    Consider the following points:

    1. Are the inputs and outputs of each step clear? Who’s doing the work? How long will each step take, on average?
    2. Is the ownership of each step clear? How will we ensure a smooth hand-off between each step and prevent requests from falling through the cracks?

    INPUT

    • New process steps for project approval (Activities 2.2.2-4)

    OUTPUT

    • Flowchart representation of new project approval workflow

    Materials

    • Microsoft Visio, flowchart software, or Microsoft PowerPoint

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Step 2.3: Prioritize projects to maximize the value of the project portfolio within the constraint of resource capacity

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Perform a deeper retrospective on current project prioritization process
    • Optimize your process to maintain resource capacity supply and project demand data
    • Optimize your process to formally make disposition recommendations to appropriate decision makers

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Administrative Staff

    Outcomes of this step

    • Retrospective of the current project prioritization process: to continue doing, to start doing, and to stop doing
    • Realistic estimate of available resource capacity, in the absence of a resource management practice
    • Optimized process for presenting the decision makers with recommendations and facilitating capacity-constrained steering of the project portfolio
    • Project Intake and Prioritization Tool for facilitating the prioritization process
    • Documentation of the optimized process in the SOP document

    The availability of staff time is rarely factored into IT project and service delivery commitments

    A lot gets promised and worked on, and staff are always busy, but very little actually gets done – at least not within given timelines or to expected levels of quality.

    Organizations tend to bite off more than they can chew when it comes to project and service delivery commitments involving IT resources.

    While the need for businesses to make an excess of IT commitments is understandable, the impacts of systemically over-allocating IT are clearly negative:

    • Stakeholder relations suffer. Promises are made to the business that can’t be met by IT.
    • IT delivery suffers. Project timelines and quality frequently suffer, and service support regularly lags.
    • Employee engagement suffers. Anxiety and stress levels are consistently high among IT staff, while morale and engagement levels are low.

    76%: 76% of organizations say they have too many projects on the go and an unmanageable and ever-growing backlog of things to get to.

    – Cooper, 2014

    70%: Almost 70% of workers feel as though they have too much work on their plates and not enough time to do it.

    – Reynolds, 2016

    Unconstrained, unmanaged demand leads to prioritization of work based on consequences rather than value

    Problems caused by the organizational tendency to make unrealistic delivery commitments is further complicated by the reality of the matrix environment.

    Today, many IT departments use matrix organization. In this system, demands on a resource’s time come from many directions. While resources are expected to prioritize their work, they lack the authority to formally reject any demand. As a result, unconstrained, unmanaged demand frequently outstrips the supply of work-hours the resource can deliver.

    When this happens, the resource has three options:

    1. Work more hours, typically without compensation.
    2. Choose tasks not to do in a way that minimizes personal consequences.
    3. Diminish work quality to meet quantity demands.

    The result is an unsustainable system for all those involved:

    1. Individual workers cannot meet expectations, leading to frustration and disengagement.
    2. Managers cannot deliver on the projects or services they manage and struggle to retain skilled resources who are looking elsewhere for “greener pastures.”
    3. Executives cannot execute strategic plans as they lose decision-making power over their resources.

    Prioritize project demand by project value to get the most out of constrained project capacity – but practicing it is difficult

    The theory may be simple and intuitive, but the practice is extremely challenging. There are three practical challenges to making project prioritization effective.

    Project Prioritization

    Capacity awareness

    Many IT departments struggle to realistically estimate available project capacity in a credible way. Stakeholders question the validity of your endeavor to install capacity-constrained intake process, and mistake it for unwillingness to cooperate instead.

    Lack of authority

    Many PMOs and IT departments simply lack the ability to decline or defer new projects.

    Many moving parts

    Project intake, approval, and prioritization involve the coordination of various departments. Therefore, they require a great deal of buy-in and compliance from multiple stakeholders and senior executives.

    Project Approval

    Unclear definition of value

    Defining the project value is difficult, because there are so many different and conflicting ways that are all valid in their own right. However, without it, it's impossible to fairly compare among projects to select what's "best."

    Unclear definition of value

    In Step 1.1 of the blueprint, we took the first step toward resolving this challenge by prototyping a project valuation scorecard.

    A screenshot of Step 1.1 of this blueprint is shown.

    "Prioritization is a huge issue for us. We face the simultaneous challenges of not having enough resources but also not having a good way to say no. "

    – CIO, governmental health agency

    Address the challenges of capacity awareness and authority with a project prioritization workflow

    Info-Tech recommends following a four-step process for managing project prioritization.

    1. Collect and update supply and demand data
      1. Re-evaluate project value for all proposed, on-hold and ongoing projects
      2. Estimate available resource capacity for projects
    2. Prioritize project demand by value
      1. Identify highest-value, “slam-dunk” projects
      2. Identify medium-value, “on-the-bubble” projects
      3. Identify lower-value projects that lie beyond the available capacity
    3. Approve projects for initiation or continuation
      1. Submit recommendations for review
      2. Adjust prioritized list with business judgment
      3. Steering committee approves projects to work on
    4. Manage a realistically defined project portfolio
    • Stakeholder Need
    • Strategic Objectives
    • Resource Capacity

    Intake and Prioritization Tool

    Perform a start-stop-continue exercise to help determine what is working and what is not working

    2.3.1 Estimated Time: 60 minutes

    Optimizing project prioritization may not require a complete overhaul of your existing processes. You may only need to tweak certain templates or policies. Perhaps you started out with a strong process and simply lost resolve over time – in which case you will need to focus on establishing motivation and discipline, rather than rework your entire process.

    Perform a start-stop-continue exercise with your team to help determine what should be salvaged, what should be abandoned, and what should be introduced:

    1. On a whiteboard or equivalent, write “Start,” “Stop,” and “Continue” in three separate columns. 3. As a group, discuss the responses and come to an agreement as to which are most valid.
    2. Equip your team with sticky notes or markers and have them populate the columns with ideas and suggestions surrounding your current processes. 4. Document the responses to help structure your game plan for intake optimization.
    Start Stop Continue
    • Periodically review the project value scorecard with business stakeholders
    • “Loud Voices First” prioritization
    • Post-prioritization score changes
    • Updating project value scores for current projects

    INPUT

    • Current project prioritization workflow (Activity 1.2.2)
    • Project prioritization success criteria (Activity 1.2.6)

    OUTPUT

    • Retrospective review of current prioritization process

    Materials

    • Whiteboard
    • Sticky notes/markers

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Use Info-Tech’s lightweight Intake and Prioritization Tool to get started on capacity-constrained project prioritization

    Use Info-Tech’s Project Intake and Prioritization Tool to facilitate the scorecard-driven prioritization and ensure effective flow of data.

    This tool builds on the Project Valuation Scorecard Tool to address the challenges in project prioritization:

    1. Lack of capacity awareness: quickly estimate a realistic supply of available work hours for projects for a given prioritization period, in the absence of a reliable and well-maintained resource utilization and capacity data.
    2. Using standard project sizing, quickly estimate the size of the demand for proposed and ongoing projects and produce a report that recommends the list of projects to greenlight – and highlight the projects within that list that are at risk of being short-charged of resources – that will aim to help you tackle:

    3. Lack of authority to say “no” or “not yet” to projects: save time and effort in presenting the results of project prioritization analysis that will enable the decision makers to make well-informed, high-quality portfolio decisions.
    4. The next several slides will walk you through the tool and present activities to facilitate its use for your organization.

    Download Info-Tech’s Project Intake and Prioritization Tool.

    A screenshot of Info-Tech's Project Intake Prioritization Tool is shown.

    Create a high-level estimate of available project capacity to inform how many projects can be greenlighted

    2.3.2 Project Intake and Prioritization Tool, Tab 2: Project Capacity

    Estimate how many work-hours are at your disposal for projects using Info-Tech’s resource calculator.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool, Tab 2: Project Capacity

    1. Compile a list of each role within your department, the number of staff, and the hours in a typical work week.

    2. Enter the foreseeable out-of-office time (vacation, sick time, etc.). Typically, this value is 12-16% depending on the region.

    3. Enter how much working time is spent on non-projects for each role: administrative duties and “keep the lights on” work.

    4. Select a period of time for breaking down available resource capacity in hours.

    Project Work (%): Percentage of your working time that goes toward project work is calculated as what’s left after your non-project working time allocations have been subtracted.

    Project (h) Total Percentage: Take a note of this percentage as your project capacity. This number will put the estimated project demand in context for the rest of the tool.

    Example for a five-day work week:

    • 2 weeks (10 days) of statutory holidays
    • 3 weeks of vacation
    • 1.4 weeks (7 days) of sick days on average
    • 1 week (5 days) for company holidays

    Result: 7.4/52 weeks’ absence = 14%

    Estimate your available project capacity for the next quarter, half-year, or year

    2.3.2 Estimated Time: 30 minutes

    Discover how many work-hours are at your disposal for project work.

    1. Use the wisdom-of-the-crowd approach or resource utilization data to fill out Tab 2 of the tool. This is intended to be somewhat of a rough estimate; avoid the pitfall of being too granular in role or in time split.
    2. Choose a time period that corresponds to your project prioritization period: monthly, quarterly, 4 months, semi-annually (6 months), or annually.
    3. Examine the pie graph representation of your overall capacity breakdown, like the one shown below.

    Screenshot from Tab 2 of Project Intake and Prioritization Tool

    INPUT

    • Knowledge of organization’s personnel and their distribution of time

    OUTPUT

    • Estimate of available project capacity

    Materials

    • Project Intake and Prioritization Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    On average, only about half of the available project capacity results in productive project work

    Place realistic expectations on your resources’ productivity.

    Info-Tech’s PPM Current State Scorecard diagnostic provides a comprehensive view of your portfolio management strengths and weaknesses, including project portfolio management, project management, customer management, and resource utilization.

    A screenshot of Info-Tech's PPM Current State Scorecard diagnostic

    Use the wisdom of the crowd to estimate resource waste in:

    • Cancelled projects
    • Inefficiency
    • Suboptimal assignment of resources
    • Unassigned resources
    • Analyzing, fixing, and redeploying

    50% of PPM resource is wasted on average, effectively halving your available project capacity.

    Source: Info-Tech PPM Current State Scorecard

    Define project capacity and project t-shirt sizes

    2.3.3 Project Intake and Prioritization Tool, Tab 3: Settings

    The resource capacity calculator in the previous tab yields a likely optimistic estimate for how much project capacity is available. Based on this estimate as a guide, enter your optimistic (maximum) and pessimistic (minimum) estimates of project capacity as a percentage of total capacity:

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 3

    Info-Tech’s data shows that only about 50% of time spent on project work is wasted: cancelled projects, inefficiency, rework, etc. As a general rule, enter half of your maximum estimate of your project capacity.

    Capacity in work hours is shown here from the previous tab, to put the percentages in context. This example shows a quarterly breakdown (Step 4 from the previous slide; cell N5 in Tab 2.).

    Next, estimate the percentage of your maximum estimated project capacity that a single project would typically consume in the given period for prioritization.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 3

    These project sizes might not line up with the standard project levels from Step 2.1 of the blueprint: for example, an urgent mid-sized project that requires all hands on deck may need to consume almost 100% of maximum available project capacity.

    Estimate available project capacity and standard project demand sizes for prioritizing project demand

    2.3.3 Estimated Time: 30 minutes

    Refine your estimates of project capacity supply and demand as it applies to a prioritization period.

    1. The estimated project capacity from Activity 2.3.2 represents a theoretical limit. It is most likely an overestimation (see box below). As a group, discuss and decide on a more realistic available project capacity:
      1. Optimistic estimate, assuming sustained peak productivity from everyone in your organization;
      2. Pessimistic estimate, taking into account the necessary human downtime and the PPM resource waste (see previous slide).
    2. Refine the choices of standard project effort sizes, expressed as percentages of maximum project capacity. As a reminder, this sizing is for the chosen prioritization period, and is independent from the project levels set previously in Activity 2.1.4 and 2.1.5.

    Dedicated work needs dedicated break time

    In a study conducted by the Draugiem Group, the ideal work-to-break ratio for maximizing focus and productivity was 52 minutes of work, followed by 17 minutes of rest (Evans). This translates to 75% of resource capacity yielding productive work, which could inform your optimistic estimate of project capacity.

    INPUT

    • Project capacity (Activity 2.3.2)
    • PPM Current State Scorecard (optional)

    OUTPUT

    • Capacity and demand estimate data for tool use

    Materials

    • Project Intake and Prioritization Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Finish setting up the Project Intake and Prioritization Tool

    2.3.4 Project Intake and Prioritization Tool, Tab 3: Settings

    Enter the scoring criteria, which was worked out from Step 1.1 of the blueprint. This workbook supports up to ten scoring criteria; use of more than ten may make the prioritization step unwieldy.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 3

    Leave unused criteria rows blank.

    Choose “value” or “execution” from a drop-down.

    Score does not need to add up to 100.

    Finally, set up the rest of the drop-downs used in the next tab, Project Data. These can be customized to fit your unique project portfolio needs.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 3

    Enter project data into the Project Intake and Prioritization Tool

    2.3.4 Project Intake and Prioritization Tool, Tab 4: Project Data

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 4

    Ensure that each project has a unique name.

    Completed (or cancelled) projects will not be included in prioritization.

    Choose the standard project size defined in the previous tab.

    Change the heading when you customize the workbook.

    Days in Backlog is calculated from the Date Added column.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 4

    Overall weighted project prioritization score is calculated as a sum of value and execution scores.

    Weighted value and execution scores are calculated according to the scoring criteria table in the 2. Settings tab.

    Enter the raw scores. Weights will be taken into calculation behind the scenes.

    Spaces for unused intake scores will be greyed out. You can enter data, but they will not affect the calculated scores.

    Document your process to maintain resource capacity supply and project demand data

    2.3.4 Estimated Time: 30 minutes

    Review and customize section 4.2, “Maintain Supply and Demand Data” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of this activity is to document the process with which the supply and demand information will be updated for projects. Consider the following factors:

    1. Estimates of resource supply: how often will the resource supply be updated? How are you estimating the range (maximum vs. minimum, optimistic vs. pessimistic)? Leverage your existing organizational process assets for resource management.
    2. Updating project data for proposed projects: when and how often will the project valuation scores be updated? Do you have sufficient inputs? Examine the overall project approval process from Step 2.2 of the blueprint, and ensure that sufficient information is available for project valuation (Activity 2.2.3).
    3. Updating project data for ongoing projects: will you prioritize ongoing projects along with proposed projects? When and how often will the project valuation scores be updated? Do you have sufficient inputs?
    4. How will you account for the consumption of resource capacity? Do a rough order of estimate for the resource capacity consumed in this process.
    5. Who will handle exceptions? For example, PMO will maintain this process and will handle any questions or issues that pertain to this part of the process.

    INPUT

    • Organizational process assets for resource management, strategic planning, etc.
    • Activity 2.3.3
    • Activity 2.2.3

    OUTPUT

    • Process steps for refreshing supply and demand data

    Materials

    • SOP Template
    • Project Intake and Prioritization Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts
    • PMO Admin Staff

    Prioritized list of projects shows what fits under available project capacity for realizing maximum value

    2.3.5 Project Intake and Prioritization Tool, Tab 5: Results

    The output of the Project Intake and Prioritization Tool is a prioritized list of projects with indicators to show that their demand on project capacity will fit within the estimated available project capacity for the prioritization period.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 5

    Status indicates whether the project is proposed or ongoing; completed projects are excluded.

    Disposition indicates the course of recommended action based on prioritization.

    Proposed projects display how long they have been sitting in the backlog.

    Projects highlighted yellow are marked as “deliberate” for their dispositions. These projects pose risks of not getting properly resourced. One must proceed with caution if they are to be initiated or continued.

    Provide better support to decision makers with the prioritized list, and be prepared for their steering

    It is the portfolio manager’s responsibility to provide the project portfolio owners with reliable data and enable them to make well-informed decisions for the portfolio.

    The prioritized list of proposed and ongoing projects, and an approximate indication for how they fill out the estimated available resource capacity, provide a meaningful starting ground for discussion on which projects to continue or initiate, to hold, or to proceed with caution.

    However, it is important to recognize the limitation of the prioritization methodology. There may be legitimate reasons why some projects should be prioritized over another that the project valuation method does not successfully capture. At the end of the day, it’s the prerogative of the portfolio owners who carry on the accountabilities to steer the portfolio.

    The portfolio manager has a responsibility to be prepared for reconciling the said steering with the unchanged available resource capacity for project work. What comes off the list of projects to continue or initiate? Or, will we outsource capacity if we must meet irreconcilable demand? The next slide will show how Info-Tech’s tool helps you with this process.

    Info-Tech Best Practice

    Strive to become the best co-pilot. Constantly iterate on the scoring criteria to better adapt to the portfolio owners’ preference in steering the project portfolio.

    Manipulate the prioritized list with the Force Disposition list

    2.3.5 Project Intake and Prioritization Tool, Tab 5: Results

    The Force Disposition list enables you to inject subjective judgment in project prioritization. Force include and outsource override project prioritization scores and include the projects for approval:

    • Force include counts the project demand against capacity.
    • Outsource, on the other hand, does not count the project demand.
    • Force exclude removes a project from prioritized list altogether, without deleting the row and losing its data.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 5

    Choose a project name and a disposition using a drop-down.

    Use this list to test out various scenarios, useful for what-if analysis.

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 5

    Document your process to formally make disposition recommendations to appropriate decision-making party

    2.3.5 Estimated Time: 60 minutes

    Review and customize section 4.3, “Approve projects for initiation or continuation” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    The goal of this activity is to formalize the process of presenting the prioritized list of projects for review, modify the list based on steering decisions, and obtain the portfolio owners’ approval for projects to initiate or continue, hold, or terminate. Consider the following factors:

    1. Existing final approval process: what are the new injections to the current decision-making process for final approval?
    2. Meeting prep, agenda, and follow-up: what are the activities that must be carried out by PMO / portfolio manager to support the portfolio decision makers and obtain final approval?
    3. “Deliberate” projects: what additional information should portfolio owners be presented with, in order to deliberate on the projects at risk of being not properly resourced? For example, consider a value-execution plot (right).

    A screenshot of Info-Tech's Project Intake and Prioritization Tool Tab 5

    INPUT

    • Approval process steps (Activity 2.2.2)
    • Steering Committee process documentation

    OUTPUT

    • Activities for supporting the decision-making body

    Materials

    • SOP Template
    • Project Intake and Prioritization Tool

    Participants

    • CIO
    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Once a project is approved, pass that which is known on to those responsible for downstream processes

    Aim to be responsible stewards of important and costly information developed throughout project intake, approval, and prioritization processes.

    Once the proposed project is given a green light, the project enters an initiation phase.

    No matter what project management methodology is employed, it is absolutely vital to pass on the knowledge gained and insights developed through the intake, approval, and prioritization processes. This ensures that the project managers and team are informed of the project’s purpose, business benefits, rationale for the project approval, etc. and be able to focus their efforts in realizing the project’s business goals.

    Recognize that this does not aim to create any new artifacts. It is simply a procedural safeguard against the loss of important and costly information assets for your organization.

    A flowchart is shown as an example of business documents leading to the development of a project charter.

    Information from the intake process directly feeds into, for example, developing a project charter.

    Source: PMBOK, 6th edition

    "If the project manager can connect strategy to the project they are leading (and therefore the value that the organization desires by sanctioning the project), they can ensure that the project is appropriately planned and managed to realize those benefits."

    – Randall T. Black, P.Eng., PMP; source: PMI Today

    Examine the new project intake workflow as a whole and document it in a flow chart

    2.3.6 Estimated Time: 30-60 minutes

    Review and customize section 4.1, “Project Prioritization Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template.

    In Step 1.2 of the blueprint, you mapped out the current project intake, approval, and prioritization workflow and documented it in a flow chart. In this step, take the time to examine the new project intake process as a whole, and document the new workflow in the form of a flow chart.

    1. Collect and update supply and demand data
    2. Prioritize project demand by value
    3. Approve projects for initiation or continuation
    4. Manage a realistically defined project portfolio

    Consider the following points:

    1. Are the inputs and outputs of each step clear? Who’s doing the work? How long will each step take, on average?
    2. Is the ownership of each step clear? How will we ensure a smooth handoff between each step and prevent requests from falling through the cracks?

    INPUT

    • New process steps for project prioritization (Activities 2.3.x-y)

    OUTPUT

    • Flowchart representation of new project prioritization workflow

    Materials

    • Microsoft Visio, flowchart software, or Microsoft PowerPoint

    Participants

    • CIO
    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Leverage Info-Tech’s other blueprints to complement your project prioritization processes

    The project capacity estimates overlook a critical piece of the resourcing puzzle for the sake of simplicity: skills. You need the right skills at the right time for the right project.

    Use Info-Tech’s Balance Supply and Demand with Realistic Resource Management Practices blueprint to enhance the quality of information on your project supply.

    A screenshot of Info-Tech's Balance Supply and Demand with Realistic Resource Management Practices blueprint.

    There is more to organizing your project portfolio than a strict prioritization by project value. For example, as with a financial investment portfolio, project portfolio must achieve the right investment mix to balance your risks and leverage opportunities.

    Use Info-Tech’s Maintain an Organized Portfolio blueprint to refine the makeup of your project portfolio.

    A screenshot of Info-Tech's Maintain an Organized Portfolio blueprint.

    Continuous prioritization of projects allow organizations to achieve portfolio responsiveness.

    Use Info-Tech’s Manage an Agile Portfolio blueprint to take prioritization of your project portfolio to the next level.

    A screenshot of Info-Tech's Manage an Agile Portfolio blueprint

    46% of organizations use a homegrown PPM solution. Info-Tech’s Grow Your Own PPM Solution blueprint debuts a spreadsheet-based Portfolio Manager tool that provides key functionalities that integrates those of the Intake and Prioritization Tool with resource management, allocation and portfolio reporting capabilities.

    A screenshot of Info-Tech's Grow Your Own PPM Solution blueprint

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    A picture of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.2-6

    A screenshot of activities 2.1.2-6 is shown.

    Optimize your process to receive, triage, and follow up on project requests

    Discussion on decision points and topics of consideration will be facilitated to leverage the diverse viewpoints amongst the workshop participants.

    2.3.2-5

    A screenshot of activities 2.3.2-5 is shown.

    Set up a capacity-informed project prioritization process using Info-Tech’s Project Intake and Prioritization Tool

    A table-top planning exercise helps you visualize the current process in place and identify opportunities for optimization.

    Phase 3

    Integrate the New Optimized Processes into Practice

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Integrate the New Optimized Processes into Practice

    Proposed Time to Completion: 6-12 weeks

    Step 3.1: Pilot your process to refine it prior to rollout

    Start with an analyst kick-off call:

    • Review the proposed intake, approval, and prioritization process

    Then complete these activities…

    • Select receptive stakeholders to work with
    • Define the scope of your pilot and determine logistics
    • Document lessons learned and create an action plan for any changes

    With these tools & templates:

    • Process Pilot Plan
    • Project Backlog Manager Job Description

    Step 3.2: Analyze the impact of organizational change

    Review findings with analyst:

    • Results of the process pilot and the finalized intake SOP
    • Key PPM stakeholders
    • Current organizational climate

    Then complete these activities…

    • Analyze the stakeholder impact and responses to impending organizational change
    • Create message canvases for at-risk change impacts and stakeholders to create an effective communication plan

    With these tools & templates:

    • Intake Process Implementation Impact Analysis Tool

    Phase 3 Results & Insights:

    • Engagement paves the way for smoother adoption. An “engagement” approach (rather than simply “communication”) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Step 3.1: Pilot your intake, approval, and prioritization process to refine it before rollout

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Select receptive managers to work with during your pilot
    • Define the scope of your pilot and determine logistics
    • Plan to obtain feedback, document lessons learned, and create an action plan for any changes
    • Finalize Project Intake, Approval, and Prioritization SOP

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts

    Outcomes of this step

    • A pilot team
    • A process pilot plan that defines the scope, logistics, and process for retrospection
    • Project Backlog Manager job description
    • Finalized Project Intake, Approval, and Prioritization SOP for rollout

    Pilot your new processes to test feasibility and address issues before a full deployment

    Adopting the right set of practices requires a significant degree of change that necessitates buy-in from varied stakeholders throughout IT and the business.

    Rome wasn’t built in a day. Similarly, benefits of optimized project intake, approval, and prioritization process will not be realized overnight.

    Resist the urge to deploy a big-bang roll out of your new intake practices. The approach is ill advised for two main reasons:

    • It will put more of a strain on the implementation team in the near term, with a larger pool of end users to train and collect data from.
    • Putting untested practices in a department-wide spotlight could lead to mass confusion in the near-term and color the new processes in a negative light, leading to a loss of stakeholder trust and engagement right out-of-the-gate.

    Start with a pilot phase. Identify receptive lines of business and IT resources to work with, and leverage their insights to help iron out the kinks in your process before unveiling your practices to IT and all business users at large.

    This step will help you to:

    • Plan and execute a pilot of the processes we developed in Phase 2.
    • Incorporate the lessons learned from that pilot to strengthen your SOP and ease the communication process.

    Info-Tech Insight

    Engagement paves the way for smoother adoption. An “engagement” approach (rather than simply “communication”) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Plan your pilot like you would any project to ensure it’s well defined and its goals are clearly articulated

    Use Info-Tech’s Intake Process Pilot Plan Template to help define the scope of your pilot and set appropriate goals for the test-run of your new processes.

    A process pilot is a limited scope of an implementation (constrained by time and resources involved) in order to test the viability and effectiveness of the process as it has been designed.

    • Investing time and energy into a pilot phase can help to lower implementation risk, enhance the details and steps within a process, and improve stakeholder relations prior to a full scale rollout.
    • More than a dry run, however, a pilot should be approached strategically, and planned out to limit the scope of it and achieve specific outcomes.
    • Leverage a planning document to ensure your process pilot is grounded in a common set of definitions, that the pilot is delivering value and insight, and that ultimately the pilot can serve as a starting point for a full-scale process implementation.

    Download Info-Tech’s Process Pilot Plan Template

    A screenshot of Info-Tech's Process Pilot Plan Template is shown.

    "The advantages to a pilot are several. First, risk is constrained. Pilots are closely monitored so if a problem does occur, it can be fixed immediately. Second, the people working in the pilot can become trainers as you roll the process out to the rest of the organization. Third, the pilot is another opportunity for skeptics to visit the pilot process and learn from those working in it. There’s nothing like seeing a new process working for people to change their minds."

    Daniel Madison

    Select receptive stakeholders to work with during your pilot

    3.1.1 Estimated Time: 20-60 minutes

    Info-Tech recommends selecting PPM stakeholders who are aware of your role and some of the challenges in project intake, approval, and prioritization to assist in the implementation process.

    1. If receptive PPM stakeholders are known, schedule a 15-minute meeting with them to inquire if they would be willing to be part of the pilot process.
    2. If receptive project managers are not known, use Info-Tech’s Stakeholder Engagement Workbook to conduct a formal selection process.
      1. Enter a list of potential participants for pilot in tab 3.
      2. Rate project managers in terms of influence, pilot interest, and potential deployment contribution within tab 4.
      3. Review tab 5 in the workbook. Receptive PPM stakeholders will appear in the top quadrants. Ideal PPM stakeholders for the pilot are located in the top right quadrant of the graph.

    A screenshot of Info-Tech's Stakeholder Engagement Workbook Tab 5 is shown.

    INPUT

    • Project portfolio management stakeholders (Activity 1.2.3)

    OUTPUT

    • Pilot project team

    Materials

    • Stakeholder Engagement Workbook
    • Process Pilot Plan Template

    Participants

    • PMO Director/ Portfolio Manager
    • CIO (optional)

    Document the PPM stakeholders involved in your pilot in Section 3 of Info-Tech’s Process Pilot Plan Template.

    Define the scope of your pilot and determine logistics

    3.1.2 Estimated Time: 60-90 minutes

    Use Info-Tech’s Process Pilot Plan Template to design the details of your pilot.

    Investing time into planning your pilot phase strategically will ensure a clear scope, better communications for those piloting the processes, and – overall – better, more actionable results for the pilot phase. The Pilot Plan Template is broken into five sections to assist in these goals:

    • Pilot Overview and Scope
    • Success and Risk Factors
    • Stakeholders Involved and Communications Plan
    • Pilot Retrospective and Feedback Protocol

    The duration of your pilot should go at least one prioritization period, e.g. one to two quarters.

    Estimates of time commitments should be captured for each stakeholder. During the retrospective at the end of the pilot you should capture actuals to help determine the time-cost of the process itself and measure its sustainability.

    Once the Plan Template is completed, schedule time to share and communicate it with the pilot team and executive sponsors of the process.

    While you should invest time in this planning document, continue to lean on the Intake, Approval, and Prioritization SOP throughout the pilot phase.

    INPUT

    • Sections 1 through 4 of the Process Pilot Plan Template

    OUTPUT

    • A process pilot plan

    Materials

    • Process Pilot Plan Template

    Participants

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts
    • CIO (optional)

    Execute your pilot and prepare to make process revisions before the full rollout

    Hit play! Begin the process pilot and get familiar with the work routine and resource management solution.

    Some things to keep in mind during the pilot include:

    • Depending on the solution you are using, you will likely need to spend one day or less to populate the tool. During the pilot, measure the time and effort required to manage the data within the tool. Determine whether time and effort required is viable on an ongoing basis (i.e. can you do it every month or quarter) and has value.
    • Meet with the pilot team and other stakeholders regularly during the pilot, at least biweekly. Allow the team (and yourself) to speak honestly and openly about what isn’t working. The pilot is your chance to make things better.
    • Keep notes about what will need to change in the SOP. For major changes, you may have to tweak the process during the pilot itself. Update the process documents as needed and communicate the changes and why they’re being made. If required, update the scope of the pilot in the Pilot Plan Template.
    An example is shown on how to begin the process pilot and getting familiar with the work routine and resource management solution.

    Obtain feedback from the pilot group to improve your processes before a wider rollout

    3.1.3 Estimated Time: 30 minutes

    Pilot projects allow you to validate your assumptions and leverage lessons learned. During the planning of the pilot, you should have scheduled a retrospective meeting with the pilot team to formally assess strengths and weaknesses in the process you have drafted.

    • Schedule the retrospective shortly after the pilot is completed. Info-Tech recommends performing a Stop/Start/Continue meeting with pilot participants to obtain and capture feedback.
    • Have members of the meeting record any processes/activities on sticky notes that should:
      • Stop: because they are ineffective or not useful
      • Start: because they would be useful for the tool and have not been incorporated into current processes
      • Continue: because they are useful and positively contribute to intended process outcomes.

    An example of how to structure a Stop/Start/Continue activity on a whiteboard using sticky notes.

    An example of stop, start, and continue is activity is shown.

    INPUT

    • What’s working and what isn’t in the process

    OUTPUT

    • Ideas to improve process

    Materials

    • Whiteboard
    • Sticky notes
    • Process Pilot Plan Template

    Participants

    • Process owner (PMO director or portfolio owner)
    • Pilot team

    See the following slide for additional instructions.

    Document lessons learned and create an action plan for any changes to the processes

    3.1.4 Estimated Time: 30 minutes

    An example of stop, start, and continue is activity is shown.

    As a group, discuss everyone’s responses and organize according to top priority (mark with a 1) and lower priority/next steps (mark with a 2). At this point, you can also remove any sticky notes that are repetitive or no longer relevant.

    Once you have organized based on priority, be sure to come to a consensus with the group regarding which actions to take. For example, if the group agrees that they should “stop holding meetings weekly,” come to a consensus regarding how often meetings will be held, i.e. monthly.

    Priority Action Required Who is Responsible Implementation Date
    Stop: Holding meetings weekly Hold meetings monthly Jane Doe, PMO Next Meeting: August 1, 2017
    Start: Discussing backlog during meetings Ensure that backlog data is up to date for discussion on date of next meeting. John Doe, Portfolio Manager August 1, 2017

    Create an action plan for the top priority items that require changes (the Stops and Starts). Record in this slide, or your preferred medium. Be sure to include who is responsible for the action and the date that it will be implemented.

    Document the outcomes of the start/stop/continue and your action plan in Section 6 of Info-Tech’s Process Pilot Plan Template.

    Use Info-Tech’s Backlog Manager Job Description Template to help fill any staffing needs around data maintenance

    3.1 Project Backlog Manager Job Description

    You will need to determine responsibilities and accountabilities for portfolio management functions within your team.

    If you do not have a clearly identifiable portfolio manager at this time, you will need to clarify who will wear which hats in terms of facilitating intake and prioritization, high-level capacity awareness, and portfolio reporting.

    • Use Info-Tech’s Project Backlog Manager job description template to help clarify some of the required responsibilities to support your intake, approval, and prioritization strategy.
      • If you need to bring in an additional staff member to help support the strategy, you can customize the job description template to help advertise the position. Simply edit the text in grey within the template.
    • If you have other PPM tasks that you need to define responsibilities for, you can use the RASCI chart on the final tab of the PPM Strategy Development Tool.

    Download Info-Tech’s Project Backlog Manager job description template.

    A screenshot of Info-Tech's Project Backlog Manager template is shown.

    Finalize the Intake, Approval, and Prioritization SOP and prepare to communicate your processes

    Once you’ve completed the pilot process and made the necessary tweaks, you should finalize your Intake, Approval, and Prioritization SOP and prepare to communicate it.

    Update section 1.2, “Overall Process Workflow” in Info-Tech’s Project Intake, Approval, and Prioritization SOP Template with the new process flow.

    Revisit your SOP from Phase 2 and ensure it has been updated to reflect the process changes that were identified in activity 3.1.4.

    • If during the pilot process the data was too difficult or time consuming to maintain, revisit the dimensions you have chosen and choose dimensions that are easier to accurately maintain. Tweak your process steps in the SOP accordingly.
    • In the long term, if you are not observing any progress toward achieving your success criteria, revisit the impact analysis that we’ll prepare in step 3.2 and address some of these inhibitors to organizational change.

    Download Info-Tech’s Project Intake, Approval, and Prioritization SOP template.

    A screenshot of Info-Tech's Project Intake, Approval, and Prioritization SOP template.

    Info-Tech Best Practice

    Make your SOP high impact. SOPs are often at risk of being left unmaintained and languishing in disuse. Improve the SOP’s succinctness and usability by making it visual; consult Info-Tech’s blueprint, Create Visual SOP Documents that Drive Process Optimization, Not Just Peace of Mind.

    Step 3.2: Analyze the impact of organizational change through the eyes of PPM stakeholders to gain their buy-in

    PHASE 1 PHASE 2 PHASE 3

    1.1

    Define project valuation criteria

    1.2

    Envision process target state

    2.1

    Streamline intake

    2.2

    Right-size approval steps

    2.3

    Prioritize projects to fit resource capacity

    3.1

    Pilot your optimized process

    3.2

    Communicate organizational change

    This step will walk you through the following activities:

    • Analyze the stakeholder impact and responses to impending organizational change
    • Create message canvases for at-risk change impacts and stakeholders
    • Set the course of action for communicating changes to your stakeholders

    This step involves the following participants:

    • PMO Director / Portfolio Manager
    • Project Managers
    • Business Analysts

    Outcomes of this step

    • A thorough organizational change impact analysis, based on Info-Tech’s expertise in organizational change management
    • Message canvases and communication plan for your stakeholders
    • Go-live for the new intake, approval, and prioritization process

    Manage key PPM stakeholders and communicate changes

    • Business units: Projects are undertaken to provide value to the business. Senior management from business units must help define how project will be valued.
    • IT: IT must ensure that technical/practical considerations are taken into account when determining project value.
    • Finance: The CFO or designated representative will ensure that estimated project costs and benefits can be used to manage the budget.
    • PMO: PMO is the administrator of the project portfolio. PMO must provide coordination and support to ensure the process operates smoothly and its goals are realized.
    • Business analysts: BAs carry out the evaluation of project value. Therefore, their understanding of the evaluation criteria and the process as a whole are critical to the success of the process.
    • Project sponsors: Project sponsors are accountable for the realization of benefits for which projects are undertaken.

    Impacts will be felt differently by different stakeholders and stakeholder groups

    As you assess change impacts, keep in mind that no impact will be felt the same across the organization. Depth of impact can vary depending on the frequency (will the impact be felt daily, weekly, monthly?), the actions necessitated by it (e.g. will it change the way the job is done or is it simply a minor process tweak?), and the anticipated response of the stakeholder (support, resistance, indifference?).

    Use the Organizational Change Depth Scale below to help visualize various depths of impact. The deeper the impact, the tougher the job of managing change will be.

    Procedural Behavioral Interpersonal Vocational Cultural
    Procedural change involves changes to explicit procedures, rules, policies, processes, etc. Behavioral change is similar to procedural change, but goes deeper to involve the changing tacit or unconscious habits. Interpersonal change goes beyond behavioral change to involve changing relationships, teams, locations, reporting structures, and other social interactions. Vocational change requires acquiring new knowledge and skills, and accepting the loss or decline in the value or relevance of previously acquired knowledge and skills. Cultural change goes beyond interpersonal and vocational change to involve changing personal values, social norms, and assumptions about the meaning of good vs. bad or right vs. wrong.
    Example: providing sales reps with mobile access to the CRM application to let them update records from the field. Example: requiring sales reps to use tablets equipped with a custom mobile application for placing orders from the field. Example: migrating sales reps to work 100% remotely. Example: migrating technical support staff to field service and sales support roles. Example: changing the operating model to a more service-based value proposition or focus.

    Perform a change impact analysis to maximize the chances of adoption for the new intake process

    Invest time and effort to analyze the impact of change to create an actionable stakeholder communication plan that yields the desirable result: adoption.

    Info-Tech’s Drive Organizational Change from the PMO blueprint offers the OCM Impact Analysis Tool to helps document the change impact across multiple dimensions, enabling the project team to review the analysis with others to ensure that the most important impacts are captured.

    This tool has been customized for optimizing project intake, approval, and prioritization process to deliver the same result in a more streamlined way. The next several slides will take you through the activities to ultimately create an OCM message canvas and a communication plan for your key stakeholders.

    Download Info-Tech’s Intake and Prioritization Impact Analysis Tool.

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool is shown.

    "As a general principle, project teams should always treat every stakeholder initially as a recipient of change. Every stakeholder management plan should have, as an end goal, to change recipients’ habits or behaviors."

    -PMI, 2015

    Set up the Intake Process and Prioritization Impact Analysis Tool

    3.2.1 Intake and Prioritization Impact Analysis Tool, Tab 2-3

    In Tab 2, enter your stakeholders’ names. Represent stakeholders as a group if you expect the impact of change on them to be reasonably uniform, as well as their anticipated responses. Otherwise, consider adding them as individuals or subgroups.

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 2 is shown.

    In Tab 3, enter whether you agree or disagree with each statement that represents an element of organizational change that be introduced as the newly optimized intake process is implemented.

    As a result of the change initiative in question:

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 3 is shown.

    Analyze the impact and the anticipated stakeholder responses of each change

    3.2.1 Intake and Prioritization Impact Analysis Tool, Tab 4: Impact Analysis Inputs

    Each change statement that you agreed with in Tab 3 are listed here in Tab 4 of the Intake and Prioritization Impact Analysis Tool. For each stakeholder, estimate and enter the following data:

    1. Frequency of the Impact: how often will the impact of the change be felt?
    2. Effort Associated with Impact: what is the demand on a stakeholder’s effort to implement the change?
    3. Anticipated Response: rate from enthusiastic response to active subversion. Honest and realistic estimates of anticipated responses are critical to the rest of the impact analysis.
    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 4 is shown.

    Analyze the stakeholder impact and responses to impending organizational change as a group

    3.2.1 Estimated Time: 60-90 minutes

    Divide and conquer. Leverage the group to get through the seemingly daunting amount of work involved with impact analysis.

    1. Divide the activity participants into subgroups and assign a section of the impact analysis. It may be helpful to do one section together as a group to make sure everyone is roughly on the same page for assessing impact.
    2. Suggested ways to divide up the impact analysis include:

    • By change impact. This would be suitable when the process owners (or would-be process owners) are available and participating.
    • By stakeholders. This would be suitable for large organizations where the activity participants know some stakeholders better than others.

    Tip: use a spreadsheet tool that supports multi-user editing (e.g. Google Sheets, Excel Online).

  • Aggregate the completed work and benchmark one another’s analysis by reviewing them with the entire group.
  • INPUT

    • Organizational and stakeholder knowledge
    • Optimized intake process

    OUTPUT

    • Estimates of stakeholder-specific impact and response

    Materials

    • Intake and Prioritization Impact Analysis Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Info-Tech Insight

    Beware of bias. Groups are just as susceptible to producing overly optimistic or pessimistic analysis as individuals, just in different ways. Unrealistic change impact analysis will compromise your chances of arriving at a reasonable, tactful stakeholder communication plan.

    Examine your impact analysis report

    3.2.2 Intake and Prioritization Impact Analysis Tool, Tab 5: Impact Analysis Outputs

    These outputs are based on the impacts you analyzed in Tab 4 of the tool (Activity 3.2.1). They are organized in seven sections:

    1. Top Five Highest Risk Impacts, based on the frequency and effort inputs across all impacts.
    2. Overall Process Adoption Rating (top right), showing the overall difficulty of this change given likelihood/risk that the stakeholders involved will absorb the anticipated change impacts.
    3. Top Five Most Impacted Stakeholders, based on the frequency and effort inputs across all impacts.
    4. Top Five Process Supporters and;
    5. Top Five Process Resistors, based on the anticipated response inputs across all impacts.
    6. Impact Register (bottom right): this list breaks down each change’s likelihood of adoption.
    7. Potential Impacts to Watch Out For: this list compiles all of the "Don't Know" responses from Tab 3.
    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 5 is shown. It shows Section 2. Overall process adoption rating. A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 5 is shown. It shows Section 6. Impact Register.

    Tailor messages for at-risk change impacts and stakeholders with Info-Tech’s Message Canvas

    3.2.2 Intake and Prioritization Impact Analysis Tool, Tab 6: Message Canvas

    Use Info-Tech’s Message Canvas on this tab to help rationalize and elaborate the change vision for each group.

    Elements of a Message Canvas

    • Why is there a need for this process change?
    • What will be new for this audience?
    • What will go away for this audience?
    • What will be meaningfully unchanged for this audience?
    • How will this change benefit this audience?
    • When and how will the benefits be realized for this audience?
    • What does this audience have to do for this change to succeed?
    • What does this audience have to stop doing for this change to succeed?
    • What should this audience continue doing?
    • What support will this audience receive to help manage the transition?
    • What should this audience expect to do/happen next?

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 6 is shown.

    Info-Tech Insight

    Change thy language, change thyself.

    Jargon, acronyms, and technical terms represent deeply entrenched cultural habits and assumptions.

    Continuing to use jargon or acronyms after a transition tends to drag people back to old ways of thinking and working.

    You don’t need to invent a new batch of buzzwords for every change (nor should you), but every change is an opportunity to listen for words and phrases that have lost their meaning through overuse and abuse.

    Create message canvases for at-risk change impacts and stakeholders as a group

    3.2.2 Estimated Time: 90-120 minutes

    1. Decide on the number of message canvases to complete. This will be based on the number of at-risk change impacts and stakeholders.
    2. Divide the activity participants into subgroups and assign a section of the message canvas. It may be helpful to do one section together as a group to make sure everyone is roughly on the same page for assessing impact.
    3. Aggregate the completed work and benchmark the message canvases amongst subgroups.

    Remember these guidelines to help your messages resonate:

    • People are busy and easily distracted. Tell people what they really need to know first, before you lose their attention.
    • Repetition is good. Remember the Aristotelian triptych: “Tell them what you’re going to tell them, then tell them, then tell them what you told them.”
    • Don’t use technical terms, jargon, or acronyms. Different groups in organizations tend to develop specialized vocabularies. Everybody grows so accustomed to using acronyms and jargon every day that it becomes difficult to notice how strange it sounds to outsiders. This is especially important when IT communicates with non-technical audiences. Don’t alienate your audience by talking at them in a strange language.
    • Test your message. Run focus groups or deliver communications to a test audience (which could be as simple as asking 2–3 people to read a draft) before delivering messages more broadly.

    – Info-Tech Blueprint, Drive Organizational Change from the PMO

    INPUT

    • Impact Analysis Outputs
    • Organizational and stakeholder knowledge

    OUTPUT

    • Estimates of stakeholder-specific impact and response

    Materials

    • Intake and Prioritization Impact Analysis Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Distill the message canvases into a comprehensive communication plan

    3.2.3 Intake and Prioritization Impact Analysis Tool, Tab 7: Communication Plan

    The communication plan creates an action plan around the message canvases to coordinate the responsibilities of delivering them, so the risks of “dropping the ball” on your stakeholders are minimized.

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 7: Communication is shown.

    1. Choose a change impact from a drop-down menu.

    2. Choose an intended audience...

    … and the message canvas to reference.

    3. Choose the method of delivery. It will influence how to craft the message for the stakeholder.

    4. Indicate who is responsible for creating and communicating the message.

    A screenshot of Info-Tech's Intake and Prioritization Impact Analysis Tool, Tab 7: Communication is shown.

    5. Briefly indicate goal of the communication and the likelihood of success.

    6. Record the dates to plan and track the communications that take place.

    Set the course of action for communicating changes to your stakeholders

    3.2.2 Estimated Time: 90-120 minutes

    1. Divide the activity participants into subgroups and assign communication topics to each group. There should be one communication topic for each change impact. Based on the message canvas, create a communication plan draft.
    2. Aggregate the completed work and benchmark the communication topic amongst subgroups.
    3. Share the finished communication plan with the rest of the working group. Do not share this file widely, but keep it private within the group.

    Identify critical points in the change curve:

    1. Honeymoon of “Uninformed Optimism”: There is usually tentative support and even enthusiasm for change before people have really felt or understood what it involves.
    2. Backlash of “Informed Pessimism” (leading to “Valley of Despair”): As change approaches or begins, people realize they’ve overestimated the benefits (or the speed at which benefits will be achieved) and underestimated the difficulty of change.
    3. Valley of Despair and beginning of “Hopeful Realism”: Eventually, sentiment bottoms out and people begin to accept the difficulty (or inevitability) of change.
    4. Bounce of “Informed Optimism”: People become more optimistic and supportive when they begin to see bright spots and early successes.
    5. Contentment of “Completion”: Change has been successfully adopted and benefits are being realized.

    Based on Don Kelley and Daryl Conner’s Emotional Cycle of Change.

    INPUT

    • Change impact analysis results
    • Message canvases
    • List of stakeholders

    OUTPUT

    • Communication Plan

    Materials

    • Intake and Prioritization Impact Analysis Tool

    Participants

    • PMO Director/ Portfolio Manager
    • Project Managers
    • Business Analysts

    Roll out the optimized intake, approval, and prioritization process, and continually monitor adoption and success

    As you implement your new project intake process, familiarize yourself with common barriers and challenges.

    There will be challenges to watch for in evaluating the effectiveness of your intake processes. These may include circumvention of process by key stakeholders, re-emergence of off-the-grid projects and low-value initiatives.

    As a quick and easy way to periodically assess your processes, consider the following questions:

    • Are you confident that all work in progress is being tracked via the project list?
    • Are your resources all currently working on high-value initiatives?
    • Since optimizing, have you been able to deliver (or are you on target to deliver) all that has been approved, with no initiatives in states of suspended animation for long periods of time?
    • Thanks to sufficient portfolio visibility and transparency into your capacity, have you been able to successfully decline requests that did not add value or that did not align with resourcing?

    If you answer “no” to any of these questions after a sufficient post-implementation period (approximately six to nine months, depending on the scope of your optimizing), you may need to tweak certain aspects of your processes or seek to align your optimization with a lower capability level in the short term.

    Small IT department struggles to optimize intake and to communicate new processes to stakeholders

    CASE STUDY

    Industry: Government

    Source: Info-Tech Client

    Challenge

    There is an IT department for a large municipal government. Possessing a relatively low level of PPM maturity, IT is in the process of establishing more formal intake practices in order to better track, and respond to, project requests. New processes include a minimalist request form (sent via email) coupled with more thorough follow-up from BAs and PMs to determine business value, ROI, and timeframes.

    Solution

    Even with new user-friendly processes in place, IT struggles to get stakeholders to adopt, especially with smaller initiatives. These smaller requests frequently continue to come in outside of the formal process and, because of this, are often executed outside of portfolio oversight. Without good, reliable data around where staff time is spent, IT lacks the authority to decline new requests.

    Results

    IT is seeking further optimization through better communication. They are enforcing discipline on stakeholders and reiterating that all initiatives, regardless of size, need to be directed through the process. IT is also training its staff to be more critical. “Don’t just start working on an initiative because a stakeholder asks.” With staff being more critical and directing requests through the proper queues, IT is getting better at tracking and prioritizing requests.

    "The biggest challenge when implementing the intake process was change management. We needed to shift our focus from responding to requests to strategically thinking about how requests should be managed. The intake process allows the IT Department to be transparent to customers and enables decision makers."

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    A picture of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.1

    A screenshot of activity 3.1.1 is shown

    Select receptive stakeholders to work with during your pilot

    Identify the right team of supportive PPM stakeholders to carry out the process pilot. Strategies to recruit the right people outside the workshop will be discussed if appropriate.

    3.2.1

    A screenshot of activity 3.2.1 is shown.

    Analyze the stakeholder impact and responses to impending organizational change

    Carry out a thorough analysis of change impact in order to maximize the effectiveness of the communication strategy in support of the implementation of the optimized process.

    Insight breakdown

    Insight 1

    • The overarching goal of optimizing project intake, approval, and prioritization process is to maximize the throughput of the best projects. To achieve this goal, one must have a clear way to determine what are “the best” projects.

    Insight 2

    • Info-Tech’s methodology systemically fits the project portfolio into its triple constraint of stakeholder needs, strategic objectives, and resource capacity to effectively address the challenges of establishing organizational discipline for project intake.

    Insight 3

    • Engagement paves the way for smoother adoption. An “engagement” approach (rather than simply “communication”) turns stakeholders into advocates who can help boost your message, sustain the change, and realize benefits without constant intervention or process command-and-control.

    Summary of accomplishment

    Knowledge Gained

    • Triple constraint model of project portfolio: stakeholder needs, strategic objectives, and resource capacity
    • Benefits of optimizing project intake, approval, and prioritization for managing a well-behaved project portfolio
    • Challenges of installing well-run project intake
    • Importance of piloting the process and communicating impacts to stakeholders

    Processes Optimized

    • Project valuation process: scorecard, weights
    • Project intake process: reception, triaging, follow-up
    • Project approval process: steps, accountabilities, deliverables
    • Project prioritization process: estimation of resource capacity for projects, project demand
    • Communication for organizational change

    Deliverables Completed

    • Optimized Project Intake, Approval, and Prioritization Process
    • Documentation of the optimized process in the form of a Standard Operating Procedure
    • Project valuation criteria, developed with Project Value Scorecard Development Tool and implemented through the Project Intake and Prioritization Tool
    • Standardized project request form with right-sized procedural friction
    • Standard for project level classification, implemented through the Project Intake Classification Matrix
    • Toolbox of deliverables for capturing information developed to inform decision makers for approval: Benefits Commitment Form, Technology Assessment Tool, Business Case Templates
    • Process pilot plan
    • Communication plan for organizational change, driven by a thorough analysis of change impacts on key stakeholders using the Intake and Prioritization Impact Analysis Tool

    Research contributors and experts

    Picture of Kiron D. Bondale

    Kiron D. Bondale, PMP, PMI - RMP

    Senior Project Portfolio & Change Management Professional

    A placeholder photo is shown here.

    Scot Ganshert, Portfolio Group Manager

    Larimer County, CO

    Picture of Garrett McDaniel

    Garrett McDaniel, Business Analyst II – Information Technology

    City of Boulder, CO

    A placeholder photo is shown here.

    Joanne Pandya, IT Project Manager

    New York Property Insurance Underwriters

    Picture of Jim Tom.

    Jim Tom, CIO

    Public Health Ontario

    Related Info-Tech research

    A screenshot of Info-Tech's Develop a Project Portfolio Management Strategy blueprint

    Develop a Project Portfolio Management Strategy blueprint"

    A screenshot of Info-Tech's Grow Your Own PPM Solution blueprint is shown.

    Grow Your Own PPM Solution

    A screenshot of Info-Tech's Balance Supply and Demand with Realistic Resource Management Practices blueprint is shown.

    Balance Supply and Demand with Realistic Resource Management Practices

    A screenshot of Info-Tech's Maintain an Organized Portfolio blueprint is shown.

    Maintain an Organized Portfolio

    A screenshot of Info-Tech's Manage a Minimum Viable PMO blueprint is shown.

    Manage a Minimum Viable PMO

    A screenshot of Info-Tech's Establish the Benefits Realization Process blueprint is shown.

    Establish the Benefits Realization Process

    A screenshot of Info-Tech's Manage an Agile Portfolio blueprint is shown.

    Manage an Agile Portfolio

    A screenshot of Info-Tech's Tailor Project Management Processes to Fit Your Projects blueprint is shown.

    Tailor Project Management Processes to Fit Your Projects

    A screenshot of Info-Tech's Project Portfolio Management Diagnostic Program blueprint is shown.

    Project Portfolio Management Diagnostic Program

    The Project Portfolio Management Diagnostic Program is a low-effort, high-impact program designed to help project owners assess and improve their PPM practices. Gather and report on all aspects of your PPM environment to understand where you stand and how you can improve.

    Bibliography

    Boston Consulting Group. “Executive Sponsor Engagement: Top Driver of Project and Program Success.” PMI, 2014. Web.

    Boston Consulting Group. “Winning Through Project Portfolio Management: the Practitioners’ Perspective.” PMI, 2015. Web.

    Bradberry, Travis. “Why The 8-Hour workday Doesn’t Work.” Forbes, 7 Jun 2016. Web.

    Cook, Scott. Playbook: Best Practices. Business Week

    Cooper, Robert, G. “Effective Gating: Make product innovation more productive by using gates with teeth.” Stage-Gate International and Product Development Institute. March/April 2009. Web.

    Epstein, Dan. “Project Initiation Process: Part Two.” PM World Journal. Vol. IV, Issue III. March 2015. Web.

    Evans, Lisa. “The Exact Amount of Time You Should Work Every Day.” Fast Company, 15 Sep. 2014. Web.

    Madison, Daniel. “The Five Implementation Options to Manage the Risk in a New Process.” BPMInstitute.org. n.d. Web.

    Merkhofer, Lee. “Improve the Prioritization Process.” Priority Systems, n.d. Web.

    Miller, David, and Mike Oliver. “Engaging Stakeholder for Project Success.” PMI, 2015. Web.

    Mind Tools. “Kelley and Conner’s Emotional Cycle of Change.” Mind Tools, n.d. Web.

    Mochal, Jeffrey and Thomas Mochal. Lessons in Project Management. Appress: September 2011. Page 6.

    Newcomer, Eric. “Getting Decisions to Stick.” Standish Group PM2go, 20 Oct 2017. Web.

    “PMI Today.” Newtown Square, PA: PMI, Oct 2017. Web.

    Project Management Institute. “Standard for Portfolio Management, 3rd ed.” Newtown Square, PA: PMI, 2013.

    Project Management Institute. “Pulse of the Profession 2017: Success Rates Rise.” PMI, 2017. Web.

    Transparent Choice. “Criteria for Project Prioritization.” n.p., n.d. Web.

    University of New Hampshire (UNH) Project Management Office. “University of New Hampshire IT Intake and Selection Process Map.” UNH, n.d. Web.

    Ward, John. “Delivering Value from Information Systems and Technology Investments: Learning from Success.” Information Systems Research Centre. August 2006. Web.

    Demystify the New PMBOK Guide and PMI Certifications

    • Buy Link or Shortcode: {j2store}446|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • There is lots of confusion with the latest edition of A Guide to The Project Management Body of Knowledge (PMBOK Guide).
    • The Project Management Professional (PMP) certification is not satisfying the needs of PMOs.
    • There is still a divide on whether the focus should be on the PMP or an Agile-related certification.
    • The PMP certification has lost its sizzle while other emerging certifications have started to penetrate the market. It’s hard to distinguish which certifications still hold weight.

    Our Advice

    Critical Insight

    • The PMP certification is still valuable and worth your time in 2023.
    • There are still over a million active PMP-certified individuals worldwide.
    • PMP can make you more money.

    Impact and Result

    • Study the market trends for certification options as they emerge and evolve.
    • Go with longstanding, reputable certifications, but be ready to pivot if they are not adding value.
    • Look at the job market as an indicator of certification demands.
    • There are a lot of certification options out there, and every day there seems to be a new one that pops up. Wait and see how the market reacts before investing your time and money in a new certification.

    Demystify the New PMBOK Guide and PMI Certifications Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Demystify the New PMBOK and PMI Certifications Storyboard – A guide to validate if the PMP is still valuable. It will also provide clarity related to the updated PMBOK 7th edition.

    This publication will validate if the PMP certification is still valuable and worth your time. In addition, you will gain different perspectives related to other PMI and non-PMI certifications. You will gain a better understanding of the evolution of the PMBOK Guide, and the significant changes made from PMBOK 6th edition to the 7th edition.

    • Demystify the New PMBOK and PMI Certifications Storyboard
    [infographic]

    Further reading

    Demystify the New PMBOK Guide and the PMI Certifications

    The PMP certification is still valuable and worth your time in 2023.

    Analyst Perspective

    The PMP (Project Management Professional) certification is still worth your time.

    Long Dam

    I often get asked, “Is the PMP worth it?” I then proceed with a question of my own: “If it gets you an interview or a foot in the door or bolsters your salary, would it be worth it?” Typically, the answer is a resounding “YES!”

    CIO magazine ranked the PMP as the top project management certification in North America because it demonstrates that you have the specific skills employers seek, dedication to excellence, and the capacity to perform at the highest levels.

    Given its popularity and the demand in the marketplace, I strongly believe it is still worth your time and investment. The PMP is a globally recognized certification that has dominated for decades. It is hard to overlook the fact that the Project Management Institute (PMI) has more than 1.2 million PMP certification holders worldwide and is still considered the gold standard for project management.

    Yes, it’s worth it. It gets you interviews, a foot in the door, and bolsters your salary. Oh, and it makes you a more complete project manager.

    Long Dam, PMP, PMI-ACP, PgMP, PfMP

    Principal Research Director, Project Portfolio Management Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • There is lots of confusion with the latest A Guide to The Project Management Body of Knowledge (aka PMBOK Guide).
    • The Project Management Professional (PMP) certification is not satisfying the needs of PMOs.
    • There is still a divide on whether the focus should be on the PMP or an Agile-related certification.

    The PMP certification has lost its sizzle while other emerging certifications have started to penetrate the market. It’s hard to distinguish which certification still holds weight.

    Common Obstacles

    • Poor understanding and lack of awareness of other PMI certifications outside of the PMP.
    • There are too many competing certifications out there, and it’s hard to decipher which ones to choose.
    • PMI certifications typically take a lot of effort to obtain and maintain.

    There are other, less intensive certifications available. It’s unclear what will be popular in the future.

    Info-Tech's Approach

    • Study the market trends for certification options as they emerge and evolve.
    • Go with longstanding reputable certifications, but be ready to pivot if they are not adding value.
    • Look at the job market as an indicator for certification demands.

    There are a lot of certification options out there, and every day there seems to be a new one that pops up. Wait and see how the market reacts before investing your time and money in a new certification.

    Info-Tech Insight

    The PMP certification is still valuable and worthy of your time in 2023.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guide Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or knowledge to take this project on. We need assistance through the entirety of the this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    The PMP dominated the market for decades and got over 1 million people certified

    Total active project management professional holders from December 2021 versus July 2022

    Info-Tech Insight

    The PMI’s flagship PMP certification numbers have not significantly increased from 2021 to 2022. However, PMP substantially outpaces all competitors with over 1.2 million certified PMPs.

    Source: projectmanagement.com

    The PMP penetrated over 200 countries

    PMP is the global project management gold standard.

    • CIO magazine ranked the PMP as the top project management certification because it demonstrates you have the specific skills employers seek, dedication to excellence, and the capacity to perform at the highest levels.
    • It delivers real value in the form of professional credibility, deep knowledge, and increased earning potential. Those benefits have staying power.
    • The PMP now includes predictive, Agile, and hybrid approaches.
    • The PMP demonstrates expertise across the wide array of planning and work management styles.

    Source: PMI, “PMP Certification.” PMI, “Why You Should Get the PMP.”

    The PMP was valuable in the past specifically because it was the standard

    79% of project managers surveyed have the PMP certification out of 30,000 respondents in 40 countries.

    The PMP became table stakes for jobs in project management and PMO’s.

    Work desk with project management written in middle. Arrows point to: Goals, planning, risks, control, teamwork, cost, communication, and problem solving.

    Source: PMI’s Earning Power: Project Management Salary Survey—Twelfth Edition (2021)

    The PMP put itself on a collision course with Agile

    • The Agile Certified Practitioner (PMI-ACP) was introduced in 2012 which initially clashed with the PMP for project management supremacy from the PMI.
    • Then the Disciplined Agile (DA) was introduced in 2019, which further compounded the issue and caused even more confusion with both the PMP and the PMI-ACP certification.
    • Instead of complementing the PMP, these certifications began to inadvertently compete with it head-to-head.

    There is a new PMBOK Guide Seventh Edition in town

    The PMI made its most significant changes between 2017 and 2021.

    Chart showing editions of the PMBOK guide from 1996 to 2021.

    Timeline adapted from Wikipedia, “Project Management Body of Knowledge.”

    Roughly every 3-5 years, the PMI has released a new PMBOK version. It’s unclear if there will be an eighth edition.

    The market got confused by PMBOK Guide – Seventh Edition

    PMBOK guide version 5 considered the gold standard, version 6 first included Agile and version 7 was the most radical change.

    • Die-hard traditional project managers have a hard time grasping why the PMI messed around with the PMBOK Guide. There is sentiment that the PMBOK Guide V7 got diluted.
    • Naysayers do not think that the PMBOK Guide V7 hit the mark and found it to be a concession to Agilists.
    • The PMBOK Guide V7 was significantly trimmed down by almost two-thirds to 274 pages whereas the PMBOK V6 ballooned to 756 pages!
    • Some Agile practitioners found this to be a refreshing, bold move from the PMI. Most, however, ignored or resisted it.
    PMBOK Guide: A guide to the Project Management Body of Knowledge Seventh Edition.  AND The Standard for Project Management.

    PMBOK Guide – Seventh edition released in 2021

    • The PMBOK Guide – Seventh Edition was released in late 2021. It was the most radical change since 1987. For the first time, the PMI went from a process-based standard to a principles-based standard, and the guide went from knowledge areas to project performance domains. This may have diluted the traditional predictive project management practices. However, it was offset by incorporating more iterative, Agile, and hybrid approaches.
    • The market is confused and is clearly shifting toward Agile and away from the rigor that is typically associated with the PMI.
    • The PMI transitioned most of the process-based standards & ITTO to their new digital PMIStandards+ online platform, which can be found here (access for PMI members only).
    • The PMBOK Guide is not the sole basis of the certification exam; however, it can be used as one of several reference resources. Using the exam content outline (ECO) is the way forward, which can be found here.

    The Agile certification seems to be the focus for the PMI in the coming years

    • The PMI started to get into the Agile game with the introduction of Agile certifications, which is where all the confusion started. Although the PMI-ACP & the DASM have seen a steady uptake recently, it appears to be at the expense of the PMP certification.
    • The PMI acquired the Discipline Agile (DA) in late 2019, which expanded their offerings and capabilities for project managers and teams to choose their “way of working.”
    • This was an important milestone for the PMI to address the new way of working for Agile practitioners with this offering to provide more options and to better support enterprise agility.
    PMI-ACP & the DASM have seen a steady uptake recently.

    Source: projectmanagement.com as of July 2022

    The PMI has lost more certified PMPs than they have gained so far in 2022

    The PMI has lost more certified PMPs than they have gained so far in 2022.

    PMP

    PMP – Project Management Professional

    It is a concerning trend that their bread and butter, the PMP flagship certification, has largely stalled in 2022. We are unsure if this was attributed to them being displaced by competitors such as the Agile Alliance, their own Agile offerings, or the market’s lackluster reaction to PMBOK Guide – Seventh Edition.

    Source: projectmanagement.com as of July 2022

    The PMI’s total memberships have stalled since September 2021

    The PMIs total memberships have stalled since September 2021.

    PMI: Project Management Insitute

    The PMI’s membership appears to have a direct correlation to the PMP numbers. As the PMP number stalls, so do the PMI’s memberships.

    Source: projectmanagement.com as of July 2022

    The PMP and the PMBOK Guide are more focused on project management

    The knowledge and skills were not all that helpful for running programs, portfolios, and PMOs.
    • It became evident that other certifications were more tightly aligned to program and portfolio management for the PMOs. The PMI provides the following:
      • Program Management Professional (PgMP)
      • Portfolio Management Professional (PfMP)
    • Axelos also has certifications for program management and portfolio management, such as:
      • Managing Successful Programmes (MSP)
      • Management of Portfolios (MoP)
      • Portfolio, Programme, and Project Offices (P3O)

    The market didn’t know what to do with the PgMP or the PfMP

    These were relatively unknown certifications for Program and Portfolio Management.

    • The PMI’s story was that you would start as a project manager with the PMP certification and then the natural progression would be toward either Program Management (PgMP) or Portfolio Management (PfMP).
    • The uptake for the PgMP and the PfMP certification has been insignificant and underwhelming. The appetite and the demand for PMO-aligned certifications has been lackluster since their inception.
    PgMP - Program Management Professional and PfMP - Portfolio Management Professioanal Certifications are relatively unkown. PgMP only has 3780 members since 2007, and PfMP has 1266 since 2014.

    Source: projectmanagement.com as of July 2022

    There are other non-PMI certifications to consider

    Depending on your experience level

    List of non-PMI certifications based on specialization. List of non-PMI certifications based on years of experience.  Divided into 3 categories: 0-3 years, 3+ years, and 8+ years of experience.

    Other non-PMI project management certifications

    Non-PMI project management certifications

    PRINCE2 and CSM appear to be the more popular ones in the market.

    In April 2022, CIO.com outlined other popular project management certifications outside of the PMI.

    Source: CIO.com

    Project managers have an image problem among senior leaders

    There is a perception that PMs are just box-checkers and note-takers.

    • Project managers are seen as tactical troubleshooters rather than strategic partners. This suggests a widespread lack of understanding of the value and impact of project management at the C-suite level.
    • Very few C-suite executives associate project managers with "realizing visions," being "essential," or being "changemakers."
    • Strong strategic alignment between the PMO and the C-suite helps to reinforce the value of project management capabilities in achieving wider strategic aims.

    Source: PMI, Narrowing The Talent Gap, 2021

    Hiring practices have yet to change in response to the PMI’s moves

    The PMP is still the standard, even for organizations transitioning to Agile and PMO/portfolio jobs.

    • Savvy business leaders are still unsure about how Agile will impact them in the long term.
    • According to the Narrowing the Talent Gap report, PMI and PwC’s latest global research indicates that talent strategies haven’t changed much. There’s a widespread lack of focus on developing and retaining existing project managers, and a lack of variety and innovation in attracting and recruiting new talent. The core problem is that there isn’t a business case for investment in talent.

    Noteworthy Agile certifications to consider

    AGILE Certified Practioner(PMI-ACP) and Certified ScrumMaster(CSM) certification details.

    Source: PMI, “Agile Certifications,” and ScrumAlliance, “Become a Certified ScrumMaster.”

    Info-Tech Insight

    There is a lot of chatter about which Agile certification is better, and the jury is still out with no consensus. There are pros and cons to both certifications. We believe the PMI-ACP will give you more mileage and flexibility because of its breath of coverage in the Agile practice compared to the CSM.

    The talent shortage is a considerable risk to organizations

    • According to the PMI’s 2021 Talent Gap report1, the talent gap is likely to impact every region. By 2030, at least 13 million project managers are expected to have retired, creating additional challenges for recruitment. To close the gap, 25 million new project professionals are needed by 2030.
    • Young project managers will change the profession. Millennials and Generation Z are bringing fresh perspectives to projects. Learning to work alongside these younger generations isn't optional, as they increasingly dominate the labor force and extend their influence.
    • Millennials have already arrived: According to Pew Research2, this group surpassed Gen X in 2016 and is now the largest generation in the US labor force.

    1. PMI, Talent Gap, 2021.
    2. PM Network, 2019.

    Money talks – the PMP is still your best payoff

    It is a financially rewarding profession!

    The median salary for PMP holders in the US is 25% higher than those without PMP certification.

    On a global level, the Project Management Professional (PMP) certification has been shown to bolster salary levels. Holders of the PMP certification report higher median salaries than those without a PMP certification – 16% higher on average across the 40 countries surveyed.

    Source: PMI, Earning Power, 2021

    Determine which skills and capabilities are needed in the coming years

    • A scan of 2022 PM and PMO postings still shows continued dominance of the PMP certification requirement.
    • People and relationships have become more important than predicting budgets and timelines.
    • The PMI and PwC Global Survey on Transformation and Project Management 2021 identified the top five skills/capabilities for project managers (in order of priority):
      1. Relationship building
      2. Collaborative leadership
      3. Strategic thinking
      4. Creative problem solving
      5. Commercial awareness

    Source: PMI, Narrowing The Talent Gap, 2021.

    Prepare for product delivery by focusing on top digital-age skills

    According to the PMI Megatrends 2022 report, they have identified six areas as the top digital-age skills for product delivery:

    1. Innovative mindset
    2. Legal and regulatory compliance knowledge
    3. Security and privacy knowledge
    4. Data science skills
    5. Ability to make data-driven decisions
    6. Collaborative leadership skills

    Many organizations aren’t considering candidates who don’t have project-related qualifications. Indeed, many more are increasing the requirements for their qualifications than those who are reducing it.

    Source: PMI, Narrowing The Talent Gap, 2021

    Prioritize training and development at the C-suite level

    Currently, there is an imbalance with more emphasis of training on tools, processes, techniques, and methodologies rather than business acumen skills, collaboration, and management skills. With the explosion of remote work, training needs to be revamped and, in some cases, redesigned altogether to accommodate remote employees.

    Train of gears Labeled: Training. Gears from left to right are labeled: Knowledge, coaching, skills, developement, and experience.

    Lack of strategic prioritization is evident in how training and development is being done, with organizations largely not embracing a diversity of learning preferences and opportunities.

    Source: PMI, Narrowing The Talent Gap, 2021

    PM is evolving into a more strategic role

    • Ensure program and portfolio management roles are supported by the most appropriate certifications.
    • For project managers that have evolved beyond the iron triangle of managing projects, there is applicability to the PgMP and the PfMP for program managers, portfolio managers, and those in charge of PMOs.
    • Although these certifications have not been widely adopted due to lack of awareness and engagement at the decision-maker level, they still hold merit and prestige within the project management community.

    Project managers are evolving. No longer creatures of scope, schedule, and budget alone, they are now – enabled by new technology – focusing on influencing outcomes, building relationships, and achieving the strategic goals of their organizations.

    Source: PMI, Narrowing the Talent Gap, 2021

    Overhaul your recruitment practices to align with skills/capabilities

    World map with cartoon profile images, linked in a network.

    Talent managers will need to retool their toolbox to fill the capability gap and to look beyond where the role is geographically based by embracing flexible staffing models.

    They will need to evolve their talent strategies in line with changing business priorities.

    Organizations should be actively working to increase the diversity of candidates and upskilling young people in underrepresented communities as a priority.

    Most organizations are still relying on traditional approaches to recruit talent. Although we are prioritizing power skills and business acumen, we are still searching in the same, shrinking pool of talent.

    Source: PMI, Narrowing the Talent Gap, 2021.

    Bibliography

    “Agile Certifications for Every Step in Your Career.” PMI. Web.

    “Become a Certified ScrumMaster and Help Your Team Thrive.” ScrumAlliance. Web.

    “Become a Project Manager.” PMI. Accessed 14 Sept. 2022.

    Bucero, A. “The Next Evolution: Young Project Managers Will Change the Profession: Here's What Organizations Need to Know.” PM Network, 2019, 33(6), 26–27.

    “Certification Framework.” PMI. Accessed 14 Sept. 2022.

    “Certifications.” PMI. Accessed 14 Sept. 2022.

    DePrisco, Mike. Global Megatrends 2022. “Foreword.” PMI, 2022. Accessed 14 Sept. 2022.

    Earning Power: Project Management Salary Survey. 12th ed. PMI, 2021. Accessed 14 Sept. 2022.

    “Global Research From PMI and PwC Reveals Attributes and Strategies of the World’s Leading Project Management Offices.” PMI, 1 Mar. 2022. Press Release. Accessed 14 Sept. 2022.

    Narrowing the Talent Gap. PMI, 2021. Accessed 14 Sept. 2022.

    “PMP Certification.” PMI. Accessed 4 Aug. 2022.

    “Project Management Body of Knowledge.” Wikipedia, Wikimedia Foundation, 29 Aug. 2022.

    “Project Portfolio Management Pulse Survey 2021.” PwC. Accessed 30 Aug. 2022.

    Talent Gap: Ten-Year Employment Trends, Costs, and Global Implications. PMI. Accessed 14 Sept. 2022.

    “The Critical Path.” ProjectManagement.com. Accessed 14 Sept. 2022.

    “True Business Agility Starts Here.” PMI. Accessed 14 Sept. 2022.

    White, Sarah K. and Sharon Florentine. “Top 15 Project Management Certifications.” CIO.com, 22 Apr. 2022. Web.

    “Why You Should Get the PMP.” PMI. Accessed 14 Sept. 2022.

    Build a Platform-Based Organization

    • Buy Link or Shortcode: {j2store}98|cart{/j2store}
    • member rating overall impact (scale of 10): 8.0/10 Overall Impact
    • member rating average dollars saved: $3,420 Average $ Saved
    • member rating average days saved: 2 Average Days Saved
    • Parent Category Name: Innovation
    • Parent Category Link: /innovation
    • The organization is riddled with bureaucracy. Some even believe that bureaucracy is inevitable and is an outcome of a complex business operating in a complex market and regulatory environment.
    • Time to market for new products and services is excruciatingly long.
    • Digital natives like Facebook, Netflix, and Spotify do not compare well with the organization and cannot be looked to for inspiration.

    Our Advice

    Critical Insight

    • Large corporations often consist of a few operating units, each with its own idiosyncracies about strategies, culture, and capabilities. These tightly integrated operating units make a company prone to bureaucracy.
    • The antidote to this bureaucracy is a platform structure: small, autonomous teams operating as startups within the organization.

    Impact and Result

    • Platforms consist of related activities and associated technologies that deliver on a specific organizational goal. A platform can therefore be run as a business or as a service. This structure of small autonomous teams that are loosely joined will make your employees directly accountable to the customers. In a way, they become entrepreneurs and do not remain just employees.

    Build a Platform-Based Organization Research & Tools

    Build a platform-based organization

    Download our guide to learn how you can get started with a platform structure.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    • Build a Platform-Based Organization Storyboard
    [infographic]

    Further reading

    Build a Platform-Based Organization

    Use a platform structure to overcome bureaucracy.

    Analyst Perspective

    Build a platform-based organization.

    Bureaucracy saps innovation out of large corporations. Some even believe that bureaucracy is inevitable and is an outcome of a complex business operating in a complex market and regulatory environment.

    So, what is the antidote to bureaucracy? Some look to startups like Uber, Airbnb, Netflix, and Spotify, but they are digital native and don’t compare well to a large monolithic corporation.

    However, all is not lost for large corporations. Inspiration can be drawn from a company in China – Haier, which is not a typical poster child of the digital age like Spotify. In fact, three decades ago, it was a state-owned company with a shoddy product quality.

    Haier uses an intriguing organization structure based on microenterprises and platforms that has proven to be an antidote to bureaucracy.

    Vivek Mehta
    Research Director, Digital & Innovation
    Info-Tech Research Group

    Executive Summary

    The Challenge

    Large corporations are prone to bureaucracies, which sap their organizations of creativity and make them blind to new opportunities. Though many executives express the desire to get rid of it, bureaucracy is thriving in their organizations.

    Why It Happens

    As organizations grow and become more complex over time, they yearn for efficiency and control. Some believe bureaucracy is the natural outcome of running a complex organization in a complex business and regulatory environment.

    Info-Tech’s Approach

    A new organizational form – the platform structure – is challenging the bureaucratic model. The platform structure makes employees directly accountable to customers and organizes them in an ecosystem of autonomous units.

    As a starting point, sketch out a platform structure that works for your organization. Then, establish a governance model and identify and nurture key capabilities for the platform structure.

    Info-Tech Insight

    The antidote to bureaucracy is a platform structure: small, autonomous teams operating as startups within the organization.

    Executive Brief Case Study

    Small pieces, loosely joined

    Haier

    Industry: Manufacturing
    Source: Harvard Business Review November-December 2018

    Haier, based in China, is currently the world’s largest appliance maker. Zhang Ruimin, Haier’s CEO, has built an intriguing organizing structure where every employee is directly accountable to customers – internal and/or external. A large corporation often consists of a few operating units, each with its own idiosyncrasies, which makes it slow to innovate. To avoid that, Haier has divided itself into 4,000 microenterprises (MEs), most of which have ten to 15 employees. There are three types of microenterprises in Haier:

    1. Approximately 200 “transforming” MEs: market-facing units like Zhisheng, which manufactures refrigerators, a legacy Haier product, for today’s young urbanites.
    2. Approximately 50 “incubating” MEs: entirely new businesses like Xinchu that wrap existing products into entirely new business models.
    3. Approximately 3,800 “node” MEs: units that sell component products and services such as design, manufacturing, and human resources support to Haier’s market-facing MEs.

    Each ME operates as an autonomous unit with its own targets – an organizing structure that enables innovation at Haier.

    (Harvard Business Review, 2018)

    The image is a rectangular graphic with the words Refrigeration Platform in the centre. There are six text boxes around the centre, reading (clockwise from top left): Zhisheng Young urbanites; Langdu Premium; Jinchu Mid-priced; Xinchu Internet-connected; Overseas Export markets; Leader Value-priced. There are a series of white boxes bordering the graphic, with the following labels: at top--Sales nodes; at right--Support nodes (R&D, HR, supply chain, etc.); at bottom left---Design nodes; at bottom right--Production nodes.

    Markets disproportionately reward platform structure

    Tech companies like Facebook, Netflix, and Spotify are organized around a set of modular platforms run by accountable platform teams. This modular org structure enables them to experiment, learn, and scale quickly – a key attribute of innovative organizations.

    Facebook ~2,603 million monthly active users

    India ~1,353 million population

    Netflix ~183 million monthly paid subscribers

    Spotify ~130 million premium subscribers

    Canada ~37 million population

    (“Facebook Users Worldwide 2020,” “Number of Netflix Subscribers 2019,” “Spotify Users - Subscribers in 2020,” Statista.)

    1. Sketch Out the Platform Structure

    What is a platform anyway?

    A modular component of an org structure

    Platforms consist of a logical cluster of activities and associated technology that delivers on a specific business goal and can therefore be run as a business, or ‘as a service’ … Platforms focus on business solutions to serve clients (internal or external) and to supply other platforms.” – McKinsey, 2019

    Platforms operate as independent units with their own business, technology, governance, processes, and people management. As an instance, a bank could have payments platform under a joint business and IT leadership. This payments-as-a-service platform could provide know-how, processes, and technology to the bank’s internal customers such as retail and commercial business units.

    Many leading IT organizations are set up in a platform-based structure that allows them to rapidly innovate. It’s an imperative for organizations in other industries that they must pilot and then scale with a platform play.

    What a platform-based org looks like

    It looks like a multicellular organism, where each cell is akin to a platform

    An organism consists of multiple cells of different types, sizes, and shapes. Each cell is independent in its working. Regardless of the type, a cell would have three features –the nucleus, the cell membrane, and, between the two, the cytoplasm.

    Similarly, an organization could be imagined as one consisting of several platforms of different types and sizes. Each platform must be autonomous, but they all share a few common features – have a platform leader, set up and monitor targets, and enable interoperability amongst platforms. Platforms could be of three types (McKinsey, 2019):

    1. Customer-journey platforms enable customer proposition and experience built on reusable code. They provide “journey as a service”; for example, Account Opening in a bank.
    2. Business-solution platforms are modular and run as a business or as a service. They provide “company as a service”; for example, Payments or Fraud Detection in a bank.
    3. Core IT provisioning platforms provide core IT services for the organization, for example, cloud, data, automation.

    There are two images: in the lower part of the graphic shows a multicellular organism, and has text pointing to a single cell. At the top, there is a zoomed in image of that single cell, with its component parts labelled: Cell Membrane, Nucleus, and Cytoplasm.

    Case study: Payments platform in a bank

    Payments as a service to internal business units

    The payments platform is led by an SVP – the platform leader. Business and IT teams are colocated and have joint leadership. The platform team works with a mindset of a startup, serving internal customers of the bank – retail and commercial lines of business.

    A diagram showing Advisory Council in a large grey box on the left. To the right are smaller dark blue boxes labeled 'Real-time peer-to-peer payments,' Wire transfers,' 'Batch payments,' 'Mobile wallets,' and 'International payments (VISA, WU, etc.),' and one light blue box labeled 'Payments innovation.'


    Advisory Council: An Advisory Council is responsible for strategy, business, and IT architecture and for overseeing the work within the team. The Advisory Council prioritizes the work, earmarks project budgets, sets standards such as for APIs and ISO 20022, and leads vendor evaluation.

    International payments (VISA, WU, etc.): Project execution teams are structured around payment modes. Teams collaborate with each other whenever a common functionality is to be developed, like fraud check on a payment or account posting for debits and credits.

    Payments innovation: A think tank keeping track of trends in payments and conducting proof of concepts (POCs) with prospective fintech partners and with new technologies.

    Use a capability map to sketch out a platform-based structure

    Corral your organization’s activities and associated tech into a set of 20 to 40 platforms that cover customer journeys, business capabilities, and core IT. Business and IT teams must jointly work on this activity and could use a capability map as an aid to facilitate the discussion.

    The image is an example of a capability map, shown in more detail in the following section.

    An example of sketching a platform-based org structure for an insurance provider (partial)

    Design Policy Create Policy Issue Policy Service Customers Process Claims Manage Investments
    Defining Market Research & Analysis Underwriting Criteria Selection Customer Targeting Interaction Management First Notice of Loss (FNOL) Investment Strategy
    Actuarial Analysis Product Reserving Needs Assessment & Quotes Payments Claims Investigation Portfolio Management
    Catastrophe Risk Modeling Reinsurance Strategy Contract Issuance Adjustments Claims Adjudication Deposits & Disbursements
    Product Portfolio Strategy Product Prototyping Application Management Renewals Claims Recovery (Subrogation) Cash & Liquidity Management
    Rate Making Product Testing Sales Execution Offboarding Dispute Resolution Capital Allocation
    Policy Definition Product Marketing Contract Change Management

    Customer Retention

    [Servicing a customer request is a customer-journey platform.]

    Claims Inquiry

    [Filing a claim is a customer-journey platform.]

    Credit Bureau Reporting
    Shared Customer Management

    Account Management

    [Customer and account management is a business-capability platform to enable journeys.]

    Channel Management Risk Management Regulatory & Compliance Knowledge Management
    Partner Management

    Access and Identity Management

    [Access and identity management is a core IT platform.]

    Change Management Enterprise Data Management Fraud Detection [Fraud detection is a business-capability platform to enable journeys.] Product Innovation
    Enabling Corporate Governance Strategic Planning Reporting Accounting Enterprise Architecture Human Resources
    Legal Corporate Finance IT Facilities Management

    2. Establish Governance and Nurture Key Capabilities

    Two ingredients of the platform structure

    Establish a governance

    Advisory Council (AC) operates like a conductor at an orchestra, looking across all the activities to understand and manage the individual components.

    Nurture key capabilities

    Team structure, processes and technologies must be thoughtfully orchestrated and nurtured.

    Establish strong governance

    Empowerment does not mean anarchy

    While platforms are distinct units, they must be in sync with each other, like individual musicians in an orchestra. The Advisory Council (AC) must act like a conductor of the orchestra and lead and manage across platforms in three ways.

    1. Prioritize spend and effort. The AC team makes allocation decisions and prioritizes spend and effort on those platforms that can best support organizational goals and/or are in most urgent technical need. The best AC teams have enterprise architects who can understand business and dive deep enough into IT to manage critical interdependencies.
    2. Set and enforce standards. The AC team establishes both business and technology standards for interoperability. For example, the AC team can set the platform and application interfaces standards and the industry standards like ISO 20022 for payments. The AC team can also provide guidance on common apps and tools to use, for example, a reconciliation system for payments.
    3. Facilitate cross-platform work. The AC team has a unique vantage point where it can view and manage interdependencies among programs. As these complexities emerge, the AC team can step in and facilitate the interaction among the involved platform teams. In cases when a common capability is required by multiple platforms, the AC team can facilitate the dialogue to have it built out.

    Nurture the following capabilities:

    Design thinking

    “Zero distance from the customer” is the focus of platform structure. Each platform must operate with a mindset of a startup serving internal and/or external users.

    Agile delivery model

    Platform teams iteratively develop their offerings. With guidance from Advisory Council, they can avoid bottlenecks of formal alignment and approvals.

    Enterprise architecture

    The raison d'être of enterprise architecture discipline is to enable modularity in the architecture, encourage reusability of assets, and simplify design.

    Microservices

    Microservices allow systems to grow with strong cohesion and weak coupling and enable teams to scale components independently.

    APIs

    With their ability to link systems and data, APIs play a crucial role in making IT systems more responsive and adaptable.

    Machine learning

    With the drop in its cost, predictability is becoming the new electricity for business. Platforms use machine learning capability for better predictions.

    Related Info-Tech Research

    Drive Digital Transformation With Platform Strategies
    Innovate and transform your business models with digital platforms.

    Implement Agile Practices That Work
    Guide your organization through its Agile transformation journey.

    Design a Customer-Centric Digital Operating Model
    Putting the customer at the center of digital transformation.

    Bibliography

    Bossert, Oliver, and Jürgen Laartz. “Perpetual Evolution—the Management Approach Required for Digital Transformation.” McKinsey, 5 June 2017. Accessed 21 May 2020.

    Bossert, Oliver, and Driek Desmet. “The Platform Play: How to Operate like a Tech Company.” McKinsey, 28 Feb. 2019. Accessed 21 May 2020.

    “Facebook Users Worldwide 2020.” Statista. Accessed 21 May 2020.

    Hamel, Gary, and Michele Zanini. “The End of Bureaucracy.” Harvard Business Review. Nov.-Dec. 2018. Accessed 21 May 2020.

    “Number of Netflix Subscribers 2019.” Statista. Accessed 21 May 2020.

    “Spotify Users - Subscribers in 2020.” Statista. Accessed 21 May 2020.

    Develop an IT Asset Management Strategy

    • Buy Link or Shortcode: {j2store}295|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $52,211 Average $ Saved
    • member rating average days saved: 31 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management

    You have a mandate to create an accurate and actionable database of the IT assets in your environment, but:

    • The data you have is often incomplete or wrong.
    • Processes are broken or non-existent.
    • Your tools aren’t up to the task of tracking ever more hardware, software, and relevant metadata.
    • The role of stakeholders outside the core ITAM team isn’t well defined or understood.

    Our Advice

    Critical Insight

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. But there’s no value in data for data’s sake. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an ITAM strategy that maximizes the value they can deliver as service providers.

    Impact and Result

    • Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.
    • Clarify the structure for the ITAM program, including scope, responsibility and accountability, centralization vs. decentralization, outsourcing vs. insourcing, and more.
    • Create a practical roadmap to guide improvement.
    • Summarize your strategy and approach using Info-Tech’s templates for review with stakeholders.

    Develop an IT Asset Management Strategy Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Develop an IT Asset Management Strategy – A methodology to create a business-aligned, coherent, and durable approach to ITAM.

    This two-phase, step-by-step methodology will guide you through the activities to build a business-aligned, coherent, and durable approach to ITAM. Review the executive brief at the start of the slide deck for an overview of the methodology and the value it can provide to your organization.

    • Develop an IT Asset Management Strategy – Phases 1-2

    2. ITAM Strategy Template – A presentation-ready repository for the work done as you define your ITAM approach.

    Use this template to document your IT asset management strategy and approach.

    • ITAM Strategy Template

    3. IT Asset Estimations Tracker – A rough-and-ready inventory exercise to help you evaluate the work ahead of you.

    Use this tool to estimate key data points related to your IT asset estate, as well as your confidence in your estimates.

    • IT Asset Estimations Tracker

    Infographic

    Workshop: Develop an IT Asset Management Strategy

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify ITAM Priorities & Goals, Maturity, Metrics and KPIs

    The Purpose

    Align key stakeholders to the potential strategic value of the IT asset management practice.

    Ensure the ITAM practice is focused on business-aligned goals.

    Key Benefits Achieved

    Define a business-aligned direction and expected outcomes for your ITAM program.

    Activities

    1.1 Brainstorm ITAM opportunities and challenges.

    1.2 Conduct an executive alignment working session.

    1.3 Set ITAM priorities, goals and tactics.

    1.4 Identify target and current state ITAM maturity.

    Outputs

    ITAM opportunities and challenges

    Align executive priorities with ITAM opportunities.

    ITAM metrics and KPIs

    ITAM maturity

    2 Identify Your Approach to Support ITAM Priorities and Goals

    The Purpose

    Translate goals into specific and coherent actions to enable your ITAM practice to deliver business value.

    Key Benefits Achieved

    A business-aligned approach to ITAM, encompassing scope, structure, tools, audits, budgets, documentation and more.

    A high-level roadmap to achieve your vision for the ITAM practice.

    Activities

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Outputs

    Your ITAM approach

    ITAM roadmap and communication plan

    Further reading

    Develop an IT Asset Management Strategy

    Define your business-aligned approach to ITAM.

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    17 Phase 1: Establish Business-Aligned ITAM Goals and Priorities

    59 Phase 2: Support ITAM Goals and Priorities

    116 Bibliography

    Develop an IT Asset Management Strategy

    Define your business-aligned approach to ITAM.

    EXECUTIVE BRIEF

    Analyst Perspective

    Track hardware and software. Seems easy, right?

    It’s often taken for granted that IT can easily and accurately provide definitive answers to questions like “how many laptops do we have at Site 1?” or “do we have the right number of SQL licenses?” or “how much do we need to budget for device replacements next year?” After all, don’t we know what we have?

    IT can’t easily provide these answers because to do so you must track hardware and software throughout its lifecycle – which is not easy. And unfortunately, you often need to respond to these questions on very short notice because of an audit or to support a budgeting exercise.

    IT Asset Management (ITAM) is the solution. It’s not a new solution – the discipline has been around for decades. But the key to success is to deploy the practice in a way that is sustainable, right-sized, and maximizes value.

    Use our practical methodology to develop and document your approach to ITAM that is aligned with the goals of your organization.

    Photo of Andrew Sharp, Research Director, Infrastructure & Operations Practice, Info-Tech Research Group.

    Andrew Sharp
    Research Director
    Infrastructure & Operations Practice
    Info-Tech Research Group

    Realize the value of asset management

    Cost optimization, application rationalization and reduction of technical debt are all considered valuable to right-size spending and improve service outcomes. Without access to accurate data, these activities require significant investments of time and effort, starting with creation of point-in-time inventories, which lengthens the timeline to reaching project value and may still not be accurate.

    Cost optimization and reduction of technical debt should be part of your culture and technical roadmap rather than one-off projects. Why? Access to accurate information enables the organization to quickly make decisions and pivot plans as needed. Through asset management, ongoing harvest and redeployment of assets improves utilization-to-spend ratios. We would never see any organization saying, “We’ve closed our year end books, let’s fire the accountants,” but often see this valuable service relegated to the back burner. Similar to the philosophy that “the best time to plant a tree is 20 years ago and the next best time is now,” the sooner you can start to collect, validate, and analyze data, the sooner you will find value in it.

    Photo of Sandi Conrad, Principal Research Director, Infrastructure & Operations Practice, Info-Tech Research Group.

    Sandi Conrad
    Principal Research Director
    Infrastructure & Operations Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    You have a mandate to create an accurate and actionable database of the IT assets in your environment, but:

    • The data you have is often incomplete or wrong.
    • Processes are broken or non-existent.
    • Your tools aren’t up to the task of tracking ever more hardware, software, and relevant metadata.
    • The role of stakeholders outside the core ITAM team isn’t well defined or understood.
    Common Obstacles

    It is challenging to make needed changes because:

    • There’s cultural resistance to asset tracking, it’s seen as busywork that doesn’t clearly create value.
    • Decentralized IT teams aren’t generating the data required to track hardware and licenses.
    • ITAM can’t direct needed tool improvements because the admins don’t report to ITAM.
    • It’s hard to find time to improve processes given the day-to-day demands on your time.
    Info-Tech’s Approach
    • Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.
    • Clarify the structure for the ITAM program, including scope, responsibility and accountability, centralization vs. decentralization, outsourcing vs. insourcing, and more.
    • Create a practical roadmap to guide improvement.
    • Summarize your strategy and approach using Info-Tech’s templates for review with stakeholders.

    Info-Tech Insight

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. But there’s no value in data for data’s sake. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an ITAM strategy that maximizes the value they can deliver as service providers.

    Unlock business value with IT asset management

    • IT asset management (ITAM) is the practice of maintaining accurate, accessible, and actionable data on the assets within the organization’s IT estate. Each IT asset will have a record that tracks it across its lifecycle from purchase to disposal.
    • ITAM’s value is realized through other processes and practice areas that can leverage ITAM data to manage risk, improve IT services, and control costs.
    • Develop an approach to ITAM that maximizes the value delivered to the business and IT. ITAM succeeds when its partners succeed at delivering business value, and it fails when it doesn’t show value to those partners.

    This blueprint will help you develop your approach for the management of IT hardware and software, including cloud services. Leverage other Info-Tech methodologies to dive directly into developing hardware asset management procedures, software asset management procedures, or to implement configuration management best practices.

    Info-Tech Members report significant savings from implementing our hardware and software asset management frameworks. In order to maximize value from the process-focused methodologies below, develop your ITAM strategy first.

    Implement Hardware Asset Management (Based on Info-Tech Measured Value Surveys results from clients working through these blueprints, as of February 2022.)

    9.6/10

    $23k

    32

    Overall Impact Average $ Saved Average Days Saved
    Implement Software Asset Management (Based on Info-Tech Measured Value Surveys results from clients working through these blueprints, as of February 2022.)

    9.0/10

    $12k

    5

    Overall Impact Average $ Saved Average Days Saved

    ITAM provides both early and ongoing value

    ITAM isn’t one-and-done. Properly supported, your ITAM practice will deliver up-front value that will help demonstrate the value ongoing ITAM can offer through the maintenance of an accurate, accessible, and actionable ITAM database.

    Example: Software Savings from ITAM



    This chart shows the money saved between the first quote and the final price for software and maintenance by a five-person ITAM team. Over a year and a half, they saved their organization a total of $7.5 million from a first quote total of $21 million over that period.

    This is a perfect example of the direct value that ITAM can provide on an ongoing basis to the organization, when properly supported and integrated with IT and the business.

    Examples of up-front value delivered in the first year of the ITAM practice:

    • Save money by reviewing and renegotiating critical, high-spend, and undermanaged software and service contracts.
    • Redeploy or dispose of clearly unused hardware and software.
    • Develop and enforce standards for basic hardware and software.
    • Improve ITAM data quality and build trust in the results.

    Examples of long-term value from ongoing governance, management, and operational ITAM activities:

    • Optimize spend: Reallocate unused hardware and software, end unneeded service agreements, and manage renewals and audits.
    • Reduce risk: Provide comprehensive asset data for security controls development and incident management; manage equipment disposal.
    • Improve IT service: Support incident, problem, request, and change management with ITAM data. Develop new solutions with an understanding of what you have already.

    Common obstacles

    The rulebook is available, but hard to follow
    • ITAM takes a village, but stakeholders aren’t aware of their role. ITAM processes rely on technicians to update asset records, vendors to supply asset data, administrators to manage tools, leadership to provide direction and support, and more.
    • Constant change in the IT and business environment undermines the accuracy of ITAM records (e.g. licensing and contract changes, technology changes that break discovery tools, personnel and organizational changes).
    • Improvement efforts are overwhelmed by day-to-day activities. One study found that 83% of SAM teams’ time is consumed by audit-related activities. (Flexera State of ITAM Report 2022) A lack of improvement becomes a vicious cycle when stakeholders who don’t see the value of ITAM decline to dedicate resources for improvement.
    • Stakeholders expect ITAM tools to be a cure-all, but even at their best, they can’t provide needed answers without some level of configuration, manual input, and supervision.
    • There’s often a struggle to connect ITAM to value. For example, respondents to Info-Tech’s Management & Governance Diagnostic consistently rank ITAM as less important than other processes that ITAM directly supports (e.g. budget management and budget optimization). (Info-Tech MGD Diagnostic (n=972 unique organizations))
    ITAM is a mature discipline with well-established standards, certifications, and tools, but we still struggle with it.
    • Only 28% of SAM teams track IaaS and PaaS spend, and only 35% of SAM teams track SaaS usage.
    • Increasing SAM maturity is a challenge for 76% of organizations.
    • 10% of organizations surveyed have spent more than $5 million in the last three years in audit penalties and true-ups.
    • Half of all of organizations lack a viable SAM tool.
    • Seventy percent of SAM teams have a shortfall of qualified resources.
    • (Flexera State of ITAM Report 2022)

    Info-Tech's IT Asset Management Framework (ITAM)

    Adopt, manage, and mature activities to enable business value thorugh actionable, accessible, and accurate ITAM data

    Logo for Info-Tech Research Group. Enable Business Value Logo for #iTRG.
    Business-Aligned Spend
    Optimization and Transparency
    Facilitate IT Services
    and Products
    Actionable, Accessible,
    and Accurate Data
    Context-Aware Risk Management
    and Security Controls

    Plan & Govern

    Business Goals, Risks, and Structure
    • ITAM Goals & Priorities
    • Roles, Accountability, Responsibilities
    • Scope
    Ongoing Management Commitment
    • Resourcing & Funding
    • Policies & Enforcement
    • Continuous Improvement
    Culture
    • ITAM Education, Awareness & Training
    • Organizational Change Management
    Section title 'Operate' with a cycle surrounding key components of Operate: 'Data Collection & Validation', 'Tool Administration', 'License Management', and 'Lease Management'. The cycle consists of 'Request', 'Procure', 'Receive', 'Deploy', 'Manage', 'Retire & Dispose', and back to 'Request'.

    Build & Manage

    Tools & Data
    • ITAM Tool Selection & Deployment
    • Configuration Management Synchronization
    • IT Service Management Integration
    Process
    • Process Management
    • Data & Process Audits
    • Document Management
    People, Policies, and Providers
    • Stakeholder Management
    • Technology Standardization
    • Vendor & Contract Management

    Info-Tech Insight

    ITAM is a foundational IT service that provides actionable, accessible, and accurate data on IT assets. But there's no value in data for data's sake. Use this methodology to enable collaboration between ITAM, the business, and IT to develop an approach to ITAM that maximizes the value the ITAM team can deliver as service providers.

    Key deliverable

    IT asset management requires ongoing practice – you can’t just implement it and walk away.

    Our methodology will help you build a business-aligned strategy and approach for your ITAM practice with the following outputs:

    • Business-aligned ITAM priorities, opportunities, and goals.
    • Current and target state ITAM maturity.
    • Metrics and KPIs.
    • Roles, responsibilities, and accountability.
    • Insourcing, outsourcing, and (de)centralization.
    • Tools and technology.
    • A documentation framework.
    • Initiatives, a roadmap, and a communication plan.
    Each step of this blueprint is designed to help you create your IT asset management strategy:
    Sample of Info-Tech's key deliverable 'IT Asset Management' blueprint.

    Info-Tech’s methodology to develop an IT asset management strategy

    1. Establish business-aligned ITAM goals and priorities 2. Identify your approach to support ITAM priorities and goals
    Phase Steps
    • 1.1 Define ITAM and brainstorm opportunities and challenges.
    • Executive Alignment Working Session:
    • 1.2 Review organizational priorities, strategy, and key initiatives.
    • 1.3 Align executive priorities with ITAM opportunities and priorities.
    • 1.4 Identify business-aligned ITAM goals and target maturity.
    • 1.5 Write mission and vision statements.
    • 1.6 Define ITAM metrics and KPIs.
    • 2.1 Define ITAM scope.
    • 2.2 Acquire ITAM services (outsourcing and contracting).
    • 2.3 Centralize or decentralize ITAM capabilities.
    • 2.4 Create a RACI for the ITAM practice.
    • 2.5 Align ITAM with other service management practices.
    • 2.6 Evaluate ITAM tools and integrations.
    • 2.7 Create a plan for internal and external audits.
    • 2.8 Improve your budget processes.
    • 2.9 Establish a documentation framework.
    • 2.10 Create a roadmap and communication plan.
    Phase Outcomes Defined, business-aligned goals and priorities for ITAM. Establish an approach to achieving ITAM goals and priorities including scope, structure, tools, service management integrations, documentation, and more.
    Project Outcomes Develop an approach and strategy for ITAM that is sustainable and aligned with your business priorities.

    Insight Summary

    There’s no value in data for data’s sake

    ITAM is a foundational IT service that provides accurate, accessible, actionable data on IT assets. Enable collaboration between IT asset managers, business leaders, and IT leaders to develop an approach to ITAM that maximizes the value they can deliver as service providers.

    Service provider to a service provider

    ITAM is often viewed (when it’s viewed at all) as a low-value administrative task that doesn’t directly drive business value. This can make it challenging to build a case for funding and resources.

    Your ITAM strategy is a critical component to help you define how ITAM can best deliver value to your organization, and to stop creating data for the sake of data or just to fight the next fire.

    Collaboration over order-taking

    To align ITAM practices to deliver organizational value, you need a very clear understanding of the organization’s goals – both in the moment and as they change over time.

    Ensure your ITAM team has clear line of sight to business strategy, objectives, and decision-makers, so you can continue to deliver value as priorities change

    Embrace dotted lines

    ITAM teams rely heavily on staff, systems, and data beyond their direct area of control. Identify how you will influence key stakeholders, including technicians, administrators, and business partners.

    Help them understand how ITAM success relies on their support, and highlight how their contributions have created organizational value to encourage ongoing support.

    Project benefits

    Benefits for IT
    • Set a foundation and direction for an ITAM practice that will allow IT to manage risk, optimize spend, and enhance services in line with business requirements.
    • Establish accountability and responsibility for essential ITAM activities. Decide where to centralize or decentralize accountability and authority. Identify where outsourcing could add value.
    • Create a roadmap with concrete, practical next steps to develop an effective, right-sized ITAM practice.
    Stock image of a trophy. Benefits for the business
    • Plan and control technology spend with confidence based on trustworthy ITAM data.
    • Enhance IT’s ability to rapidly and effectively support new priorities and launch new projects. Effective ITAM can support more streamlined procurement, deployment, and management of assets.
    • Implement security controls that reflect your total technology footprint. Reduce the risk that a forgotten device or unmanaged software turns your organization into the next Colonial Pipeline.

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    Guided Implementation

    Workshop

    Consulting

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful." "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track." "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place." "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI around 12 calls over the course of 6 months.

    What does a typical GI on this topic look like?

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Review business priorities.

    Call #3: Identify ITAM goals & target maturity.

    Call #4: Identify metrics and KPIs. Call #5: Define ITAM scope.

    Call #6: Acquire ITAM services.

    Call #7: ITAM structure and RACI.

    Call #8: ITAM and service management.

    Tools and integrations.

    Call #10: Internal and external audits.

    Call #11: Budgets & documentation

    Call #12: Roadmap, comms plan. Wrap-up.

    Phase 1 Phase 2

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com1-888-670-8889
    Day 1 Day 2 Day 3 Day 4 Day 5
    Identify ITAM priorities & goals, maturity, metrics and KPIs
    Identify your approach to support ITAM priorities and goals
    Next Steps and wrap-Up (offsite)
    Activities

    1.1 Define ITAM.

    1.2 Brainstorm ITAM opportunities and challenges.

    Conduct an executive alignment working session:

    1.3 Review organizational priorities, strategy, and key initiatives.

    1.4 Align executive priorities with ITAM opportunities.

    1.5 Set ITAM priorities.

    2.1 Translate opportunities into ITAM goals and tactics.

    2.2 Identify target and current state ITAM maturity.

    2.3 Create mission and vision statements.

    2.4 Identify key ITAM metrics and KPIs.

    3.1 Define ITAM scope.

    3.2 Acquire ITAM services (outsourcing and contracting)

    3.3 Centralize or decentralize ITAM capabilities.

    3.4 Create a RACI for the ITAM practice.

    3.5 Align ITAM with other service management practices.

    3.6 Evaluate ITAM tools and integrations.

    4.1 Create a plan for internal and external audits.

    4.2 Improve your budget processes.

    4.3 Establish a documentation framework and identify documentation gaps.

    4.4 Create a roadmap and communication plan.

    5.1 Complete in-progress deliverables from previous four days.

    5.2 Set up review time for workshop deliverables and to discuss next steps.

    Deliverables
    1. ITAM opportunities and challenges.
    2. Align executive priorities with ITAM opportunities.
    3. Set ITAM priorities.
    1. ITAM goals and tactics.
    2. Current and target ITAM maturity.
    3. Mission and vision statements.
    4. ITAM metrics and KPIs.
    1. Decisions that will shape your ITAM approach, including:
      1. What’s in scope (hardware, software, and cloud services).
      2. Where to centralize, decentralize, or outsource ITAM activities.
      3. Accountability, responsibility, and structure for ITAM activities.
      4. Service management alignment, tooling gaps, audit plans, budget processes, and required documentation.
    2. A roadmap and communication plan.
    1. Your completed ITAM strategy template.
    Develop an IT Asset Management Strategy

    Phase 1:

    Establish business-aligned ITAM goals and priorities

    Phase 1

    1.1 Define ITAM and brainstorm opportunities and challenges.

    Executive Alignment Working Session:

    1.2 Review organizational priorities, strategy, and key initiatives.

    1.3 Align executive priorities with ITAM opportunities & priorities.

    1.4 Identify business-aligned ITAM goals and target maturity.

    1.5 Write mission and vision statements.

    1.6 Define ITAM metrics and KPIs.

    Phase 2

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Phase Outcomes:

    Defined, business-aligned goals, priorities, and KPIs for ITAM. A concise vision and mission statement. The direction you need to establish a practical, right-sized, effective approach to ITAM for your organization.

    Before you get started

    Set yourself up for success with these three steps:
    • This methodology and the related slides are intended to be executed via intensive, collaborative working sessions using the rest of this slide deck.
    • Ensure the working sessions are a success by working through these steps before you start work on your IT asset management strategy.

    1. Identify participants

    Review recommended roles and identify who should participate in the development of your ITAM strategy.

    2. Estimate assets managed today

    Work through an initial assessment to establish ease of access to ITAM data and your level of trust in the data available to you.

    3. Create a working folder

    Create a repository to house your notes and any work in progress, including your copy of the ITAM Strategy Template.

    0.1 Identify participants

    30 minutes

    Output: List of key roles for the strategy exercises outlined in this methodology

    Participants: Project sponsor, Lead facilitator, ITAM manager and SMEs

    This methodology relies on having the right stakeholders in the room to identify ITAM goals, challenges, roles, structure, and more. On each activity slide in this deck, you’ll see an outline of the recommended participants. Use the table below to translate the recommended roles into specific people in your organization. Note that some people may fill multiple roles.

    Role Expectations People
    Project Sponsor Accountable for the overall success of the methodology. Ideally, participates in all exercises in this methodology. May be the asset manager or whoever they report to. Jake Long
    Lead Facilitator Leads, schedules, and manages all working sessions. Guides discussions and ensures activity outputs are completed. Owns and understands the methodology. Has a working knowledge of ITAM. Robert Loblaw
    Asset Manager(s) SME for the ITAM practice. Provides strategic direction to mature ITAM practices in line with organizational goals. Supports the facilitator. Eve Maldonado
    ITAM Team Hands-on ITAM professionals and SMEs. Includes the asset manager. Provide input on tactical ITAM opportunities and challenges. Bruce Wayne, Clark Kent
    IT Leaders & Managers Leaders of key stakeholder groups from across the IT department – the CIO and direct reports. Provide input on what IT needs from ITAM, and the role their teams should play in ITAM activities. May include delegates, particularly those familiar with day-to-day processes relevant to a particular discussion or exercise. Marcelina Hardy, Edmund Broughton
    ITAM Business Partners Non-IT business stakeholders for ITAM. This could include procurement, vendor management, accounting, and others. Zhang Jin, Effie Lamont
    Business Executives Organizational leaders and executives (CFO, COO, CEO, and others) or their delegates. Will participate in a mini-workshop to identify organizational goals and initiatives that can present opportunities for the ITAM practice. Jermaine Mandar, Miranda Kosuth

    0.2 Estimate asset numbers

    1 hour

    Output: Estimates of quantity and spend related to IT assets, Confidence/margin of error on estimates

    Participants: IT asset manager, ITAM team

    What do you know about your current IT environment, and how confident are you in that knowledge?

    This exercise will help you evaluate the size of the challenge ahead in terms of the raw number of assets in your environment, the spend on those assets, and the level of trust your organization has in the ITAM data.

    It is also a baseline snapshot your ability to relay key ITAM metrics quickly and confidently, so you can measure progress (in terms of greater confidence) over time.

    1. Download the estimation tracker below. Add any additional line items that are particularly important to the organization.
    2. Time-box this exercise to an hour. Use your own knowledge and existing data repositories to identify count/spend for each line item, then add a margin of error to your guess. Larger margins of error on larger counts will typically indicate larger risks.
    3. Track any assumptions, data sources used, or SMEs consulted in the comments.

    Download the IT Asset Estimation Tracker

    “Any time there is doubt about the data and it doesn’t get explained or fixed, then a new spreadsheet is born. Data validation and maintenance is critical to avoid the hidden costs of having bad data”

    Allison Kinnaird,
    Operations Practice Lead,
    Info-Tech Research Group

    0.3 Create a working folder

    15 minutes

    Output: A repository for templates and work in progress

    Participants: Lead facilitator

    Create a central repository for collaboration – it seems like an obvious step, but it’s one that gets forgotten about
    1. Download a copy of the ITAM Strategy Template.
      1. This will be the repository for all the work you do in the activities listed in this blueprint; take a moment to read it through and familiarize yourself with the contents.
    2. House the template in a shared repository that can house other related work in progress. Share this folder with participants so they can check in on your progress.
    3. You’ll see this callout box: Add your results to your copy of the ITAM Strategy Template as you work through activities in this blueprint. Copy the output to the appropriate slide in the ITAM Strategy Template.
    Stock image of a computer screen with a tiny person putting likes on things.

    Collect action items as you go

    Don’t wait until the end to write down your good ideas.
    • The last exercise in this methodology is to gather everything you’ve learned and build a roadmap to improve the ITAM practice.
    • The output of the exercises will inform the roadmap, as they will highlight areas with opportunities for improvement.
    • Write them down as you work through the exercises, or you risk forgetting valuable ideas.
    • Keep an “idea space” – a whiteboard with sticky notes or a shared document – to which any of your participants can post an idea for improvement and that you can review and consolidate later.
    • Encourage participants to add their ideas at any time during the exercises.
    Pad of sticky notes, the top of which reads 'Good ideas go here!'

    Step 1.1: Brainstorm ITAM opportunities and challenges

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Rally the working group around a collection of ideas that, when taken together, create a vision for the future ITAM practice.
    • Identify your organization’s current ITAM challenges.

    “ITAM is a cultural shift more than a technology shift.” (Rory Canavan, SAM Charter)

    What is an IT Asset?

    Any piece of technology can be considered an asset, but it doesn’t mean you need to track everything. Image of three people building a computer from the inside.
    Icon of a power button.

    According to the ISO 19770 standard on ITAM, an IT Asset is “[an] item, thing, or entity that can be used to acquire, process, store and distribute digital information and has potential or actual value to an organization.”
    These are all things that IT is expected to support and manage, or that have the potential to directly impact services that IT supports and manages.

    Icon of a half-full battery.

    IT assets are distinct from capital assets. Some IT assets will also be capital assets, but not all will be. And not all capital assets are IT assets, either.

    Icon of a microphone.

    IT assets are typically tracked by IT, not by finance or accounting.
    IT needs more from their IT asset tracking system than the typical finance department can deliver.
    This can include end-user devices, software, IT infrastructure, cloud-based resources, third-party managed IT services, Internet-of-Things devices, embedded electronics, SCADA equipment, “smart” devices, and more.

    Icon of a fingerprint.

    It’s important to track IT assets in a way that enables IT to deliver value to the business – and an important part of this is understanding what not to track. This list should be aligned to the needs of your organization.

    What is IT asset management?

    • IT asset management is the practice of maintaining accurate, accessible, and actionable data on IT hardware, software, and cloud assets from procurement to disposal.
    • Trustworthy data maintained by an IT asset management practice will help your business meet its goals by managing risk, controlling costs, and enabling IT services and products.
    • ITAM tends to focus on the asset itself – its technical, financial, contractual, lifecycle, and ownership attributes – rather than its interactions or connections to other IT assets, which tends to be part of configuration management.

    What IT Asset Management is NOT:

    Configuration Management: Configuration management databases (CMDBs) often draw from the same data pool as ITAM (many configuration items are assets, and vice versa), but they focus on the interaction, interconnection, and interoperation of configuration items within the IT estate.

    In practice, many configuration items will be IT assets (or parts of assets) and vice versa. Configuration and asset teams should work closely together as they develop different but complementary views of the IT environment. Use Info-Tech’s methodology to harness configuration management superpowers.

    Organizational Data Management: Leverage a different Info-Tech methodology to develop a digital and data asset management program within Info-Tech’s DAM framework.

    “Asset management’s job is not to save the organization money, it’s not to push back on software audits.

    It’s to keep the asset database as up-to-date and as trustworthy as possible. That’s it.” (Jeremy Boerger, Consultant & Author)

    “You can’t make any real decisions on CMDB data that’s only 60% accurate.

    You start extrapolating that out, you’re going to get into big problems.” (Mike Austin, Founder & CEO, MetrixData 360)

    What is an ITAM strategy?

    Our strategy document will outline a coherent, sustainable, business-aligned approach to ITAM.

    No single approach to ITAM fits all organizations. Nor will the same approach fit the same organization at different times. A world-leading research university, a state government, and a global manufacturer all have very different goals and priorities that will be best supported by different approaches to ITAM.

    This methodology will walk you through these critical decisions that will define your approach to ITAM:

    • Business-aligned priorities, opportunities, and goals: What pressing opportunities and challenges do we face as an organization? What opportunities does this create that ITAM can seize?
    • Current and future state maturity, challenges: What is the state of the practice today? Where do we need to improve to meet our goals? What challenges stand in the way of improvement?
    • Responsibility, accountability, sourcing and (de)centralization: Who does what? Who is accountable? Where is there value to outsourcing? What authority will be centralized or decentralized?
    • Tools, policies, and procedures: What technology do we need? What’s our documentation framework?
    • Initiatives, KPIs, communication plan, and roadmap: What do we need to do, in what order, to build the ITAM practice to where we need it to be? How long do we expect this to take? How will we measure success?

    “A good strategy has coherence, coordinating actions, policies, and resources so as to accomplish an important end. Most organizations, most of the time, don’t have this.

    Instead, they have multiple goals and initiatives that symbolize progress, but no coherent approach to accomplish that progress other than ‘spend more and try harder.’” (Good Strategy, Bad Strategy, Richard Rumelt)

    Enable business value with IT asset management

    If you’ve never experienced a mature ITAM program before, it is almost certainly more rewarding than you’d expect once it’s functioning as intended.

    Each of the below activities can benefit from accessible, actionable, and accurate ITAM data.

    • Which of the activities, practices, and initiatives below have value to your organization?
    • Which could benefit most from ITAM data?
    Manage Risk: Effective ITAM practices provide data and processes that help mitigate the likelihood and impact of potentially damaging IT risks.

    ITAM supports the following practices that help manage organizational risk:

    • Security Controls Development
    • Security Incident Response
    • Security Audit Reports
    • Regulatory Compliance Reports
    • IT Risk Management
    • Technical Debt Management
    • M&A Due Diligence
    Optimize Spend: Asset data is essential to maintaining oversight of IT spend, ensuring that scarce resources are allocated where they can have the most impact.

    ITAM supports these activities that help optimize spend:

    • Vendor Management & Negotiations
    • IT Budget Management & Variance Analysis
    • Asset Utilization Analysis
    • FinOps & Cloud Spend Optimization
    • Showback & Chargeback
    • Software Audit Defense
    • Application Rationalization
    • Contract Consolidation
    • License and Device Reallocation
    Improve IT Services: Asset data can help inform solutions development and can be used by service teams to enhance and improve IT service practices.

    Use ITAM to facilitate these IT services and initiatives:

    • Solution and Enterprise Architecture
    • Service Level Management
    • Technology Procurement
    • Technology Refresh Projects
    • Incident & Problem Management
    • Request Management
    • Change Management
    • Green IT

    1.1 Brainstorm ideas to create a vision for the ITAM practice

    30 minutes

    Input: Stakeholders with a vision of what ITAM could provide, if resourced and funded adequately

    Output: A collection of ideas that, when taken together, create a vision for the future ITAM practice

    Materials: ITAM strategy template, Whiteboard or virtual whiteboard

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    It can be easy to lose sight of long-term goals when you’re stuck in firefighting mode. Let’s get the working group into a forward-looking mindset with this exercise.

    Think about what ITAM could deliver with unlimited time, money, and technology.

    1. Provide three sticky notes to each participant.
    2. Add the headings to a whiteboard, or use a blank slide as a digital whiteboard
    3. On each sticky note, ask participants to outline a single idea as follows:
      1. We could: [idea]
      2. Which would help: [stakeholder]
      3. Because: [outcome]
    4. Ask participants to present their sticky notes and post them to the whiteboard. Ask later participants to group similar ideas together.

    As you hear your peers describe what they hope and expect to achieve with ITAM, a shared vision of what ITAM could be will start to emerge.

    1.1 Identify structural ITAM challenges

    30 minutes

    Input: The list of common challenges on the next slide, Your estimated visibility into IT assets from the previous exercise, The experience and knowledge of your participants

    Output: Identify current ITAM challenges

    Materials: Your working copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    What’s standing in the way today of delivering the ITAM practices you want to achieve?

    Review the list of common challenges on the next slide as a group.

    1. Delete any challenges that don’t apply to your organization.
    2. Modify any challenges as required to reflect your organization.
    3. Add further challenges that aren’t on the list, as required.
    4. Highlight challenges that are particularly painful.

    Add your results to your copy of the ITAM Strategy Template

    “The problem – the reason why asset management initiatives keep falling on their face – is that people attack asset management as a problem to solve, instead of a practice and epistemological construct.” (Jeremy Boerger, Consultant & Author)

    1.1 Identify structural ITAM challenges

    Review and update the list of common challenges below to reflect your own organization.

    • Leadership and executives don’t understand the value of asset management and don’t fund or resource it.
    • Tools aren’t fit for purpose, don’t scale, or are broken.
    • There’s a cultural tendency to focus on tools over processes.
    • ITAM data is fragmented across multiple repositories.
    • ITAM data is widely viewed as untrustworthy.
    • Stakeholders respond to vendor audits before consulting ITAM, which leads to confusion and risks penalties.
    • No time for improvement; we’re always fighting fires.
    • We don’t audit our own ITAM data for accuracy.
    • End-user equipment is shared, re-assigned, or disposed without notifying or involving IT.
    • No dedicated resources.
    • Lack of clarity on roles and responsibilities.
    • Technicians don’t track assets consistently; ITAM is seen as administrative busywork.
    • Many ITAM tasks are manual and prone to error.
    • Inconsistent organizational policies and procedures.
    • We try to manage too many hardware types/software titles.
    • IT is not involved in the procurement process.
    • Request and procurement is seen as slow and excessively bureaucratic.
    • Hardware/software standards don’t exist or aren’t enforced.
    • Extensive rogue purchases/shadow IT are challenging to manage via ITAM tools and processes.
    What Else?

    Copy results to your copy of the ITAM Strategy Template

    Step 1.2: Review organizational priorities, strategy, initiatives

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • Business executives or their delegates

    Outcomes

    • Review organizational priorities and strategy.
    • Identify key initiatives.

    Enter the executives

    Deliver on leadership priorities

    • Your business’ major transformative projects and executive priorities might seem far removed from hardware and software tracking. Why would we start with business strategy and executive priorities as we’re setting goals for the ITAM program?
    • While business executives have (likely) no interest in how software and hardware is tracked, they are accountable for the outcomes ITAM can enable. They are the most likely to understand why and how ITAM can deliver value to the organization.
    • ITAM succeeds by enabling its stakeholders to achieve business outcomes. The next three activities are designed to help you identify how you can enable your stakeholders, and what outcomes are most important from their point of view. Specifically:
      • What are the business’ planned transformational initiatives?
      • What are your highest priority goals?
      • What should the priorities of the ITAM practice be?
    • The answers to these questions will shape your approach to ITAM. Direct input from your leadership and executives – or their delegates – will help ensure you’re setting a solid foundation for your ITAM practice.

    “What outcomes does the organization want from IT asset management? Often, senior managers have a clear vision for the organization and where IT needs to go, and the struggle is to communicate that down.” (Kylie Fowler, ITAM Intelligence)

    Stock image of many hands with different puzzle pieces.

    Executive Alignment Session Overview

    ITAM Strategy Working Sessions

    • Discover & Brainstorm
    • Executive Alignment Working Session
      • 1.2 Review organizational strategy, priorities, and key initiatives
      • 1.3 Align executive priorities with ITAM opportunities, set ITAM priorities
    • ITAM Practice Maturity, Vision & Mission, Metrics & KPIs
    • Scope, Outsourcing, (De)Centralization, RACI
    • Service Management Integration
    • ITAM Tools
    • Audits, Budgets, Documents
    • Roadmap & Comms Plan

    A note to the lead facilitator and project sponsor:
    Consider working through these exercises by yourself ahead of time. As you do so, you’ll develop your own ideas about where these discussions may go, which will help you guide the discussion and provide examples to participants.

    1.2 Review organizational strategy and priorities

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leadership, Business executives or delegates

    Welcome your group to the working session and outline the next few exercises using the previous slide.

    Ask the most senior leader present to provide a summary of the following:

    1. What is the vision for the organization?
    2. What are our priorities and what must we absolutely get right?
    3. What do we expect the organization to look like in three years?

    The facilitator or a dedicated note-taker should record key points on a whiteboard or flipchart paper.

    1.2 Identify transformational initiatives

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leadership, Business executives or delegates

    Ask the most senior leader present to provide a summary of the following: What transformative business and IT initiatives are planned? When will they begin and end?

    Using one box per initiative, draw the initiatives in a timeline like the one below.

    Sample timeline for ITAM initiatives.

    Add your results to your copy of the ITAM Strategy Template

    Step 1.3: Set business-aligned ITAM priorities

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • Business executives

    Outcomes

    • Connect executive priorities to ITAM opportunities.
    • Set business-aligned priorities for the ITAM practice.

    1.3 Align executive priorities with ITAM opportunities

    45 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The diagram in the next slide, and/or a whiteboard, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leaders and managers, Business executives or delegates

    In this exercise, we’ll use the table on the next slide to identify the top priorities of key business and IT stakeholders and connect them to opportunities for the ITAM practice.

    1. Ask your leadership or executive delegates – what are their goals? What are they trying to accomplish? List roles and related goals in the table.
    2. Brainstorm opportunities for IT asset management to support listed goals:
      1. Can ITAM provide an enhanced level of service, access, or insight?
      2. Can ITAM address an existing issue or mitigate an existing risk?

    Add your results to your copy of the ITAM Strategy Template

    1.3 Align executive priorities with ITAM opportunities (example)

    ITAM is for the… Who wants to… Which presents these ITAM opportunities
    CEO Deliver transformative business initiatives Acquire the right tech at the right time to support transformational initiatives.
    Establish a data-driven culture of stewardship Improve data to increase IT spend transparency.
    COO Improve organizational efficiency Increase asset use.
    Consolidate major software contracts to drive discounts.
    CFO Accurately forecast spending Track and anticipate IT asset spending.
    Control spending Improve data to increase IT spend transparency.
    Consolidate major software contracts to drive discounts.
    CIO Demonstrate IT value Use data to tell a story about value delivered by IT assets.
    Govern IT use Improve data to increase IT spend transparency.
    CISO Manage IT security and compliance risks Identify abandoned or out-of-spec IT assets.
    Provide IT asset data to support controls development.
    Respond to security incidents Support security incident teams with IT asset data.
    Apps Leader Build, integrate, and support applications Identify opportunities to retire applications with redundant functionality.
    Connect applications to relevant licensing and support agreements.
    IT Infra Leader Build and support IT infrastructure. Provide input on opportunities to standardize hardware and software.
    Provide IT asset data to technicians supporting end users.

    1.3 Categorize ITAM opportunities

    10-15 minutes

    Input: The outputs from the previous exercise

    Output: Executive priorities, sorted into the three categories at the right

    Materials: The table in this slide, The outputs from the previous exercise

    Participants: Lead facilitator

    Give your participants a quick break. Quickly sort the identified ITAM opportunities into the three main categories below as best you can.

    We’ll use this table as context for the next exercise.

    Example: Optimize Spend Enhance IT Services Manage Risk
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Consolidate major software contracts to drive discounts.
    • Increase asset utilization.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.

    Add your results to your copy of the ITAM Strategy Template

    1.3 Set ITAM priorities

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: Whiteboard, The template on the next slide, Your copy of the ITAM Strategy Template

    Participants: Asset manager, IT leaders and managers, Business executives or delegates

    The objective of this exercise is to prioritize the outcomes your organization wants to achieve from its ITAM practice, given the context from the previous exercises.

    Review the image below. The three points of the triangle are the three core goals of ITAM: Enhance IT Service, Manage Risk, and Optimize Spend. This exercise was first developed by Kylie Fowler of ITAM Intelligence. It is an essential exercise to understand ITAM priorities and the tradeoffs associated with those priorities. These priorities aren’t set in stone and should be revisited periodically as technology and business priorities change.

    Draw the diagram on the next slide on a whiteboard. Have the most senior leader in the room place the dot on the triangle – the closer it is to any one of the goals, the more important that goal is to the organization. Note: The center of the triangle is off limits! It’s very rarely possible to deliver on all three at once.
    Track notes on what’s being prioritized – and why – in the template on the next slide.
    Triangle with the points labelled 'Enhance IT Service', 'Manage Risk', and 'Optimize Spend'.

    Add your results to your copy of the ITAM Strategy Template

    1.3 Set ITAM Priorities

    The priorities of the ITAM practice are to:
    • Optimize Spend
    • Manage Risk
    Why?
    • We believe there is significant opportunity right now to rationalize spend by consolidating key software contracts.
    • Major acquisitions are anticipated in the near future. Effective ITAM processes are expected to mitigate acquisition risk by supporting due diligence and streamlined integration of acquired organizations.
    • Ransomware and supply chain security threats have increased demands for a comprehensive accounting of IT assets to support security controls development and security incident response.
    (Update this section with notes from your discussion.)
    Triangle with the points labelled 'Enhance IT Service', 'Manage Risk', and 'Optimize Spend'. There is a dot close to the 'Optimize Spend' corner, a legend labelling the dot as 'Our Target', and a note reading 'Move this dot to reflect your priorities'.

    Step 1.4: Identify ITAM goals, target maturity

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Connect executive priorities to ITAM opportunities.
    • Set business-aligned priorities for the ITAM practice.

    “ITAM is really no different from the other ITIL practices: to succeed, you’ll need some ratio of time, treasure, and talent… and you can make up for less of one with more of the other two.” (Jeremy Boerger, Consultant and Author)

    1.4 Identify near- and medium-term goals

    15-30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Narrow down the list of opportunities to identify specific goals for the ITAM practice.

    1. Use one color to highlight opportunities you will seize in the next year.
    2. Use a second color to highlight opportunities you plan to address in the next three years.
    3. Leave blank anything you don’t intend to address in this timeframe.

    The highlighted opportunities are your near- and medium-term objectives.

    Optimize Spend Enhance IT Services Manage Risk
    Priority Critical Normal High
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Increase asset utilization.
    • Consolidate major software contracts to drive discounts.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.

    1.4 Connect ITAM goals to tactics

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Let’s dig down a little deeper. Connect the list of opportunities from earlier to specific ITAM tactics that allow the team to seize those opportunities.

    Add another row to the earlier table for ITAM tactics. Brainstorm tactics with your participants (e.g. sticky notes on a whiteboard) and align them with the priorities they’ll support.

    Optimize SpendEnhance IT ServicesManage Risk
    PriorityCriticalNormalHigh
    ITAM Opportunities
    • Improve data to increase IT spend transparency.
    • Increase asset utilization.
    • Consolidate major software contracts to drive discounts.
    • Identify opportunities to retire applications with redundant functionality
    • Acquire the right tech at the right time to support transformational initiatives.
    • Provide IT asset data to technicians supporting end users.
    • Identify abandoned or out-of-spec IT assets.
    • Provide IT asset data to support controls development.
    • Support security incident teams with IT asset data.
    ITAM Tactics to Seize Opportunities
    • Review and improve hardware budgeting exercises.
    • Reallocate unused licenses, hardware.
    • Ensure ELP reports are up to date.
    • Validate software usage.
    • Data to support software renewal negotiations.
    • Use info from ITAM for more efficient adds, moves, changes.
    • Integrate asset records with the ticket intake system, so that when someone calls the service desk, the list of their assigned equipment is immediately available.
    • Find and retire abandoned devices or services with access to the organization’s network.
    • Report on lost/stolen devices.
    • Develop reliable disposal processes.
    • Report on unpatched devices/software.

    Add your results to your copy of the ITAM Strategy Template

    1.4 Identify current and target state

    20 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    We’ll use this exercise to identify the current and one-year target state of ITAM using Info-Tech’s ITAM maturity framework.

    1. Review the maturity framework on the next slide as a group.
    2. In one color, highlight statements that reflect your organization today. Summarize your current state. Are you in firefighter mode? Between “firefighter” and “trusted operator”?
    3. In a second color, highlight statements that reflect where you want to be one year from today, taking into consideration the goals and tactics identified in the last exercise.
    4. During a break, copy the highlighted statements to the table on the slide after next, then add this final slide to your working copy of the ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    Establish current and target ITAM maturity

    IT maturity ladder with five color-coded levels. Innovator – Optimized Asset Management
    • All items from Business & Technology Partner, plus:
    • Business and IT stakeholders collaborate regularly with the ITAM team to identify new opportunities to leverage or deploy ITAM practices and data to mitigate risks, optimize spend, and improve service. The ITAM program scales with the business.
    Business & Technology Partner – Proactive Asset Management
    • All items from Trusted Operator, plus:
    • The ITAM data is integral to decisions related to budget, project planning, IT architecture, contract renewal, and vendor management. Software and cloud assets are reviewed as frequently as required to manage costs. ITAM data consumers have self-serve access to ITAM data.
    • Continuous improvement practices strengthen ITAM efficiency and effectiveness.
    • ITAM processes, standards, and related policies are regularly reviewed and updated. ITAM teams work closely with SMEs for key tools/systems integrated with ITAM (e.g. AD, ITSM, monitoring tools) to maximize the value and reliability of integrations.
    Trusted Operator – Controls Assets
    • ITAM data for deployed hardware and software is regularly audited for accuracy.
    • Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role. Teams responsible for ITAM data collection cooperate effectively. Policies and procedures are documented and enforced. Key licenses and contracts are available to the ITAM team. Discovery, tracking, and analysis tools support most important use cases.
    Firefighter – Reactive Asset Tracking
    • Data is often untrustworthy, may be fragmented across multiple repositories, and typically requires significant effort to translate or validate before use.
    • Insufficient staff, fragmented or incomplete policies or documentation. Data tracking processes are extremely highly manual. Effective cooperation for ITAM data collection is challenging.
    • ITAM tools are in place, but additional configuration or tooling is needed.
    Unreliable - Struggles to Support
    • No data, or data is typically unusable.
    • No allocated staff, no cooperation between parties responsible for ITAM data collection.
    • No related policies or documentation.
    • Tools are non-existent or not fit-for-purpose.

    Current and target ITAM maturity

    Today:
    Firefighter
    • Data is often untrustworthy, is fragmented across multiple repositories, and typically requires significant effort to translate or validate before use.
    • Insufficient staff, fragmented or incomplete policies or documentation.
    • Tools are non-existent.
    In One Year:
    Trusted Operator
    • ITAM data for deployed hardware and software is regularly audited for accuracy.
    • Sufficient staff and skills to support asset tracking, including a dedicated IT asset management role.
    • Teams responsible for ITAM data collection cooperate effectively.
    • Discovery, tracking, and analysis tools support most important use cases.
    IT maturity ladder with five color-coded levels.

    Innovator – Optimized Asset Management

    Business & Technology Partner – Proactive Asset Management

    Trusted Operator – Controls Assets

    Firefighter – Reactive Asset Tracking

    Unreliable - Struggles to Support

    Step 1.5: Write mission and vision statements

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Write a mission statement that encapsulates the purpose and intentions of the ITAM practice today.
    • Write a vision statement that describes what the ITAM practice aspires to become and achieve.

    Write vision and mission statements

    Create two statements to summarize the role of the ITAM practice today – and where you want it to be in the future.

    Create two short, compelling statements that encapsulate:
    • The vision for what we want the ITAM practice to be in the future; and
    • The mission – the purpose and intentions – of the ITAM practice today.

    Why bother creating mission and vision statements? After all, isn’t it just rehashing or re-writing all the work we’ve just done? Isn’t that (at best) a waste of time?

    There are a few very important reasons to create mission and vision statements:

    • Create a compass that can guide work today and your roadmap for the future.
    • Focus on the few things you must do, rather than the many things you could do.
    • Concisely communicate a compelling vision for the ITAM practice to a larger audience who (let’s face it) probably won’t read the entire ITAM Strategy deck.

    “Brevity is the soul of wit.” (Hamlet, Act 2, Scene 2)

    “Writing is easy. All you have to do is cross out the wrong words.” (Mark Twain)

    1.5 Write an ITAM vision statement

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: A whiteboard, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT Leaders and managers

    Your vision statement describes the ITAM practice as it will be in the far future. It is a target to aspire to, beyond your ability to achieve in the near or medium term.

    Examples of ITAM vision statements:

    Develop the single accurate view of IT assets, available to anyone who needs it.

    Indispensable data brokers that support strategic decisions on the IT environment.

    Provide sticky notes to participants. Write out the three questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

    1. What’s the desired future state of the ITAM practice?
    2. What needs to be done to achieved this desired state?
    3. How do we want ITAM to be perceived in this desired state?

    Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

    Document your vision statement in your ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    1.5 Write an ITAM mission statement

    30 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Your ITAM mission statement is an expression of what your IT asset management function brings to your organization today. It should be presented in straightforward language that is compelling, easy to understand, and sharply focused.

    Examples of ITAM mission statements:

    Maintain accurate, actionable, accessible on data on all IT assets.

    Support IT and the business with centralized and integrated asset data.

    Provide sticky notes to participants. Write out the questions below on a whiteboard side by side. Have participants write their answers to the questions and post them below the appropriate question. Give everyone 10 minutes to write and post their ideas.

    1. What is our role as the asset management team?
    2. How do we support the IT and business strategies?
    3. What does our asset management function offer that no one else can?

    Review the answers and combine them into one focused vision statement. Use the 20x20 rule: take no more than 20 minutes and use no more than 20 words. If you’re not finished after 20 minutes, the ITAM manager should make any final edits offline.

    Document your vision statement in your ITAM Strategy Template.

    Add your results to your copy of the ITAM Strategy Template

    Step 1.6: Define ITAM metrics and KPIs

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Identify metrics, data, or reports that may be of interest to different consumers of ITAM data.
    • Identify the key performance indicators (KPIs) for the ITAM practice, based on the goals and priorities established earlier.

    Navigate a universe of ITAM metrics

    When you have the data, how will you use it?

    • There’s a dizzying array of potential metrics you can develop and track across your ITAM environment.
    • Different stakeholders will need different data feeds, metrics, reports, and dashboards.
    • Different measures will be useful at different times. You will often need to filter or slice the data in different ways (by department, timeframe, equipment type, etc.)
    • We’ll use the next few exercises to identify the types of metrics that may be useful to different stakeholders and the KPIs to measure progress towards ITAM goals and priorities.

    ITAM Metrics

    • Quantity
      e.g. # of devices or licenses
    • Cost
      e.g. average laptop cost
    • Compliance
      e.g. effective license position reports
    • Progress
      e.g. ITAM roadmap items completed
    • Quality
      e.g. ITAM data accuracy rate
    • Time
      e.g. time to procure/ deploy

    Drill down by:

    • Vendor
    • Date
    • Dept.
    • Product
    • Location
    • Cost Center

    Develop different metrics for different teams

    A few examples:

    • CIOs — CIOs need asset data to govern technology use, align to business needs, and demonstrate IT value. What do we need to budget for hardware and software in the next year? Where can we find money to support urgent new initiatives? How many devices and software titles do we manage compared to last year? How has IT helped the business achieve key goals?
    • Asset Managers — Asset managers require data to help them oversee ITAM processes, technology, and staff, and to manage the fleet of IT assets they’re expected to track. What’s the accuracy rate of ITAM data? What’s the state of integrations between ITAM and other systems and processes? How many renewals are coming up in the next 90 days? How many laptops are in stock?
    • IT Leaders — IT managers need data that can support their teams and help them manage the technology within their mandate. What technology needs to be reviewed or retired? What do we actually manage?
    • Technicians — Service desk technicians need real-time access to data on IT assets to support service requests and incident management – for example, easy access to the list of equipment assigned to a particular user or installed in a particular location.
    • Business Managers and Executives — Business managers and executives need concise, readable dashboards to support business decisions about business use of IT assets. What’s our overall asset spend? What’s our forecasted spend? Where could we reallocate spend?

    1.6 Identify useful ITAM metrics and reports

    60 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Use this exercise to identify as many potentially useful ITAM metrics and reports as possible, and narrow them down to a few high-priority metrics. Leverage the list of example metrics on the next slide for your own exercise. If you have more than six participants, consider splitting into two or more groups, and divide the table between groups to minimize overlap.

    1. List potential consumers of ITAM data in the column on the left.
    2. What type of information do we think this role needs? What questions about IT assets do we get on a regular basis from this role or team?
    3. Review and consolidate the list as a group. Discuss and highlight any metrics the group thinks are a particularly high priority for tracking.
    Role Compliance Quality Quantity Cost Time Progress
    IT Asset Manager Owned devices not discovered in last 60 days Discrepancies between discovery data and ITAM DB records # of corporate-owned devices Spend on hardware (recent and future/ planned) Average time, maximum time to deploy end-user devices Number of ITAM roadmap items in progress
    Service Desk

    Add your results to your copy of the ITAM Strategy Template

    Examples of ITAM metrics

    Compliance Quality Quantity Cost Time/Duration/Age Progress
    Owned devices not discovered in last 60 days Discrepancies between discovery data and ITAM DB records # of corporate-owned devices Spend on hardware (recent and future/planned) Average time, maximum time to deploy end-user devices Number of ITAM roadmap items in progress or completed
    Disposed devices without certificate of destruction Breakage rates (in and out of warranty) by vendor # of devices running software title X, # of licenses for software title X Spend on software (recent and future/planned) Average time, maximum time to deploy end user software Number of integrations between ITAM DB and other sources
    Discrepancies between licenses and install count, by software title RMAs by vendor, model, equipment type Number of requests by equipment model or software title Spend on cloud (recent and future/planned) Average & total time spent on software audit responses Number of records in ITAM database
    Compliance reports (e.g. tied to regulatory compliance or grant funding) Tickets by equipment type or software title Licenses issued from license pool in the last 30 days Value of licenses issued from license pool in the last 30 days (cost avoidance) Devices by age Software titles with an up-to-date ELP report
    Reports on lost and stolen devices, including last assigned, date reported stolen, actions taken User device satisfaction scores, CSAT scores Number of devices retired or donated in last year Number of IT-managed capital assets Number of hardware/software request tickets beyond time-to-fulfil targets Number of devices audited (by ITAM team via self-audit)
    Number of OS versions, unpatched systems Number of devices due for refresh in the next year Spend saved by harvesting unused software Number of software titles, software vendors managed by ITAM team
    Audit accuracy rate Equipment in stock Cost savings from negotiations
    # of users assigned more than one device Number of non-standard devices or requests Dollars charged during audit or true-up

    Differentiate between metrics and KPIs

    Key performance indicators (KPIs) are metrics with targets aligned to goals.

    Targets could include one or more of:

    • Target state (e.g. completed)
    • Target magnitude (e.g. number, percent, rate, dollar amount)
    • Target direction (e.g. trending up or down)

    You may track many metrics, but you should have only a few KPIs (typically 2-3 per objective).

    A breached KPI should be a trigger to investigate and remediate the root cause of the problem, to ensure progress towards goals and priorities can continue.

    Which KPIs you track will change over the life of the practice, as ITAM goals and priorities shift. For example, KPIs may initially track progress towards maturing ITAM practices. Once you’ve reached target maturity, KPIs may shift to track whether the key service targets are being met.

    1.6 Identify ITAM KPIs

    20 minutes

    Input: Organizational strategy documents

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Good KPIs are a more objective measure of whether you’re succeeding in meeting the identified priorities for the ITAM practice.

    Identify metrics that can measure progress or success against the priorities and goals set earlier. Aim for around three metrics per goal. Identify targets for the metric you think are SMART (specific, measurable, achievable, relevant, and timebound). Track your work using the example table below.

    Goal Metric Target
    Consolidate major software contracts to drive discounts Amount spent on top 10 software contracts Decrease by 10% by next year
    Customer satisfaction scores with enterprise software Satisfaction is equal to or better than last year
    Value of licenses issued from license pool 30% greater than last year
    Identify abandoned or out-of-spec IT assets # of security incidents involving undiscovered assets Zero
    % devices with “Deployed” status in ITAM DB but not discovered for 30+ days ‹1% of all records in ITAM DB
    Provide IT asset data to technicians for service calls Customer satisfaction scores Satisfaction is equal to or better than last year
    % of end-user devices meeting minimum standards 97%

    Add your results to your copy of the ITAM Strategy Template

    Develop an IT Asset Management Strategy

    Phase 2:

    Identify your approach to support ITAM priorities and goals

    Phase 1

    1.1 Define ITAM and brainstorm opportunities and challenges.

    Executive Alignment Working Session:

    1.2 Review organizational priorities, strategy, and key initiatives.

    1.3 Align executive priorities with ITAM opportunities & priorities.

    1.4 Identify business-aligned ITAM goals and target maturity.

    1.5 Write mission and vision statements.

    1.6 Define ITAM metrics and KPIs.

    Phase 2

    2.1 Define ITAM scope.

    2.2 Acquire ITAM services (outsourcing and contracting).

    2.3 Centralize or decentralize ITAM capabilities.

    2.4 Create a RACI for the ITAM practice.

    2.5 Align ITAM with other service management practices.

    2.6 Evaluate ITAM tools and integrations.

    2.7 Create a plan for internal and external audits.

    2.8 Improve your budget processes.

    2.9 Establish a documentation framework.

    2.10 Create a roadmap and communication plan.

    Phase Outcomes:

    Establish an approach to achieving ITAM goals and priorities, including scope, structure, tools, service management integrations, documentation, and more.

    Create a roadmap that enables you to realize your approach.

    Step 2.1: Define ITAM Scope

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Establish what types of equipment and software you’ll track through the ITAM practice.
    • Establish which areas of the business will be in scope of the ITAM practice.

    Determine ITAM Scope

    Focus on what’s most important and then document it so everyone understands where they can provide the most value.

    Not all categories of assets require the same level of tracking, and some equipment and software should be excluded from the ITAM practice entirely.

    In some organizations, portions of the environment won’t be tracked by the asset management team at all. For example, some organizations will choose to delegate tracking multi-function printers (MFPs) or proprietary IoT devices to the department or vendor that manages them.

    Due to resourcing or technical limitations, you may decide that certain equipment or software is out of scope for the moment.

    What do other organizations typically track in detail?
    • Installs and entitlements for major software contracts that represent significant spend and/or are highly critical to business goals.
    • Equipment managed directly by IT that needs to be refreshed on a regular cycle:
      • End-user devices such as laptops, desktops, and tablets.
      • Server, network, and telecoms devices.
    • High value equipment that is not regularly refreshed may also be tracked, but in less detail – for example, you may not refresh large screen TVs, but you may need to track date of purchase, deployed location, vendor, and model for insurance or warranty purposes.

    2.1 Establish scope for ITAM

    45 minutes

    Input: Organizational strategy documents

    Output: ITAM scope, in terms of types of assets tracked and not tracked

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Establish the hardware and software that are within the scope of the ITAM program by updating the tables below to reflect your own environment. The “out of scope” category will include asset types that may be of value to track in the future but for which the capability or need don’t exist today.

    Hardware Software Out of Scope
    • End-user devices housing data or with a dollar value of more than $300, which will be replaced through lifecycle refresh.
    • Infrastructure devices, including network, telecom, video conferencing, servers and more
    • End-user software purchased under contract
    • Best efforts on single license purchases
    • Infrastructure software, including solutions used by IT to manage the infrastructure
    • Enterprise applications
    • Cloud (SaaS, IaaS, PaaS)
    • Departmental applications
    • Open-source applications
    • In-house developed applications
    • Freeware & shareware
    • IoT devices

    The following locations will be included in the ITAM program: All North and South America offices and retail locations.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.2: Acquire ITAM Services

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Define the type of work that may be more effectively or efficiently delivered by an outsourcer or contractor.

    “We would like our clients to come to us with an idea of where they want to get to. Why are you doing this? Is it for savings? Because you want to manage your security attack surface? Are there digital initiatives you want to move forward? What is the end goal?” (Mike Austin, MetrixData 360)

    Effectively acquire ITAM services

    Allow your team to focus on strategic, value-add activities by acquiring services that free them from commodity tasks.
    • When determining which asset capabilities and activities are best kept in-house and which ones are better handled by a supplier, it is imperative to keep the value to the business in mind.
    • Activities/capabilities that are challenging to standardize and are critical to enabling business goals are better kept in-house.
    • Activities/capabilities that are (or should be) standardized and automated are ideal candidates for outsourcing.
    • Outsourcing can be effective and successful with a narrow scope of engagement and an alignment to business outcomes.
    • Organizations that heavily weigh cost reduction as a significant driver for outsourcing are far less likely to realize the value they expected to receive.
    Business Enablement
    • Supports business-aligned ITAM opportunities & priorities
    • Highly specialized
    • Offers competitive advantages
    Map with axes 'Business Enablement' and 'Vendor's Performance Advantage' for determining whether or not to outsource.
    Vendor’s Performance Advantage
    • Talent or access to skills
    • Economies of scale
    • Access to technology
    • Does not require deep knowledge of your business

    Decide what to outsource

    It’s rarely all or nothing.

    Ask yourself:
    • How important is this activity or capability to ITAM, IT, and business priorities and goals?
    • Is it a non-commodity IT service that can improve customer satisfaction?
    • Is it a critical service to the business and the specialized knowledge must remain in-house?
    • Does the function require access to talent or skills not currently available in-house, and is cost-prohibitive to obtain?
    • Are there economies of scale that can help us meet growing demand?
    • Does the vendor provide access to best-of-breed tools and solutions that can handle the integration, management, maintenance and support of the complete system?

    You may ultimately choose to engage a single vendor or a combination of multiple vendors who can best meet your ITAM needs.

    Establishing effective vendor management processes, where you can maximize the amount of service you receive while relying on the vendor’s expertise and ability to scale, can help you make your asset management practice a net cost-saver.

    ITAM activities and capabilities
    • Contract review
    • Software audit management
    • Asset tagging
    • Asset disposal and recycling
    • Initial ITAM record creation
    • End-user device imaging
    • End-user device deployment
    • End-user software provisioning
    • End-user image management
    • ITAM database administration
    • ELP report creation
    • ITAM process management
    • ITAM report generation
    ITAM-adjacent activities and capabilities
    • Tier 1 support/service desk
    • Deskside/field support
    • Tier 3 support
    • IT Procurement
    • Device management/managed IT services
    • Budget development
    • Applications development, maintenance
    • Infrastructure hosting (e.g. cloud or colocation)
    • Infrastructure management and support
    • Discovery/monitoring tools management and support

    2.2 Identify outsourcing opportunities

    1-2 hours

    Input: Understanding of current ITAM processes and challenges

    Output: Understanding of potential outsourcing opportunities

    Materials: The table in this slide, and insight in previous slides, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    At a high level, discuss which functions of ITAM are good candidates for outsourcing.

    Start with the previous slide for examples of outsourcing activities or capabilities directly related to or adjacent to the ITAM practice. Categorize these activities as follows:

    Outsource Potentially Outsource Insource
    • Asset disposal/recycling
    • ELP report creation
    • ITAM process management

    Go through the list of activities to potentially or definitely outsource and confirm:

    1. Will outsourcing solve a resourcing need for an existing process, or can you deliver this adequately in-house?
    2. Will outsourcing improve the effectiveness and efficiency of current processes? Will it deliver more effective service channels or improved levels of reliability and performance consistency?
    3. Will outsourcing provide or enable enhanced service capabilities that your IT customers could use, and which you cannot deliver in-house due to lack of scale or capacity?

    Answering “no” to more than one of these questions suggests a need to further review options to ensure the goals are aligned with the potential value of the service offerings available.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.3: Centralize or decentralize ITAM capabilities

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Outline where the team(s) responsible for ITAM sit across the organization, who they report to, and who they need to work with across IT and the business.

    Align ITAM with IT’s structure

    ITAM’s structure will typically align with the larger business and IT structure. The wrong structure will undermine your ability to meet ITAM goals and lead to frustration, missed work, inefficiency, and loss of value.

    Which of the four archetypes below reflects the structure you need?

    1. Centralized — ITAM is entirely centralized in a single function, which reports into a central IT department.
    2. Decentralized — Local IT groups are responsible and accountable for ITAM. They may coordinate informally but do not report to any central team.
    3. Hybrid-Shared Services — Local IT can opt in to shared services but must follow centrally set ITAM practices to do so, usually with support from a shared ITAM function.
    4. Hybrid-Federated — Local IT departments are free to develop their own approach to ITAM outside of core, centrally set requirements.

    Centralized ITAM

    Total coordination, control, and oversight

    • ITAM accountability, policies, tools, standards, and expertise – in this model, they’re all concentrated in a single, specialized IT asset management practice. Accountability, authority, and oversight are concentrated in the central function as well.
    • A central ITAM team will benefit from knowledge sharing and task specialization opportunities. They are a visible single point of contact for ITAM-related questions
    • The central ITAM team will coordinate ITAM activities across the organization to optimize spend, manage risk, and enhance service. Any local IT teams are supported by and directly answerable to the central ITAM team for ITAM activities.
    • There is a single, centrally managed ITAM database. Wherever possible, this database should be integrated with other tools to support cross-solution automation (e.g. integrate AD to automatically reflect user identity changes in the ITAM database).
    • This model drives cross-organization coordination and oversight, but it may not be responsive to specific and nuanced local requirements.
    Example: Centralized
    Example of a Centralized ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working or reporting relationship

    Decentralized ITAM

    Maximize choice

    • ITAM accountability and oversight are entirely devolved to local or regional IT and/or ITAM organizations, which are free to set their own priorities, goals, policies, and standards. This model maximizes the authority of local groups to build practices that meet local requirements.
    • It may be challenging to resource and mature local practices. ITAM maturity will vary from one local organization to the next.
    • It is more likely that ITAM managers are a part-time role, and sometimes even a non-IT role. Local ITAM teams or coordinators may coordinate and share knowledge informally, but specialization can be challenging to build or leverage effectively across the organization.
    • There is likely no central ITAM tool. Local tools may be acquired, implemented, and integrated by local IT departments to suit their own needs, which can make it very difficult to report on assets organization-wide – for example, to establish compliance on an enterprise software contract.
    Example: Decentralized


    Example of a Decentralized ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working or reporting relationship

    Blue dotted line. Informal working relationships, knowledge sharing

    Hybrid: Federation

    Centralization with a light touch

    • A middle ground between centralized and decentralized ITAM, this model balances centralized decision making, specialization, and governance with local autonomy.
    • A central team will define organization-wide ITAM goals, develop capabilities, policies, and standards, and monitor compliance by local and central teams. All local teams must comply with centrally defined requirements, but they can also develop further capabilities to meet local goals.
    • For example, there will typically be a central ITAM database that must be used for at least a subset of assets, but other teams may build their own databases for day-to-day operations and export data to the central database as required.
    • There are often overlapping responsibilities in this model. A strong collaborative relationship between central and local ITAM teams is especially important here, particularly after major changes to requirements, processes, tools, or staffing when issues and breakdowns are more likely.
    Example: Federation


    Example of a Federation ITAM.

    Solid line. Direct reporting relationship

    Purple solid line. Oversight/governance

    Dotted line. Dotted line working or reporting relationship

    Hybrid: Shared Services

    Optional centralization

    • A special case of federated ITAM that balances central control and local autonomy, but with more power given to local IT to opt out of centralized shared services that come with centralized ITAM requirements.
    • ITAM requirements set by the shared services team will support management, allocation, and may have showback or chargeback implications. Following the ITAM requirements is a condition of service. If a local organization chooses to stop using shared services, they are (naturally) no longer required to adhere to the shared services ITAM requirements.
    • As with the federated model, local teams may develop further capabilities to meet local goals.
    Example: Shared Services


    Example of a Shared Services ITAM.

    Solid line. Direct reporting relationship

    Dotted line. Dotted line working relationship

    Blue dotted line. Informal working relationships, knowledge sharing

    Structure data collection & analysis

    Consider the implications of structure on data.

    Why centralize?
    • There is a need to build reports that aggregate data on assets organization-wide, rather than just assets within a local environment.
    • Decentralized ITAM tracking isn’t producing accurate or usable data, even for local purposes.
    • Tracking tools have overlapping functionality. There’s an opportunity to rationalize spend, management and support for ITAM tools.
    • Contract centralization can optimize spend and manage risks, but only with the data required to manage those contracts.
    Why decentralize?
    • Tracking and reporting on local assets is sufficient to meet ITAM goals; there is limited or no need to track assets organization-wide.
    • Local teams have the skills to track and maintain asset data; subsidiaries have appropriate budgets and tools to support ITAM tracking.
    • Decentralized ITSM/ITAM tools are in place, populated, and accurate.
    • The effort to consolidate tools and processes may outweigh the benefits to data centralization.
    • Lots of variability in types of assets and the environment is stable.
    Requirements for success:
    • A centralized IT asset management solution is implemented and managed.
    • Local teams must understand the why and how of centralized data tracking and be held accountable for assigned responsibilities.
    • The asset tool should offer both centralized and localized views of the data.
    Requirements for success:
    • Guidelines and expectations for reporting to centralized asset management team will be well defined and supported.
    • Local asset managers will have opportunity to collaborate with others in the role for knowledge transfer and asset trading, where appropriate.

    Structure budget and contract management

    Contract consolidation creates economies of scale for vendor management and license pooling that strengthen your negotiating position with vendors and optimize spend.

    Why centralize?
    • Budgeting, governance, and accountability are already centralized. Centralized ITAM practices can support the existing governance practices.
    • Centralizing contract management and negotiation can optimize spend and/or deliver access to better service.
    • Centralize management for contracts that cover most of the organization, are highly complex, involve large spend and/or higher risk, and will benefit from specialization of asset staff.
    Why decentralize?
    • Budgeting, governance, and accountability rest with local organizations.
    • There may be increased need for high levels of customer responsiveness and support.
    • Decentralize contract management for contracts used only by local groups (e.g. a few divisions, a few specialized functions), and that are smaller, low risk, and come with standard terms and conditions.
    Requirements for success:
    • A centralized IT asset management solution is implemented and managed.
    • Contract terms must be harmonized across the organization.
    • Centralized fulfillment is as streamlined as possible. For example, software contracts should include the right to install at any time and pay through a true-up process.
    Requirements for success:
    • Any expectations for harmonization with the centralized asset management team will be well defined and supported.
    • Local asset managers can collaborate with other local ITAM leads to support knowledge transfer, asset swapping, etc.

    Structure technology management

    Are there opportunities to centralize or decentralize support functions?

    Why centralize?
    • Standard technologies are deployed organization-wide.
    • There are opportunities to improve service and optimize costs by consolidating knowledge, service contracts, and support functions.
    • Centralizing data on product supply allows for easier harvest and redeployment of assets by a central support team.
    • A stable, central support function can better support localized needs during seasonal staffing changes, mergers and acquisitions.
    Why decentralize?
    • Technology is unique to a local subset of users or customers.
    • Minimal opportunity for savings or better support by consolidating knowledge, service contracts, or support functions.
    • Refresh standards are set at a local level; new tech adoption may be impeded by a reliance on older technologies, local budget shortfalls, or other constraints.
    • Hardware may need to be managed locally if shipping costs and times can’t reasonably be met by a distant central support team.
    Requirements for success:
    • Ensure required processes, technologies, skills, and knowledge are in place to enable centralized support.
    • Keep a central calendar of contract renewals, including reminders to start work on the renewal no less than 90 days prior. Prioritize contracts with high dollar value or high risk.
    • The central asset management solution should be configured to provide data that can enable the central support team.
    Requirements for success:
    • Ensure required processes, technologies, skills, and knowledge are in place to enable decentralized support.
    • Decentralized support teams must understand and adhere to ITAM activities that are part of support work (e.g. data entry, data audits).
    • The central asset management solution should be configured to provide data that can enable the central support team, or decentralized asset solutions must be funded, and teams trained on their use.

    2.3 Review ITAM Structure

    1-2 hours

    Input: Understanding of current organizational structure, Understanding of challenges and opportunities related to the current structure

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Outline the current model for your organization and identify opportunities to centralize or decentralize ITAM-related activities.

    1. What model best describes how ITAM should be structured in your organization? Modify the slide outlining structure as a group to outline your own organization, as required.
    2. In the table below, outline opportunities to centralize or decentralize data tracking, budget and contract management, and technology management activities.
    Centralize Decentralize
    Data collection & analysis
    • Make better use of central ITAM database.
    • Support local IT departments building runbooks for data tracking during lifecycle activities (create templates, examples)
    Budget and contract management
    • Centralize Microsoft contracts.
    • Create a runbook to onboard new companies to MSFT contracts.
    • Create tools and data views to support local department budget exercises.
    Technology management
    • Ensure all end-user devices are visible to centrally managed InTune, ConfigMgr.
    • Enable direct shipping from vendor to local sites.
    • Establish disposal/pickup at local sites.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.4: Create a RACI

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Review the role of the IT asset manager.
    • Identify who’s responsible, accountable, consulted, and informed for key ITAM activities.

    Empower your asset manager

    The asset manager is the critical ITAM role. Ensure they’re positioned to succeed.

    There’s too much change in the technology and business environment to expect ITAM to be “a problem to solve.” It is a practice that requires care and feeding through regular iteration to achieve success. At the helm of this practice is your asset manager, whose approach and past experience will have a significant impact on how you approach ITAM.

    The asset manager role requires a variety of skills, knowledge, and abilities including:

    • Operations, process, and practice management.
    • An ability to communicate, influence, negotiate, and facilitate.
    • Organizational knowledge and relationship management.
    • Contract and license agreement analysis, attention to detail.
    • Natural curiosity and a willingness to learn.
    • A strong understanding of technologies in use by the organization, and how they fit into the asset management program.
    Where the asset manager sits in the organization will also have an impact on their focus and priorities. When the asset manager reports into a service team, their focus will often reflect their team’s focus: end-user devices and software, customer satisfaction, request fulfillment. Asset teams that report into a leadership or governance function will be more likely to focus on organization-wide assets, governance, budget management, and compliance.

    “Where your asset manager sits, and what past experience they have, is going to influence how they do asset management.” (Jeremy Boerger, Consultant & Author)

    “It can be annoying at times, but a good IT asset manager will poke their nose into activities that do not obviously concern them, such as programme and project approval boards and technical design committees. Their aim is to identify and mitigate ITAM risks BEFORE the technology is deployed as well as to ensure that projects and solutions ‘bake in’ the necessary processes and tools that ensure IT assets can be managed effectively throughout their lifecycle.” (Kylie Fowler, ITAM by Design, 2017)

    IT asset managers must have a range of skills and knowledge

    • ITAM Operations, Process, and Practice Management
      The asset manager is typically responsible for managing and improving the ITAM practice and related processes and tools. The asset manager may administer the ITAM tool, develop reports and dashboards, evaluate and implement new technologies or services to improve ITAM maturity, and more.
    • Organizational Knowledge
      An effective IT asset manager has a good understanding of your organization and its strategy, products, stakeholders, and culture.
    • Technology & Product Awareness
      An IT asset manager must learn about new and changing technologies and products adopted by the organization (e.g. IoT, cloud) and develop recommendations on how to track and manage them via the ITAM practice.
    A book surrounded by icons corresponding to the bullet points.
    • People Management
      Asset managers often manage a team directly and have dotted-line reports across IT and the business.
    • Communication
      Important in any role, but particularly critical where learning, listening, negotiation, and persuasion are so critical.
    • Finance & Budgeting
      A foundational knowledge of financial planning and budgeting practices is often helpful, where the asset manager is asked to contribute to these activities.
    • Contract Review & Analysis
      Analyze new and existing contracts to evaluate changes, identify compliance requirements, and optimize spend.

    Assign ITAM responsibilities and accountabilities

    Align authority and accountability.
    • A RACI exercise will help you discuss and document accountability and responsibility for critical ITAM activities.
    • When responsibility and accountability are not currently well documented, it’s often useful to invite a representative of the roles identified to participate in this alignment exercise. The discussion can uncover contrasting views on responsibility and governance, which can help you build a stronger management and governance model.
    • The RACI chart can help you identify who should be involved when making changes to a given activity. Clarify the variety of responsibilities assigned to each key role.
    • In the future, you may need to define roles in more detail as you change your hardware and software asset management procedures.

    R

    Responsible: The person who actually gets the job done.

    Different roles may be responsible for different aspects of the activity relevant to their role.

    A

    Accountable: The one role accountable for the activity (in terms completion, quality, cost, etc.)

    Must have sufficient authority to be held accountable; responsible roles are often accountable to this role.

    C

    Consulted: Must have the opportunity to provide meaningful input at certain points in the activity.

    Typically, subject matter experts or stakeholders. The more people you must consult, the more overhead and time you’ll add to a process.

    I

    Informed: Receives information regarding the task, but has no requirement to provide feedback.

    Information might relate to process execution, changes, or quality.

    2.4 Conduct a RACI Exercise

    1-2 hours

    Input: An understanding of key roles and activities in ITAM practices, An understanding of your organization, High-level structure of your ITAM program

    Output: A RACI diagram for IT asset management

    Materials: The table in the next slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    Let’s face it – RACI exercises can be dry. We’ve found that the approach below is more collaborative, engaging, and effective compared to filling out the table as a large group.

    1. Create a shared working copy of the RACI charts on the following slides (e.g. write it out on a whiteboard or provide a link to this document and work directly in it).
    2. Review the list of template roles and activities as a group. Add, change, or remove roles and activities from the table as needed.
    3. Divide into small groups. Assign each group a set of roles, and have them define whether that role is accountable, responsible, consulted, or informed for each activity in the chart. Refer to the previous slide for context on RACI. Give everyone 15 minutes to update their section of the chart.
    4. Come back together as a large group to review the chart. First, check for accountability – there should generally be just one role accountable for each activity. Then, have each small group walk through their section, and encourage participants to ask questions. Is there at least one role responsible for each task, and what are they responsible for? Does everyone listed as consulted or informed really need to be? Make any necessary adjustments.

    Add your results to your copy of the ITAM Strategy Template

    Define ITAM governance activities

    RACI Chart for ITAM governance activities. In the first column is a list of governance activities, and the row headers are positions within a company. Fields are marked with an R, A, C, or I.

    Document asset management responsibilities and accountabilities

    RACI Chart for ITAM asset management responsibilities and accountabilities. In the first column is a list of responsibilities and accountabilities, and the row headers are positions within a company. Fields are marked with an R, A, C, or I.

    Step 2.5: Align ITAM with other Service Management Practices

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Establish shared and separate responsibilities for asset and configuration management.
    • Identify how ITAM can support other practices, and how other practices can support ITAM.

    Asset vs. Configuration

    Asset and configuration management look at the same world through different lenses.
    • IT asset management tends to focus on each IT asset in its own right: assignment or ownership, its lifecycle, and related financial obligations and entitlements.
    • Configuration management is focused on configuration items (CIs) that must be managed to deliver a service and the relationships and integrations to other CIs.
    • ITAM and configuration management teams and practices should work closely together. Though asset and configuration management focus on different outcomes, they tend use overlapping tools and data sets. Each practice, when working effectively, can strengthen the other.
    • Many objects will exist in both the CMDB and AMDB, and the data on those shared objects will need to be kept in sync.
    Asset and Configuration Management: An Example

    Configuration Management Database (CMDB)

    A database of uniquely identified configuration items (CIs). Each CI record may include information on:
    Service Attributes

    Supported Service(s)
    Service Description, Criticality, SLAs
    Service Owners
    Data Criticality/Sensitivity

    CI Relationships

    Physical Connections
    Logical Connections
    Dependencies

    Arrow connector.

    Discovery, Normalization, Dependency Mapping, Business Rules*

    Manual Data Entry

    Arrow connector.
    This shared information could be attached to asset records, CI records, or both, and it should be synchronized between the two databases where it’s tracked in both.
    Hardware Information

    Serial, Model and Specs
    Network Address
    Physical Location

    Software Installations

    Hypervisor & OS
    Middleware & Software
    Software Configurations

    Arrow connector.

    Asset Management Database (AMDB)

    A database of uniquely identified IT assets. Each asset record may include information on:
    Procurement/Purchasing

    Purchase Request/Purchase Order
    Invoice and Cost
    Cost Center
    Vendor
    Contracts and MSAs
    Support/Maintenance/Warranties

    Asset Attributes

    Model, Title, Product Info, License Key
    Assigned User
    Lifecycle Status
    Last ITAM Audit Date
    Certificate of Disposal

    Arrows connecting multiple fields.

    IT Security Systems

    Vulnerability Management
    Threat Management
    SIEM
    Endpoint Protection

    IT Service Management (ITSM) System

    Change Tickets
    Request Tickets
    Incident Tickets
    Problem Tickets
    Project Tickets
    Knowledgebase

    Financial System/ERP

    General Ledger
    Accounts Payable
    Accounts Receivable
    Enterprise Assets
    Enterprise Contract Database

    (*Discovery, dependency mapping, and data normalization are often features or modules of configuration management, asset management, or IT service management tools.)

    2.5 Integrate ITAM and configuration practices

    45 minutes

    Input: Knowledge of the organization’s configuration management processes

    Output: Define how ITAM and configuration management will support one another

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Configuration manager

    Work through the table below to identify how you will collaborate and synchronize data across ITAM and configuration management practices and tools.

    What are the goals (if any currently exist) for the configuration management practice? Connect configuration items to services to support service management.
    How will configuration and asset management teams collaborate? Weekly status updates. As-needed working sessions.
    Shared visibility on each others’ Kanban tracker.
    Create tickets to raise and track issues that require collaboration or attention from the other team.
    How can config leverage ITAM? Connect CIs to financial, contractual, and ownership data.
    How can ITAM leverage config? Connect assets to services, changes, incidents.
    What key fields will be primarily tracked/managed by ITAM? Serial number, unique ID, user, location, PO number, …
    What key fields will be primarily tracked/managed by configuration management? Supported service(s), dependencies, service description, service criticality, network address…

    Add your results to your copy of the ITAM Strategy Template

    ITAM supports service management

    Decoupling asset management from other service management practices can result in lost value. Establish how asset management can support other service management practices – and how those practices can support ITAM.

    Incident Management

    What broke?
    Was it under warranty?
    Is there a service contract?
    Was it licensed?
    Who was it assigned to?
    Is it end-of-life?

    ITAM
    Practice

    Request Management

    What can this user request or purchase?
    What are standard hardware and software offerings?
    What does the requester already have?
    Are there items in inventory to fulfil the request?
    Did we save money by reissuing equipment?
    Is this a standard request?
    What assets are being requested regularly?

    What IT assets are related to the known issue?
    What models and vendors are related to the issue?
    Are the assets covered by a service contract?
    Are other tickets related to this asset?
    What end-of-life assets have been tied to incidents recently?

    Problem Management

    What assets are related to the change?
    Is the software properly licensed?
    Has old equipment been properly retired and disposed?
    Have software licenses been returned to the pool?
    Is the vendor support on the change part of a service contract?

    Change Enablement

    2.5. Connect with other IT service practices

    45 minutes

    Input: Knowledge of existing organizational IT service management processes

    Output: Define how ITAM will help other service management processes, and how other service management processes will help ITAM

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Service leads

    Complete the table below to establish what ITAM can provide to other service management practices, and what other practices can provide to ITAM.

    Practice ITAM will help Will help ITAM
    Incident Management Provide context on assets involved in an incident (e.g. ownership, service contracts). Track when assets are involved in incidents (via incident tickets).
    Request Management Oversee request & procurement processes. Help develop asset standards. Enter new assets in ITAM database.
    Problem Management Collect information on assets related to known issues. Report back on models/titles that are generating known issues.
    Change Enablement Provide context on assets for change review. Ensure EOL assets are retired and licenses are returned during changes.
    Capacity Management Identify ownership, location for assets at capacity. Identify upcoming refreshes or purchases.
    Availability Management Connect uptime and reliability to assets. Identify assets that are causing availability issues.
    Monitoring and Event Management Provide context to events with asset data. Notify asset of unrecognized software and hardware.
    Financial Management Establish current and predict future spending. Identify upcoming purchases, renewals.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.6: Evaluate ITAM tools and integrations

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • Create a list of the ITAM tools currently in use, how they’re used, and their current limitations.
    • Identify new tools that could provide value to the ITAM practice, and what needs to be done to acquire and implement them.

    “Everything is connected. Nothing is also connected.” (Dirk Gently’s Holistic Detective Agency)

    Establish current strengths and gaps in your ITAM toolset

    ITAM data quality relies on tools and integrations that are managed by individuals or teams who don’t report directly to the ITAM function.

    Without direct line of sight into tools management, the ITAM team must influence rather than direct improvement initiatives that are in some cases critical to the performance of the ITAM function. To more effectively influence improvement efforts, you must explicitly identify what you need, why you need it, from which tools, and from which stakeholders.

    Data Sources
    Procurement Tools
    Discovery Tools
    Active Directory
    Purchase Documents
    Spreadsheets
    Input To Asset System(s) of Record
    ITAM Database
    ITSM Tool
    CMDB
    Output To Asset Data Consumption
    ITFM Tools
    Security Tools
    TEM Tools
    Accounting Tools
    Spreadsheets
    “Active Directory plays a huge role in audit defense and self-assessment, but no-one really goes out there and looks at Active Directory.

    I was talking to one organization that has 1,600,000 AD records for 100,000 employees.” (Mike Austin, Founder, MetrixData 360)

    2.6 Evaluate ITAM existing technologies

    30 minutes

    Input: Knowledge of existing ITAM tools

    Output: A list of prioritized organizational goals, An initial assessment of how ITAM can support these goals

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Identify the use, limitations, and next steps for existing ITAM tools, including those not directly managed by the ITAM team.

    1. What tools do we have today?
    2. What are they used for? What are their limitations?
    3. Who manages them?
    4. What actions could we take to maximize the value of the tools?
    Existing Tool Use Constraints Owner Proposed Action?
    ITAM Module
    • Track HW/SW
    • Connect assets to incident, request
    • Currently used for end-user devices only
    • Not all divisions have access
    • SAM capabilities are limited
    ITAM Team/Service Management
    • Add license for additional read/write access
    • Start tracking infra in this tool
    Active Directory
    • Store user IDs, organizational data
    Major data quality issues IT Operations
    • Work with AD team to identify issues creating data issues

    Add your results to your copy of the ITAM Strategy Template

    2.6 Identify potential new tools

    30 minutes

    Input: Knowledge of tooling gaps, An understanding of available tools that could remediate gaps

    Output: New tools that can improve ITAM capabilities, including expected value and proposed next steps

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers

    Identify tools that are required to support the identified goals of the ITAM practice.

    1. What types of tools do we need that we don’t have?
    2. What could these tools help us do?
    3. What needs to be done next to investigate or acquire the appropriate tool?
    New Tool Expected Value Proposed Next Steps
    SAM tool
    • Automatically calculate licensing entitlements from contract data.
    • Automatically calculate licensing requirements from discovery data.
    • Support gap analyses.
    • Further develop software requirements.
    • Identify vendors in the space and create a shortlist.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.7: Create a plan for internal and external audits

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Establish your approach to internal data audits.
    • Create a high-level response plan for external audits.

    Validate ITAM data via internal audits

    Data audits provide assurance that the records in the ITAM database are as accurate as possible. Consider these three approaches:

    Compare Tool Records

    Audit your data by comparing records in the ITAM system to other discovery sources.

    • Ideally, use three separate data sources (e.g. ITAM database, discovery tool, security tool). Use a common field, such as the host name, to compare across fields. (To learn more about discovery tool analysis, see Jeremy Boerger’s book, Rethinking IT Asset Management.)
    • Run reports to compare records and identify discrepancies. This could include assets missing from one system or metadata differences such as different users or installed software.
    • Over time, discrepancies between tools should be well understood and accepted; otherwise, they should be addressed and remediated.
    IT-led Audit

    Conduct a hands-on investigation led by ITAM staff and IT technicians.

    • In-person audits require significant effort and resources. Each audit should be scoped and planned ahead of time to focus on known problem areas.
    • Provide the audit team with exact instructions on what needs to be verified and recorded. Depending on the experience and attention to detail of the audit team, you may need to conduct spot checks to ensure you’re catching any issues in the audit process itself.
    • Automation should be used wherever possible (e.g. through barcodes, scanners, and tables for quick access to ITAM records).
    User-led audit

    Have users validate the IT assets assigned to them.

    • Even more than IT-led audits: don’t use this approach too frequently; keep the scope as narrow as possible and the process as simple as possible.
    • Ensure users have all the information and tools they’ll need readily available to complete this task, or the result will be ineffective and will only frustrate your users.
    • Consider a process integrated with your ITSM tool: once a year, when a user logs in to the portal, they will be asked to enter the asset code for their laptop (and provided with instructions on where to find that code). Investigate discrepancies between assignments and ITAM records.

    2.7 Set an approach to internal data audits

    30 minutes

    Input: An understanding of current data audit capabilities and needs

    Output: An outline of how you’ll approach data audits, including frequency, scope, required resources

    Materials: Your copy of the ITAM Strategy Template

    Participants: ITAM team

    Review the three internal data audit approaches outlined on the previous slide, and identify which of the three approaches you’ll use. For each approach, complete the fields in the table below.

    Audit Approach How often? What scope? Who’s involved? Comments
    Compare tool records Monthly Compare ITAM DB, Intune/ConfigMgr, and Vulnerability Scanner Data; focus on end-user devices to start Asset manager will lead at first.
    Work with tool admins to pull data and generate reports.
    IT-led audit Annual End-user devices at a subset of locations Asset manager will work with ITSM admins to generate reports. In-person audit to be conducted by local techs.
    User-led audit Annual Assigned personal devices (start with a pilot group) Asset coordinator to develop procedure with ITSM admin. Run pilot with power users first.

    Add your results to your copy of the ITAM Strategy Template

    Prepare for and respond to external audits and true-ups

    Are you ready when software vendors come knocking?

    • Vendor audits are expensive.
    • If you’re out of compliance, you will at minimum be required to pay the missing license fees. At their discretion, vendors may choose to add punitive fees and require you to cover the hourly cost of their audit teams. If you choose not to pay, the vendor could secure an injunction to cut off your service, which in many cases will be far more costly than the fines. And this is aside from the intangible costs of the disruption to your business and damaged relationships between IT, ITAM, your business, and other partners.
    • Having a plan to respond to an audit is critical to reducing audit risk. Preparation will help you coordinate your audit response, ensure the audit happens on the most favorable possible terms, and even prevent some audits from happening in the first place.
    • The best defense, as they say, is a good offense. Good ITAM and SAM processes will allow you to track acquisition, allocation, and disposal of software licenses; understand your licensing position; and ensure you remain compliant whenever possible. The vendor has no reason to audit you when there’s nothing to find.
    • Know when and where your audit risk is greatest, so you can focus your resources where they can deliver the most value.
    “If software audits are a big part of your asset operations, you have problems. You can reduce the time spent on audits and eliminate some audits by having a proactive ITAM practice.” (Sandi Conrad, Principal Research Director)

    Info-Tech Insight

    Audit defense starts long before you get audited. For an in-depth review of your audit approach, see Info-Tech’s Prepare and Defend Against a Software Audit.

    Identify areas of higher audit risk

    Watch for these warning signs
    • Your organization is visibly fighting fires. Signs of disorder may signal to vendors that there are opportunities to exploit via an audit. Past audit failures make future audits more likely.
    • You are looking for ways to decrease spend. Vendors may counter attempts to true-down licensing by launching an audit to try to find unlicensed software that provides them leverage to negotiate maintained or even increased spending.
    • Your license/contract terms with the vendor are particularly complex or highly customized. Very complex terms may make it harder to validate your own compliance, which may present opportunities to the vendor in an audit.
    • The vendor has earned a reputation for being particularly aggressive with audits. Some vendors include audits as a standard component of their business model to drive revenue. This may include acquiring smaller vendors or software titles that may not have been audit-driven in the past, and running audits on their new customer base.

    “The reality is, software vendors prey on confusion and complication. Where there’s confusion, there’s opportunity.” (Mike Austin, Founder, MetrixData 360)

    Develop an audit response plan

    You will be on the clock once the vendor sends you an audit request. Have a plan ready to go.
    • Don’t panic: Resist knee-jerk reactions. Follow the plan.
    • Form an audit response team and centralize your response: This team should be led by a member of the ITAM group, and it should include IT leadership, software SMEs, representatives from affected business areas, vendor management, contract management, and legal. You may also need to bring on a contractor with deep expertise with the vendor in question to supplement your internal capabilities. Establish clearly who will be the point of contact with the vendor during the audit.
    • Clarify the scope of the audit: Clearly establish what the audit will cover – what products, subsidiaries, contracts, time periods, geographic regions, etc. Manage the auditors to prevent scope creep.
    • Establish who covers audit costs: Vendors may demand the auditee cover the hourly cost of their audit team if you’re significantly out of compliance. Consider asking the vendor to pay for your team’s time if you’re found to be compliant.
    • Know your contract: Vendors’ contracts change over time, and it’s no guarantee that even your vendor’s licensing experts will be aware of the rights you have in your contract. You must know your entitlements to negotiate effectively.
    1. Bring the audit request received to the attention of ITAM and IT leadership. Assemble the response team.
    2. Acknowledge receipt of audit notice.
    3. Negotiate timing and scope of the audit.
    4. Direct staff not to remove or acquire licenses for software under audit without directly involving the ITAM team first.
    5. Gather installation data and documentation to establish current entitlements, including original contract, current contract, addendums, receipts, invoices.
    6. Compare entitlements to installed software.
    7. Investigate any anomalies (e.g. unexpected or non-compliant software).
    8. Review results with the audit response team.

    2.7 Clarify your vendor audit response plan

    1 hour

    Input: Organizational knowledge on your current audit response procedures

    Output: Audit response team membership, High-level audit checklist, A list of things to start, stop, and continue doing as part of the audit response

    Materials: Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    1. Who’s on the audit response team, and what’s their role? Who will lead the team? Who will be the point of contact with the auditor?
    2. What are the high-level steps in our audit response workflow? Use the example checklist below as a starting point.
    3. What do we need to start, stop, and continue doing in response to audit requests?

    Example Audit Checklist

    • Bring the audit request received to the attention of ITAM and IT leadership. Assemble the response team.
    • Acknowledge receipt of audit notice.
    • Negotiate timing and scope of the audit.
    • Direct staff not to remove or acquire licenses for software under audit without directly involving the ITAM team first.
    • Gather installation data and documentation to establish current entitlements, including original contract, current contract, addendums, receipts, invoices.
    • Compare entitlements to installed software.
    • Investigate any anomalies (e.g. unexpected or non-compliant software).
    • Review results with the audit response team.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.8: Improve budget processes

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers
    • ITAM business partners

    Outcomes

    • Identify what you need to start, stop, and continue to do to support budgeting processes.

    Improve budgeting and forecasting

    Insert ITAM into budgeting processes to deliver significant value.

    Some examples of what ITAM can bring to the budgeting table:
    • Trustworthy data on deployed assets and spending obligations tied to those assets.
    • Projections of hardware due for replacement in terms of quantity and spend.
    • Knowledge of IT hardware and software contract terms and pricing.
    • Lists of unused or underused hardware and software that could be redeployed to avoid spend.
    • Comparisons of spend year-over-year.

    Being part of the budgeting process positions ITAM for success in other ways:

    • Helps demonstrate the strategic value of the ITAM practice.
    • Provides insight into business and IT strategic projects and priorities for the year.
    • Strengthens relationships with key stakeholders, and positions the ITAM team as trusted partners.

    “Knowing what you have [IT assets] is foundational to budgeting, managing, and optimizing IT spend.” (Dave Kish, Info-Tech, Practice Lead, IT Financial Management)

    Stock image of a calculator.

    2.8 Build better budgets

    20 minutes

    Input: Context on IT budgeting processes

    Output: A list of things to start, stop, and continue doing as part of budgeting exercises

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, ITAM business partners

    What should we start, stop, and continue doing to support organizational budgeting exercises?

    Start Stop Continue
    • Creating buckets of spend and allocating assets to those buckets.
    • Zero-based review on IaaS instances quarterly.
    • Develop dashboards plugged into asset data for department heads to view allocated assets and spend.
    • Create value reports to demonstrate hard savings as well as cost avoidance.
    • Waiting for business leaders to come to us for help (start reaching out with reports proactively, three months before budget cycle).
    • % increases on IT budgets without further review.
    • Monthly variance budget analysis.
    • What-if analysis for asset spend based on expected headcount increases.

    Add your results to your copy of the ITAM Strategy Template

    Step 2.9: Establish a documentation framework

    Participants

    • Project sponsor and lead facilitator
    • ITAM team

    Outcomes

    • Identify key documentation and gaps in your documentation.
    • Establish where documentation should be stored, who should own it, who should have access, and what should trigger a review.

    Create ITAM documentation

    ITAM documentation will typically support governance or operations.

    Long-term planning and governance
    • ITAM policy and/or related policies (procurement policy, security awareness policy, acceptable use policy, etc.)
    • ITAM strategy document
    • ITAM roadmap or burndown list
    • Job descriptions
    • Functional requirements documents for ITAM tools

    Operational documentation

    • ITAM SOPs (hardware, software) and workflows
    • Detailed work instructions/knowledgebase articles
    • ITAM data/records
    • Contracts, purchase orders, invoices, MSAs, SOWs, etc.
    • Effective Licensing Position (ELP) reports
    • Training and communication materials
    • Tool and integration documentation
    • Asset management governance, operations, and tools typically generate a lot of documentation.
    • Don’t create documentation for the sake of documentation. Prioritize building and maintaining documentation that addresses major risks or presents opportunities to improve the consistency and reliability of key processes.
    • Maximize the value of ITAM documentation by ensuring it is as current, accessible, and usable as it needs to be.
    • Clearly identify where documentation is stored and who should have access to it.
    • Identify who is accountable for the creation and maintenance of key documentation, and establish triggers for reviews, updates, and changes.

    Consider ITAM policies

    Create policies that can and will be monitored and enforced.
    • Certain requirements of the ITAM practice may need to be backed up by corporate policies: formal statements of organizational expectations that must be recognized by staff, and which will lead to sanctions/penalties if breached.
    • Some organizations will choose to create one or more ITAM-specific policies. Others will include ITAM-related statements in other existing policies, such as acceptable use policies, security training and awareness policies, procurement policies, configuration policies, e-waste policies, and more.
    • Ensure that you are prepared to monitor compliance with policies and evenly enforce breaches of policy. Failing to consistently enforce your policies exposes you and your organization to claims of negligence or discriminatory conduct.
    • For a template for ITAM-specific policies, see Info-Tech’s policy templates for Hardware Asset Management and Software Asset Management.

    2.9 Establish documentation gaps

    15-30 minutes

    Input: An understanding of existing documentation gaps and risks

    Output: Documentation gaps, Identified owners, repositories, access rights, and review/update protocols

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, Optional: IT managers, ITAM business partners

    Discuss and record the following:

    • What planning/governance, operational, and tooling documentation do we still need to create? Who is accountable for the creation and maintenance of these documents?
    • Where will the documentation be stored? Who can access these documents?
    • What will trigger reviews or changes to the documents?
    Need to Create Owner Stored in Accessible by Trigger for review
    Hardware asset management SOP ITAM manager ITAM SharePoint site › Operating procedures folder
    • All IT staff
    • Annual review
    • As-needed for major tooling changes that require a documentation update

    Add your results to your copy of the ITAM Strategy Template

    Step 2.10: Create a roadmap and communication plan

    Participants

    • Project sponsor and lead facilitator
    • ITAM team
    • IT leaders and managers

    Outcomes

    • A timeline of key ITAM initiatives.
    • Improvement ideas aligned to key initiatives.
    • A communication plan tailored to key stakeholders.
    • Your ITAM Strategy document.

    “Understand that this is a journey. This is not a 90-day project. And in some organizations, these journeys could be three or five years long.” (Mike Austin, MetrixData 360)

    2.10 Identify key ITAM initiatives

    30-45 minutes

    Input: Organizational strategy documents

    Output: A roadmap that outlines next steps

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Project sponsor

    1. Identify key initiatives that are critical to improving practice maturity and meeting business goals.
    2. There should only be a handful of really key initiatives. This is the work that will have the greatest impact on your ability to deliver value. Too many initiatives muddy the narrative and can distract from what really matters.
    3. Plot the target start and end dates for each initiative in the business and IT transformation timeline you created in Phase 1.
    4. Review the chart and consider – what new capabilities should the ITAM practice have once the identified initiatives are complete? What transformational initiatives will you be better positioned to support?

    Add your results to your copy of the ITAM Strategy Template

    Transformation Timeline

    Example transformation timeline with row headers 'Business Inititiaves', 'IT Initiatives', and 'ITAM Initiatives'. Each initiative is laid out along the timeline appropriately.

    2.10 Align improvement ideas to initiatives

    45 minutes

    Input: Key initiatives, Ideas for ITAM improvement collected over the course of previous exercises

    Output: Concrete action items to support each initiative

    Materials: The table in the next slide, Your copy of the ITAM Strategy Template

    Participants: ITAM team, IT leaders and managers, Project sponsor

    As you’ve been working through the previous exercises, you have been tracking ideas for improvement – now we’ll align them to your roadmap.

    1. Review the list of ideas for improvement you’ve produced over the working sessions. Consolidate the list – are there any ideas that overlap or complement each other? Record any new ideas. Frame each idea as an action item – something you can actually do.
    2. Connect the action items to initiatives. It may be that not every action item becomes part of a key initiative. (Don’t lose ideas that aren’t part of key initiatives – track them in a separate burndown list or backlog.)
    3. Identify a target completion date and owner for each action item that’s part of an initiative.

    Add your results to your copy of the ITAM Strategy Template

    Example ITAM initiatives

    Initiative 1: Develop hardware/software standards
    Task Target Completion Owner
    Laptop standards Q1-2023 ITAM manager
    Identify/eliminate contracts for unused software using scan tool Q2-2023 ITAM manager
    Review O365 license levels and standard service Q3-2023 ITAM manager

    Initiative 2: Improve ITAM data quality
    Task Target Completion Owner
    Implement scan agent on all field laptops Q3-2023 Desktop engineer
    Conduct in person audit on identified data discrepancies Q1-2024 ITAM team
    Develop and run user-led audit Q1-2024 Asset manager

    Initiative 3: Acquire & implement a new ITAM tool
    Task Target Completion Owner
    Select an ITAM tool Q3-2023 ITAM manager
    Implement ITAM tool, incl. existing data migration Q1-2024 ITAM manager
    Training on new tool Q1-2024 ITAM manager
    Build KPIs, executive dashboards in new tool Q2-2024 Data analyst
    Develop user-led audit functionality in new tool Q3-2024 ITAM coordinator

    2.10 Create a communication plan

    45 minutes

    Input: Proposed ITAM initiatives, Stakeholder priorities and goals, and an understanding of how ITAM can help them meet those goals

    Output: A high-level communication plan to communicate the benefits and impact of proposed changes to the ITAM program

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: IT asset manager, Project sponsor

    Develop clear, consistent, and targeted messages to key ITAM stakeholders.

    1. Modify the list of stakeholders in the first column.
    2. What benefits should those stakeholders realize from ITAM? What impact may the proposed improvements have on them? Refer back to exercises from Phase 1, where you identified key stakeholders, their priorities, and how ITAM could help them.
    3. Identify communication channels (in-person, email, all-hands meeting, etc.) and timing – when you’ll distribute the message. You may choose to use more than one channel, and you may need to convey the message more than once.
    Group ITAM Benefits Impact Channel(s) Timing
    CFO
    • More accurate IT spend predictions
    • Better equipment utilization and value for money
    • Sponsor integration project between ITAM DB and financial system
    • Support procurement procedures review
    Face-to-face – based on their availability Within the next month
    CIO
    • Better oversight into IT spend
    • Data to help demonstrate IT value
    • Resources required to support tool and ITAM process improvements
    Standing bi-monthly 1:1 meetings Review strategy at next meeting
    IT Managers
    Field Techs

    Add your results to your copy of the ITAM Strategy Template

    2.10 Put the final touches on your ITAM Strategy

    30 minutes

    Input: Proposed ITAM initiatives, Stakeholder priorities and goals, and an understanding of how ITAM can help them meet those goals

    Output: A high-level communication plan to communicate the benefits and impact of proposed changes to the ITAM program

    Materials: The table in this slide, Your copy of the ITAM Strategy Template

    Participants: IT asset manager, Project sponsor

    You’re almost done! Do a final check of your work before you send a copy to your participants.

    1. Summarize in three points the key findings from the activities you’ve worked through. What have you learned? What are your priorities? What key message do you need to get across? Add these to the appropriate slide near the start of the ITAM Strategy Template.
    2. What are your immediate next steps? Summarize no more than five and add them to the appropriate slide near the start of the ITAM Strategy Template.
      1. Are you asking for something? Approval for ITAM initiatives? Funding? Resources? Clearly identify the ask as part of your next steps.
    3. Are the KPIs identified in Phase 1 still valid? Will they help you monitor for success in the initiatives you’ve identified in Phase 2? Make any adjustments you think are required to the KPIs to reflect the additional completed work.

    Add your results to your copy of the ITAM Strategy Template

    Research Contributors and Experts

    Kylie Fowler
    Principal Consultant
    ITAM Intelligence

    Kylie is an experienced ITAM/FinOps consultant with a track record of creating superior IT asset management frameworks that enable large companies to optimize IT costs while maintaining governance and control.

    She has operated as an independent consultant since 2009, enabling organizations including Sainsbury's and DirectLine Insurance to leverage the benefits of IT asset management and FinOps to achieve critical business objectives. Recent key projects include defining an end-to-end SAM strategy, target operating model, policies and processes which when implemented provided a 300% ROI.

    She is passionate about supporting businesses of all sizes to drive continuous improvement, reduce risk, and achieve return on investment through the development of creative asset management and FinOps solutions.

    Rory Canavan
    Owner and Principal Consultant
    SAM Charter

    Rory is the founder, owner, and principal consultant of SAM Charter, an internationally recognized consultancy in enterprise-wide Software & IT Asset Management. As an industry leader, SAM Charter is uniquely poised to ensure your IT & SAM systems are aligned to your business requirements.

    With a technical background in business and systems analysis, Rory has a wide range of first-hand experience advising numerous companies and organizations on the best practices and principles pertaining to software asset management. This experience has been gained in both military and civil organizations, including the Royal Navy, Compaq, HP, the Federation Against Software Theft (FAST), and several software vendors.

    Research Contributors and Experts

    Jeremy Boerger
    Founder, Boerger Consulting
    Author of Rethinking IT Asset Management

    Jeremy started his career in ITAM fighting the Y2K bug at the turn of the 21st century. Since then, he has helped companies in manufacturing, healthcare, banking, and service industries build and rehabilitate hardware and software asset management practices.

    These experiences prompted him to create the Pragmatic ITAM method, which directly addresses and permanently resolves the fundamental flaws in current ITAM and SAM implementations.

    In 2016, he founded Boerger Consulting, LLC to help business leaders and decision makers fully realize the promises a properly functioning ITAM can deliver. In his off time, you will find him in Cincinnati, Ohio, with his wife and family.

    Mike Austin
    Founder and CEO
    MetrixData 360

    Mike Austin leads the delivery team at MetrixData 360. Mike brings more than 15 years of Microsoft licensing experience to his clients’ projects. He assists companies, from Fortune 500 to organizations with as few as 500 employees, with negotiations of Microsoft Enterprise Agreements (EA), Premier Support Contracts, and Select Agreements. In addition to helping negotiate contracts, he helps clients build and implement software asset management processes.

    Previously, Mike was employed by Microsoft for more than 8 years as a member of the global sales team. With Microsoft, Mike successfully negotiated more than a billion dollars in new and renewal EAs. Mike has also negotiated legal terms and conditions for all software agreements, developed Microsoft’s best practices for global account management, and was awarded Microsoft’s Gold Star Award in 2003 and Circle of Excellence in 2008 for his contributions.

    Bibliography

    “Asset Management.” SFIA v8. Accessed 17 March 2022.

    Boerger, Jeremy. Rethinking IT Asset Management. Business Expert Press, 2021.

    Canavan, Rory. “C-Suite Cheat Sheet.” SAM Charter, 2021. Accessed 17 March 2022.

    Fisher, Matt. “Metrics to Measure SAM Success.” Snow Software, 26 May 2015. Accessed 17 March 2022.

    Flexera (2021). “State of ITAM Report.” Flexera, 2021. Accessed 17 March 2022.

    Fowler, Kylie. “ITAM by design.” BCS, The Chartered Institute for IT, 2017. Accessed 17 March 2022.

    Fowler, Kylie. “Ch-ch-ch-changes… Is It Time for an ITAM Transformation?” ITAM Intelligence, 2021. Web. Accessed 17 March 2022.

    Fowler, Kylie. “Do you really need an ITAM policy?” ITAM Accelerate, 15 Oct. 2021. Accessed 17 March 2022.

    Hayes, Chris. “How to establish a successful, long-term ITAM program.” Anglepoint, Sept. 2021. Accessed 17 March 2022.

    ISO/IEC 19770-1-2017. IT Asset Management Systems – Requirements. Third edition. ISO, Dec 2017.

    Joret, Stephane. “IT Asset Management: ITIL® 4 Practice Guide”. Axelos, 2020.

    Jouravlev, Roman. “IT Service Financial Management: ITIL® 4 Practice Guide”. Axelos, 2020.

    Pagnozzi, Maurice, Edwin Davis, Sam Raco. “ITAM Vs. ITSM: Why They Should Be Separate.” KPMG, 2020. Accessed 17 March 2022.

    Rumelt, Richard. Good Strategy, Bad Strategy. Profile Books, 2013.

    Stone, Michael et al. “NIST SP 1800-5 IT Asset Management.” Sept, 2018. Accessed 17 March 2022.

    Operations management

    • Buy Link or Shortcode: {j2store}12|cart{/j2store}
    • Related Products: {j2store}12|crosssells{/j2store}
    • Up-Sell: {j2store}12|upsells{/j2store}
    • member rating overall impact (scale of 10): 10.0/10
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Infra and Operations
    • Parent Category Link: /infra-and-operations
    IT Operations is all about effectiveness. We make sure that you deliver reliable services to the clients and users within the company.

    Develop Your Agile Approach for a Successful Transformation

    • Buy Link or Shortcode: {j2store}163|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $86,469 Average $ Saved
    • member rating average days saved: 16 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Your organization wants to shorten delivery time and improve quality by adopting Agile delivery methods.
    • You know that Agile transformations are complex and difficult to implement.
    • Your organization may have started using Agile, but with only limited success.
    • You want to maximize your Agile transformation’s chances of success.

    Our Advice

    Critical Insight

    • Agile transformations are more likely to be successful when the entire organization understands Agile fundamentals, principles, and practices; the “different way of working” that Agile requires; and the role each person plays in its success.

    Impact and Result

    • Understand the “what and why” of Agile.
    • Identify your organization’s biggest Agile pain points.
    • Gain a deeper understanding of Agile principles and practices, and apply these to your Agile pain points.
    • Create a list of action items to address your organization’s Agile challenges.

    Develop Your Agile Approach for a Successful Transformation Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify common Agile challenges

    Identify your organization's biggest Agile pain points so you can focus attention on those topics that are impacting your Agile capabilities the most.

    • Develop Your Agile Approach for a Successful Transformation – Phases 1-2

    2. Establish a solid foundation for Agile delivery

    Ensure that your organization has a solid understanding of Agile principles and practices to help ensure your Agile transformation is successful. Understand Agile's different way of working and identify the steps your organization will need to take to move from traditional Waterfall delivery to Agile.

    • Roadmap for Transition to Agile

    3. Backlog Management Module: Manage your backlog effectively

    The Backlog Management Module helps teams develop a better understanding of backlog management and user story decomposition. Improve your backlog quality by implementing a three-tiered backlog with quality filters.

    4. Scrum Simulation Module: Simulate effective Scrum practices

    The Scrum Simulation Module helps teams develop a better understanding of Scrum practices and the behavioral blockers affecting Agile teams and organizational culture. This module features two interactive simulations to encourage a deeper understanding of good Scrum practices and Agile principles.

    • Scrum Simulation Exercise (Online Banking App)

    5. Estimation Module: Improve product backlog item estimation

    The Estimation Module helps teams develop a better understanding of Agile estimation practices and how to apply them. Teams learn how Agile estimation and reconciliation provide reliable planning estimates.

    6. Product Owner Module: Establish an Effective Product Owner Role

    The Product Owner Module helps teams understand product management fundamentals and a deeper understanding of the product owner role. Teams define their product management terminology, create quality filters for PBIs moving through the backlog, and develop their product roadmap approach for key audiences.

    7. Product Roadmapping Module: Create effective product roadmaps

    The Product Roadmapping Module helps teams understand product road mapping fundamentals. Teams learn to effectively use the six tools of Product Roadmapping.

    [infographic]

    Further reading

    Develop Your Agile Approach for a Successful Transformation

    Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

    Analyst Perspective

    Understand Agile fundamentals, principles, and practices so you can apply them effectively in your organization.

    Pictures of Alex Ciraco and Hans Eckman

    Alex Ciraco and Hans Eckman
    Application Practice
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    • Your organization wants to shorten delivery time and improve quality by adopting Agile delivery methods.
    • You know that Agile transformations are complex and difficult to implement.
    • Your organization may have started using Agile, but with only limited success.
    • You want to maximize your Agile transformation's chances of success.

    Common Obstacles

    • People seem to have different, conflicting, or inadequate knowledge of Agile principles and practices.
    • Your organization is not seeing the full benefits that Agile promises, and project teams aren't sure they are "doing Agile right."
    • Confusion and misinformation about Agile is commonplace in your organization.

    Info-Tech's Approach

    • Use our Common Agile Challenges Survey to identify your organization's Agile pain points.
    • Leverage this blueprint to level-set the organization on Agile fundamentals.
    • Address your survey's biggest Agile pain points to see immediate benefits and improvements in the way you practice Agile in your organization.

    Info-Tech Insight

    Agile transformations are more likely to be successful when the entire organization genuinely understands Agile fundamentals, principles and practices, as well as the role each person plays in its success. Focus on developing a solid understanding of Agile practices so your organization can "Be Agile", not just "Do Agile".

    Info-Tech's methodology

    1. Identify Common Agile Challenges

    2. Establish a Solid Foundation for Agile Delivery

    3. Agile Modules

    Phase Steps

    1.1 Identify common agile challenges

    2.1 Align teams with Agile fundamentals

    2.2 Interpret your common Agile challenges survey results

    2.3 (Optional) Move stepwise to iterative Agile delivery

    2.4 Identify insights and team feedback

    • Backlog Management Module:
      Manage Your Backlog Effectively
    • Scrum Simulation Module:
      Simulate Effective Scrum Practices
    • Estimation Module:
      Improve Product Backlog Item Estimation
    • Product Owner Module:
      Establish an Effective Product Owner Role
    • Product Roadmapping Module: Create Effective Product Roadmaps
    Phase Outcomes

    Understand common challenges associated with Agile transformations and identify your organization's struggles.

    Establish and apply a uniform understanding of Agile fundamentals and principles.

    Create a roadmap for your transition to Agile delivery and prioritized challenges.

    Foster deeper understanding of Agile principles and practices to resolve pain points.

    Develop your agile approach for a successful transformation

    Everyone's Agile journey is not the same.

    agile journey for a successful transformation

    Application delivery continues to fall short

    78% of IT professionals believe the business is "usually" or "always" out of sync with project requirements.
    Source: "10 Ways Requirements Can Sabotage Your Projects Right From the Start"

    Only 34% of software is rated as both important and effective by users.

    Source: Info-Tech's CIO Business Vision Diagnostic

    Agile DevOps is a progression of cultural, behavioral, and process changes. It takes time.

    An image of the trail to climb Mount Everest, with the camps replaced by the main steps of the agile approach to reaching Nirvana.

    Enhancements and maintenance are misunderstood

    an image showing the relationship between enhancements and maintenance.

    Source: "IEEE Transactions on Software Engineering"

    Why Agile/DevOps? It's about time to value

    Leaders and stakeholders are frustrated with long lead times to implement changes. Agile/DevOps promotes smaller, more frequent releases to start earning value sooner.

    A frequency graph showing the Time to delivering value depends on Frequency of Releases

    Time to delivering value depends on Frequency of Releases

    Embrace change, don't "scope creep" it

    64% of IT professionals adopt Agile to enhance their ability to manage changing priorities.

    71% of IT professionals found their ability to manage changing priorities improved after implementing Agile.

    Info-Tech Insight

    Traditional delivery processes work on the assumption that product requirements will remain constant throughout the SDLC. This results in delayed delivery of product enhancements which are critical to maintaining a positive customer experience.

    Adapted from: "12th Annual State of Agile Report"

    Agile's four core values

    "…while there is value in the items on the right, we value the items on the left more."
    – Source: "The Agile Manifesto"

    We value. . .

    Individuals and Interactions

    OVER

    Processes and Tools

    Working Software

    OVER

    Comprehensive Documentation

    Customer Collaboration

    OVER

    Contract Negotiation

    Responding to Change

    OVER

    Following a Plan

    Being Agile

    OVER

    Being Prescriptive

    Harness Agile's cultural advantages

    Collaboration

    • Team members leverage all their experience working toward a common goal.

    Iterations

    • Cycles provide opportunities for more product feedback.

    Continual Improvement

    • Self-managing teams continually improve their approach for the next iteration.

    Prioritization

    • The most important needs are addressed in the current iteration.

    Compare Waterfall and Agile – the "what" (how are they different?)

    This is an example of the Waterfall Approach.

    A "One and Done" Approach (Planning & Documentation Based)
    Elapsed time to deliver any value: Months to years

    This is an example of the Agile Approach

    An "Iterative" Approach (Empirical/Evidence Based)
    Elapsed time to deliver any value: Weeks

    Be aware of common myths around Agile

    1. … solve development and communication issues.
    2. … ensure you will finish requirements faster.
    3. … mean you don't need planning and documentation.

    "Although Agile methods are increasingly being adopted in globally distributed settings, there is no panacea for success."
    – "Negotiating Common Ground in Distributed Agile Development: A Case Study Perspective."

    "Without proper planning, organizations can start throwing more resources at the work which spirals into the classic Waterfall issues of managing by schedule."
    – Kristen Morton, Associate Implementation Architect,
    OneShield Inc., Info-Tech Interview

    Agile* SDLC

    With shared ownership instead of silos, we can deliver value at the end of every iteration (aka sprint)

    An image of the Agile SDLC Approach.

    * There are many Agile methodologies to choose from, but Scrum is by far the most widely used (and is shown above).

    Key Elements of the Agile SDLC

    • You are not "one-and-done." There are many short iterations with constant feedback.
    • There is an empowered product owner. This is a single authoritative voice that represents stakeholders.
    • There is a fluid product backlog. This enables prioritization of requirements "just-in-time."
    • Cross-functional, self-managing team. This team makes commitments and is empowered by the organization to do so.
    • Working, tested code at the end of each sprint. Value becomes more deterministic along sprint boundaries.
    • Demonstrate to stakeholders. Allow them to see and use the functionality and provide necessary feedback.
    • Feedback is being continuously injected back into the product backlog. This shapes the future of the solution.
    • Continuous improvement through sprint retrospectives.
    • "Internally Governed" when done right (the virtuous cycle of sprint-demo-feedback).

    A backlog stores and organizes PBIs at various stages of readiness

    A well-formed backlog can be thought of as a DEEP backlog:

    • Detailed Appropriately: Product backlog items (PBIs) are broken down and refined as necessary.
    • Emergent: The backlog grows and evolves over time as PBIs are added and removed.
    • Estimated: The effort a PBI requires is estimated at each tier.
    • Prioritized: The PBIs value and priority are determined at each tier.

    (Perforce, 2018)

    An image showing the Ideas; Qualified; Ready; funnel leading to the sprint approach.

    Outline the criteria to proceed to the next tier via quality filters

    Expand the concepts of defining "ready" and "done" to include the other stages of a PBIs journey through product planning.

    An image showing the approach you will use to Outline the criteria to proceed to the next tier via quality filters

    Info-Tech Insight: A quality filter ensures quality is met and teams are armed with the right information to work more efficiently and improve throughput.

    Deliverables

    Many steps in this blueprint are accompanied by supporting deliverables to help you accomplish your goals.

    Common Agile Challenges Survey
    Survey the organization to understand which of the common Agile challenges the organization is experiencing

    A screenshot from Common Agile Challenges Survey

    Roadmap for Transition to Agile
    Identify steps you will take to move your organization toward Agile delivery

    A screenshot from Roadmap for Transition to Agile

    Blueprint benefits

    IT Benefits

    Business Benefits

    • Consistent Agile delivery teams.
    • Delivery prioritized with business needs and committed work is achievable.
    • Improved ability to adjust future delivery cycles to meet changing business, market, and end-user needs.
    • Increased alignment and stability of resources with products and technology areas.
    • Reduction in the mean time to delivery of product backlog items.
    • Reduction in technical debt.
    • Better delivery alignment with enterprise goals, vision, and outcomes.
    • Improved coordination with product owners and stakeholders.
    • Quantifiable value realization following each release.
    • Product decisions made at the right time and with the right input.
    • Improved team morale and productivity.
    • Improved operational efficiency and process automation.
    • Increased employee retention and quality of new hires.
    • Reduction in accumulated project risk.

    Measure the value of this blueprint

    Implementing quality and consistent Agile practices improves SDLC metrics and reduces time to value.

    • Use Select and Use SDLC Metrics Effectivelyto track and measure the impact of Agile delivery. For example:
      • Reduction in PBI wait time
      • Improve throughput
      • Reduction in defects and defect severity
    • Phase 1 helps you prepare and send your Common Agile Challenges Survey.
    • Phase 2 builds a transformation plan aligned with your top pain points.

    Align Agile coaching and practices to address your key pain points identified in the Common Agile Challenges Survey.

    A screenshot from Common Agile Challenges Survey

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation

    What does a typical GI on this topic look like?

    This is an image of the eight calls which will take place over phases 1-3.

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 6 to 8 calls over the course of 1 to 2 months.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Phases 1-2
    1.5 - 3.0 days estimated

    Backlog Management
    0.5 - 1.0 days estimated

    Scrum Simulation
    1.25 - 2.25 days estimated

    Estimation
    1.0 - 1.25 days estimated

    Product Owner
    1.0 - 1.75 days estimated

    Product Roadmapping
    0.5 - 1.0 days estimated

    Establish a Solid Foundation for Agile Delivery

    Define the
    IT Target State

    Assess the IT
    Current State

    Bridge the Gap and
    Create the Strategy

    Establish an Effective Product Owner Role

    Create Effective Product Roadmaps

    Activities

    1.1 Gather Agile challenges and gaps
    2.1 Align teams with Agile fundamentals
    2.2 Interpret your common Agile challenges survey results
    2.3 (Optional) Move stepwise to iterative Agile delivery
    2.4 Identify insights and team feedback

    1. User stories and the art of decomposition
    2. Effective backlog management and refinement
    3. Identify insights and team feedback
    1. Scrum sprint planning and retrospective simulation
    2. Pass the balls – sprint velocity game
    1. Improve product backlog item estimation
    2. Agile estimation fundamentals
    3. Understand the wisdom of crowds
    4. Identify insights and team feedback
    1. Understand product management fundamentals
    2. The critical role of the product owner
    3. Manage effective product backlogs and roadmaps
    4. Identify insights and team feedback
    1. Identify your product roadmapping pains
    2. The six "tools" of product roadmapping
    3. Product roadmapping exercise

    Deliverables

    1. Identify your organization's biggest Agile pain points.
    2. Establish common Agile foundations.
    3. Prioritize support for a better Agile delivery approach.
    4. Plan to move stepwise to iterative Agile delivery.
    1. A better understanding of backlog management and user story decomposition.
    1. Scrum sprint planning and retrospective simulation
    2. Pass the balls – sprint velocity game
    1. Improve product backlog item estimation
    2. Agile estimation fundamentals
    3. Understand the wisdom of crowds
    4. Identify insights and team feedback
    1. Understand product management fundamentals
    2. The critical role of the product owner
    3. Manage effective product backlogs and roadmaps
    4. Identify insights and team feedback
    1. Understand product vs. project orientation.
    2. Understand product roadmapping fundamentals.

    Agile Modules

    For additional assistance planning your workshop, please refer to the facilitation planning tool in the appendix.

    Related Info-Tech Research

    Mentoring for Agile Teams
    Get practical help and guidance on your Agile transformation journey.

    Implement DevOps Practices That Work
    Streamline business value delivery through the strategic adoption of DevOps practices.

    Deliver on Your Digital Product Vision
    Build a product vision your organization can take from strategy through execution.

    Deliver Digital Products at Scale
    Deliver value at the scale of your organization through defining enterprise product families.

    Phase 1

    Phase 1

    Phase 2

    Agile Modules

    1.1 Identify common Agile challenges

    2.1 Align teams with Agile fundamentals

    2.2 Interpret your common Agile challenges survey results

    2.3 (Optional) Move stepwise to iterative Agile delivery

    2.4 Identify insights and team feedback

    • Backlog Management Module: Manage Your Backlog Effectively
    • Scrum Simulation Module: Simulate Effective Scrum Practices
    • Estimation Module: Improve Product Backlog Item Estimation
    • Product Owner Module: Establish an Effective Product Owner Role
    • Product Roadmapping: Create Effective Product Roadmaps

    This phase will walk you through the following activities:

    • Decide who will participate in the Common Agile Challenges Survey
    • Compile the results of the survey to identify your organization's biggest pain points with Agile

    This phase involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Develop Your Agile Approach for a Successful Transformation

    Step 1.1

    Identify common Agile challenges

    Activities

    1.1 Distribute Common Agile Challenges Survey and collect results

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • A better understanding of your organization's Agile pain points.

    Focus Agile support where it is most needed

    A screenshot from Common Agile Challenges Survey

    Info-Tech Insight

    There isn't one approach that cures all the problems your Agile teams are facing. First, understand these common challenges, then develop a plan to address the root causes.

    Use Info-Tech's Common Agile Challenges Survey to determine common issues and what problems individual teams are facing. Use the Agile modules and supporting guides in this blueprint to provide targeted support on what matters most.

    Exercise 1.1.1 Distribute Common Agile Challenges Survey

    30 minutes

    1. Download Survey Template: Info-Tech Common Agile Challenges Survey template.
    2. Create your own local copy of the Common Agile Challenges Survey by using the template. The Common Agile Challenges Survey will help you to identify which of the many common Agile-related challenges your organization may be facing.
    3. Decide on the teams/participants who will be completing the survey. It is best to distribute the survey broadly across the organization and include participants from several teams and roles.
    4. Copy the link for your local survey and distribute it for participants to complete (we suggest giving them one week to complete it).
    5. Collect the consolidated survey results in preparation for the next phase.
    6. NOTE: Using this survey template requires having access to Microsoft Forms. If you do not have access to Microsoft Forms, an Info-Tech analyst can perform the survey for you.

    Output

    • Your organization's biggest Agile pain points

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Record the results in the Roadmap for Transition to Agile Template

    Phase 2

    Establish a Solid Foundation for Agile Delivery

    Phase 1

    Phase 2

    Agile Modules

    1.1 Identify common Agile challenges

    2.1 Align teams with Agile fundamentals

    2.2 Interpret your common Agile challenges survey results

    2.3 (Optional) Move stepwise to iterative Agile delivery

    2.4 Identify insights and team feedback

    • Backlog Management Module: Manage Your Backlog Effectively
    • Scrum Simulation Module: Simulate Effective Scrum Practices
    • Estimation Module: Improve Product Backlog Item Estimation
    • Product Owner Module: Establish an Effective Product Owner Role
    • Product Roadmapping: Create Effective Product Roadmaps

    This phase will walk you through the following activities:

    • Gain a fundamental understanding of Agile
    • Understand why becoming Agile is hard
    • Identify steps needed to become more Agile
    • Understand your biggest Agile pain points

    This phase involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Step 2.1

    Align teams with Agile fundamentals

    Activities

    2.1.1 Share what Agile means to you
    2.1.2 (Optional) Contrast two delivery teams
    2.1.3 (Optional) Dissect the Agilist's Oath
    2.1.4 (Optional) Create your prototype definitions of ready
    2.1.5 (Optional) Create your prototype definitions of done
    2.1.6 Identify the challenges of implementing agile in your organization

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • A better understanding of what Agile is and why we do it.

    Exercise 2.1.1 Share what Agile means to you

    30-60 minutes

    1. What is Agile? Why do we do it?
    2. As a group, discuss and capture your thoughts on:
      1. What is Agile (its characteristics, practices, differences from alternatives, etc.)?
      2. Why do we do it (its drivers, benefits, advantages, etc.)?
    3. Capture your findings in the table below:

    What is Agile?

    Why do we do it?

    (e.g. Agile mindset, principles, and practices)

    (e.g. benefits)

    Output

    • Your current understanding of Agile and its benefits

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Why Agile/DevOps? It's about time to value

    Leaders and stakeholders are frustrated with long lead times to implement changes. Agile/DevOps promotes smaller, more frequent releases to start earning value sooner.

    A graph demonstrating the increased frequency of release expected over time, from 1960 - present

    Time to delivering value depends on frequency of releases.
    Source: 5Q Partners

    The pandemic accelerated the speed of digital transformation

    With the massive disruption preventing people from gathering, businesses shifted to digital interactions with customers.

    December 2019 - 36%; acceleration of 3 years; July 2020 - 58%.

    Companies also accelerated the pace of creating digital or digitally enhanced products and services.

    December 2019 - 35%; acceleration of 3 years; July 2020 - 55%.

    (McKinsey, 2020 )

    "The Digital Economy incorporates all economic activity reliant on or significantly enhanced by the use of digital inputs, including digital technologies, digital infrastructure, digital services and data."
    (OECD Definition)

    What does "elite" DevOps look like?

    This is an image of an annotated table showing what elite devops looks like.

    Where are you now?
    Where do You Want to Be?

    * Google Cloud/Accelerate State of DevOps 2021

    Realize and sustain value with DevOps

    Businesses with elite DevOps practices…

    973x more frequent faster lead time code deployments from commit to deploy, 3x 6570x lower change failure rate faster time to recover.

    Waterfall vs. Agile – the "what" (How are they different?)

    This is an example of the Waterfall Approach.

    A "One and Done" Approach (Planning & Documentation Based)
    Elapsed time to deliver any value: Months to years

    This is an example of the Agile Approach

    An "Iterative" Approach (Empirical/Evidence Based)
    Elapsed time to deliver any value: Weeks

    (Optional) Exercise 2.1.2 A tale of two teams

    Discussion (5-10 minutes)

    As a group, discuss how these teams differ

    Team 1:
    An image of the business analyst passing the requirements baton to the architect runner.

    Team 2:
    An image of team of soldiers carrying a heavy log up a beach

    Image Credit: DVIDS

    Discuss differences between these teams:
    • How are they different?
    • How would you coach/train/manage/lead?
    • How does team members' behavior differ?
    • How would you measure each team?
    What would have to happen at your organization to make working like this possible?

    Output

    • How your organization can support Agile behavior and mindset

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Dissect the Agilist's Oath

    Read and consider each element of the oath.

    • As a member of this Scrum team, I recognize that we are all equally and collectively responsible for the success of this project.
    • Success is defined as achieving the best possible outcome for our stakeholders given the constraints of time, money, and circumstances we will face.
    • We will achieve this by working collaboratively with our product owner to regularly deliver high-quality, working, tested code that can be demonstrated, and we will adjust our path forward based on the feedback we receive.
    • I will holistically embrace the concept of "good enough for now" into my work practices, because I know that waiting for the best/perfect solution does not yield optimal results.
    • Collectively, we will work to holistically minimize risk for the project across all phases and disciplines.
    • My primary role will be _____ [PO, SM, BA, Dev, Arch, Test, Ops, etc.], but I will contribute wherever and however best serves the current needs of the project.
    • I recognize that working in Agile/Scrum is not an excuse to ignore important things like adequate design and documentation. Collectively, we will ensure that these things are completed incrementally to a level of detail and quality which adequately serves the organization and stakeholders.
    • We are a team, and we will succeed or fail as one.

    Exercise 2.1.3 (Optional) Dissect the Agilist's Oath

    30 minutes

    1. Each bullet point in the Agilist's Oath is chosen to convey one of eight key messages about Agile practices and the mindset change that's required by everyone involved.
    2. As a group, discuss the "message" for each bullet point in the Agilist's Oath. Then identify which of them would be "easy" and "hard" to achieve in your organization.
    • As a member of this Scrum team, I recognize that we are all equally and collectively responsible for the success of this project.
    • Success is defined as achieving the best possible outcome for our stakeholders given the constraints of time, money, and circumstances we will face.
    • We will achieve this by working collaboratively with our product owner to regularly deliver high-quality, working, tested code that can be demonstrated, and we will adjust our path forward based on the feedback we receive.
    • I will holistically embrace the concept of "good enough for now" into my work practices, because I know that waiting for the best/perfect solution does not yield optimal results.
    • Collectively, we will work to holistically minimize risk for the project across all phases and disciplines.
    • My primary role will be _____ [PO, SM, BA, Dev, Arch, Test, Ops, etc.], but I will contribute wherever and however best serves the current needs of the project.
    • I recognize that working in Agile/Scrum is not an excuse to ignore important things like adequate design and documentation. Collectively, we will ensure that these things are completed incrementally to a level of detail and quality which adequately serves the organization and stakeholders.
    • We are a team, and we will succeed or fail as one.

    Which aspects of the Agilist's Oath are "easy" in your org?

    Which aspects of the Agilist's Oath are "hard" in your org?

    Output

    • How your organization can support Agile behavior and mindset

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Be aware of common myths around Agile

    Agile does not . . . .

    1. … solve development and communication issues.
    2. … ensure you will finish requirements faster.
    3. … mean you don't need planning and documentation.

    "Although Agile methods are increasingly being adopted in globally distributed settings, there is no panacea for success."
    – "Negotiating Common Ground in Distributed Agile Development: A Case Study Perspective."

    "Without proper planning, organizations can start throwing more resources at the work which spirals into the classic Waterfall issues of managing by schedule."
    – Kristen Morton, Associate Implementation Architect,
    OneShield Inc., Info-Tech Interview

    Agile's four core values

    "…while there is value in the items on the right, we value the items on the left more."
    – Source: "The Agile Manifesto"

    We value. . .

    Individuals and Interactions

    OVER

    Processes and Tools

    Working Software

    OVER

    Comprehensive Documentation

    Customer Collaboration

    OVER

    Contract Negotiation

    Responding to Change

    OVER

    Following a Plan

    Being Agile

    OVER

    Being Prescriptive

    Consider the traditional/Waterfall SDLC

    With siloes and handoffs, valuable product is delivered only at the end of an extended project lifecycle.

    This is an image of the Traditional Waterfall SDLC approach

    View additional transition models in the appendix

    Agile* SDLC

    With shared ownership instead of silos, we can deliver value at the end of every iteration (aka sprint)

    Key Elements of the Agile SDLC

    • You are not "one-and-done". There are many short iterations with constant feedback.
    • There is an empowered product owner. This is a single authoritative voice that represents stakeholders.
    • There is a fluid product backlog. This enables prioritization of requirements "just-in-time"
    • Cross-functional, self-managing team. This team makes commitments and is empowered by the organization to do so.
    • Working, tested code at the end of each sprint. Value becomes more deterministic along sprint boundaries.
    • Demonstrate to stakeholders. Allow them to see and use the functionality and provide necessary feedback.
    • Feedback is being continuously injected back into the product backlog. This shapes the future of the solution.
    • Continuous improvement through sprint retrospectives.
    • "Internally Governed" when done right (the virtuous cycle of sprint-demo-feedback).

    This is a picture of the Agile SDLC approach.

    * There are many Agile methodologies to choose from, but Scrum (shown above) is by far the most widely used.

    Scrum roles and responsibilities

    Product Owner

    Scrum Master

    Team Members

    Responsible

    • For identifying the product features and their importance in the final deliverable.
    • For refining and reprioritizing the backlog that identifies which features will be delivered in the next sprint based on business importance.
    • For clearing blockers and escalations when necessary.
    • For leading scrums, retrospectives, sprint reviews, and demonstrations.
    • For team building and resolving team conflicts.
    • For creating, testing, deploying, and supporting deliverables and valuable features.
    • For self-managing. There is no project manager assigning tasks to each team member.

    Accountable

    • For delivering valuable features to stakeholders.
    • For ensuring communication throughout development.
    • For ensuring high-quality deliverables for the product owner.

    Consulted

    • By the team through collaboration, rather than contract negotiation.
    • By the product owner on resolution of risks.
    • By the team on suggestions for improvement.
    • By the scrum master and product owner during sprint planning to determine level of complexity of tasks.

    Informed

    • On the progress of the current sprint.
    • By the team on work completed during the current sprint.
    • On direction of the business and current priorities.

    Scrum ceremonies

    Are any of these challenges for your organization? Done When:

    Project Backlog Refinement (PO & SM): Prepare user stories to be used in the next two to three future sprints. User stories are broken down into small manageable pieces of work that should not span sprints. If a user story is too big for a sprint, it is broken down further here. The estimation of the user story is examined, as well as the acceptance criteria, and each is adjusted as necessary from the Agile team members' input.

    Regularly over the project's lifespan

    Sprint Planning (PO, SM & Delivery Team): Discuss the work for the upcoming sprint with the business. Establish a clear understanding of the expectations of the team and the sprint. The product owner decides if priority and content of the user stories is still accurate. The development team decides what they believe can be completed in the sprint, using the user stories, in priority order, refined in backlog refinement.

    At/before the start of each sprint

    Daily Stand-Up (SM & Delivery Team): Coordinate the team to communicate progress and identify any roadblocks as quickly as possible. This meeting should be kept to fifteen minutes. Longer conversations are tabled for a separate meeting. These are called "stand-ups" because attendees should stay standing for the duration, which helps keep the meeting short and focused. The questions each team member should answer at each meeting: What did I do since last stand-up? What will I do before the next stand-up? Do I have any roadblocks?

    Every day during the sprint

    Sprint Demo (PO, SM, Delivery Team & Stakeholders): Review and demonstrate the work completed in the sprint with the business (demonstrate working and tested code which was developed during the sprint and gather stakeholder feedback).

    At the end of each sprint

    Sprint Retrospective (SM & Delivery Team & PO): Discuss how the sprint worked to determine if anything can be changed to improve team efficiency. The intent of this meeting is not to find/place blame for things that went wrong, but instead to find ways to avoid/alleviate pain points.

    At the end of each sprint

    Sample delivery sprint calendar

    The following calendar illustrates a two-week Scrum cadence (including ceremonies). This diagram is for illustrative purposes only. The length of the sprint and timing of ceremonies may differ from delivery team to delivery team based on their needs and schedules.

    An image of a sample sprint delivery calendar

    Sample delivery sprint calendar

    The following calendar illustrates a three-week Scrum cadence (including ceremonies). This diagram is for illustrative purposes only. The length of the sprint and timing of ceremonies may differ from delivery team to delivery team based on their needs and schedules.

    An image of a sample sprint delivery calendar

    Ensure your teams have the right information

    Implement and enforce your definition of ready at each stage of planning. Ensure your teams understand the required tasks by clarifying the definition of done.*

    Ready

    Done
    • The request has a defined problem, and the value is understood.
    • The request is documented, and the owner is identified.
    • Business and IT roles are committed to participating in estimation and planning activities.
    • Estimates and plans are made and validated with IT teams and business representatives.
    • Stakeholders and decision makers accept the estimates and plans as well as the related risks.
    • Estimates and plans are documented and slated for future review.

    * Note that your definitions of ready and done may vary from project to project, and they should be decided on collectively by the delivery team at the beginning of the project (part of setting their "norms") and updated if/when needed.

    Exercise 2.1.4 (Optional) Create definition of ready and done for an oil change

    10-15 minutes

    Step 1:

    1. As a group, create a definition of ready and done for doing an oil change (this will help you to understand the nature and value of a definition of ready and done using a relatable example):

    Definition of Ready

    Checklist:

    Definition of Done

    Checklist – For each user story:

    The checklist of things that must be true/done to begin the oil change.

    • We have the customer's car and keys
    • We know which grade of oil the customer wants

    The checklist of things that must be true/done at the end of the oil change.

    • The oil has been changed
    • A reminder sticker has been placed on windshield

    Exercise 2.1.4 (Optional) Create your prototype definitions of ready

    30-60 minutes

    Step 2:

    1. As a group, review the two sample definitions of ready below and select the one you consider to be the best starting point for your prototype definition of ready.

    Definition of Ready SAMPLE 1:

    Checklist – For each user story:

    • Technical and business risks are identified.
    • Resources are available for development.
    • Story has been assigned to a sprint/iteration.
    • Organizational business value is defined.
    • A specific user has been identified.
    • Stakeholders and needs defined.
    • Process impacts are identified.
    • Data needs are defined.
    • Business rules and non-functional requirements are identified.
    • Acceptance criteria are ready.
    • UI design work is ready.
    • Story has been traced to the project, epic, and sprint goal.

    Definition of Ready SAMPLE 2:

    Checklist – For each user story:

    • The value of story to the user is clearly indicated.
    • The acceptance criteria for story have been clearly described.
    • User story dependencies identified.
    • User story sized by delivery team.
    • Scrum team accepts user experience artifacts.
    • Performance criteria identified, where appropriate.
    • Person who will accept the user story is identified.
    • The team knows how to demo the story.

    Output

    • Prototype definitions of ready and done for your organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.1.4 (Optional) Create your prototype definitions of ready

    30-60 minutes

    Step 3:

    1. As a group, using the selected sample as your starting point, decide what changes need to be made (keep/add/delete/modify):

    Definition of Ready Checklist – For each user story:

    Disposition

    The value of story to the user is clearly indicated.

    Keep as is

    The acceptance criteria for story have been clearly described. Keep as is
    User story dependencies identified. Modify to: "Story has been traced to the project, epic, and sprint goal"
    User story sized by delivery team. Modify to: "User Stories have been sized by the Delivery team using Story Points"
    Scrum team accepts user experience artifacts. Keep as is
    Performance criteria identified, where appropriate. Keep as is
    Person who will accept the user story is identified.

    Delete

    The team knows how to demo the story. Keep as is

    Add: "Any performance related criteria have been identified where appropriate"

    Add: "Any data model related changes have been identified where needed"

    Output

    • Prototype definitions of ready and done for your organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.1.4 (Optional) Create your prototype definitions of ready

    30-60 minutes

    Step 4:

    1. As a group, capture and agree on your prototype definition of ready*:

    Definition of Ready

    Checklist – For each user story:

    User stories and related requirements contain clear descriptions of what is expected of a given functionality. Business value is identified.

    • The value of the story to the user is clearly indicated.
    • The acceptance criteria for the story have been clearly described.
    • Story has been traced to the project, epic, and sprint goal.
    • User stories have been sized by the delivery team using story points.
    • Scrum team accepts user experience artifacts.
    • Performance criteria identified, where appropriate.
    • The team knows how to demo the story.
    • Any performance-related criteria have been identified where appropriate.
    • Any data-model-related changes have been identified where needed.

    Record the results in the Roadmap for Transition to Agile Template

    * This checklist helps Agile teams determine if the stories in their backlog are ready for sprint planning. As your team gains experience with Agile, tailor this list to your needs and follow it until the practice becomes second nature.

    Output

    • Prototype definitions of ready and done for your organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.1.5 (Optional) Create your prototype definitions of done

    30-60 minutes

    Step 5:

    1. As a group, review the two sample definitions of ready below and select the one you consider to be the best starting point for your prototype definition of ready:

    SAMPLE 1:

    Definition of Done Checklist – For each user story:

    • Design complete
    • Code compiles
    • Static code analysis has been performed and passed
    • Peer reviewed with coding standards passed
    • Code merging completed
    • Unit tests and smoke tests are done/functional (preferably automated)
    • Meets the steps identified in the user story
    • Unit & QA test passed
    • Usability testing completed
    • Passes functionality testing including security testing
    • Data validation has been completed
    • Ready to be released to the next stage

    SAMPLE 2:

    Definition of Done Checklist – For each user story:

    • Work was completed in a way that a professional would say they are satisfied with their work.
    • Work has been seen by multiple team members.
    • Work meets the criteria of satisfaction described by the customer.
    • The work is part of a package that will be shared with the customer as soon as possible.
    • The work and any learnings from doing the work have been documented.
    • Completion of the work is known by and visible to all team members.
    • The work has passed all quality, security, and completeness checks as defined by the team.

    Output

    • Prototype definitions of ready and done for your organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.1.4 (Optional) Create your prototype definitions of done

    30-60 minutes

    Step 6:

    1. As a group, using the selected sample as your starting point, decide what changes need to be made (keep/add/delete/modify):

    Definition of Ready Checklist – For each user story:

    Disposition

    • Work was completed in a way that a professional would say they are satisfied with their work.
    Keep as is
    • Work has been seen by multiple team members.
    Delete
    • Work meets the criteria of satisfaction described by the customer.
    Modify to: "All acceptance criteria for the user story have been met"
    • The work is a part of a package that will be shared with the customer as soon as possible.
    Modify to: "The user story is ready to be demonstrated to Stakeholders"
    • The work and any learnings from doing the work has been documented.
    Keep as is
    • Completion of the work is known by and visible to all team members.
    Keep as is
    • The work has passed all quality, security, and completeness checks as defined by the team.
    Modify to: "Unit, smoke and regression testing has been performed (preferably automated), all tests were passed"
    Add: "Any performance related criteria associated with the story have been met"

    Output

    • Prototype definitions of ready and done for your organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.1.4 (Optional) Create your prototype definitions of done

    30-60 minutes

    Step 7:

    1. As a group, capture and agree on your prototype Definition of Done*:

    Definition of Done

    Checklist – For each user story:

    When the user story is accepted by the product owner and is ready to be released.

    • Work was completed in a way that a professional would say they are satisfied with their work.
    • All acceptance criteria for the user story have been met.
    • The user story is ready to be demonstrated to stakeholders.
    • The work and any learnings from doing the work have been documented.
    • Completion of the work is known by and visible to all team members.
    • Unit, smoke, and regression testing has been performed (preferably automated), and all tests were passed.
    • Any performance-related criteria associated with the story have been met.

    Record the results in the Roadmap for Transition to Agile Template

    * This checklist helps Agile teams determine if the stories in their backlog are ready for sprint planning. As your team gains experience with Agile, tailor this list to your needs and follow it until the practice becomes second nature.

    Output

    • Prototype definitions of ready and done for your organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Getting to "Agile DevOps Nirvana" is hard, but it's worth it.

    An image of the trail to climb Mount Everest, from camps 1-4

    Agile DevOps is a progression of cultural, behavioral, and process changes.
    It takes time.

    An image of the trail to climb Mount Everest, with the camps replaced by the steps to deploy Agile, to reach Agile/Devops Nirvana

    Agile DevOps may be hard, but it's worth it…

    It turns out Waterfall is not as good at reducing risk and ensuring delivery after all.

    CHAOS RESOLUTION BY AGILE VERSUS WATERFALL
    Size Method Successful Challenged Failed
    All Size Projects Agile 39% 52% 9%
    Waterfall 11% 60% 29%

    Standish Group; CHAOS REPORT 2015

    "I believe in this [Waterfall] concept, but the implementation described above is risky and invites failure."

    – Winston W. Royce

    Compare Waterfall to Agile

    Waterfall

    Agile

    Roles and Responsibilities

    Silo your resources

    Defined/segregated responsibilities

    Handoffs between siloes via documents

    Avoid siloes

    Collective responsibility

    Transitions instead of handoffs

    Belief System

    Trust the process

    Assign tasks to individuals

    Trust the delivery team

    Assign ownership/responsibilities to the team

    Planning Approach

    Create a detailed plan before work begins

    Follow the plan

    High level planning only

    The plan evolves over project lifetime

    Delivery Approach

    One and done (big bang delivery at end of project)

    Iterative delivery (regularly demonstrate working code)

    Governance Approach

    Phases and gates

    Artifacts and approvals

    Demo working tested code and get stakeholder feedback

    Support delivery team and eliminate roadblocks

    Approach to Stakeholders

    Involved at beginning and end of project

    "Arm's length" relationship with delivery team

    Involved throughout project (sprint by sprint)

    Closely involved with delivery team (through full time PO)

    Approach to Requirements/Scope

    One-time requirements gathering at start of project

    Scope is fixed at beginning of project ("carved in stone")

    On going requirements gathering and refinement over time

    Scope is roughly determined at beginning (expect change)

    Approach to Changing Requirements

    Treats change like it is "bad"

    Onerous CM process (discourages change)

    Scope changes "require approval" and are disruptive

    Accepts change as natural part of development.

    Light Change Management process (change is welcome)

    Scope changes are handled like all changes

    Hybrid SDLC: Wagile/Agilfall/WaterScrumFall

    Valuable product delivered in multiple releases

    A picture of a hybrid waterfall - Agile approach.

    If moving directly from Waterfall to Agile is too much for your organization, this can be a valuable interim step (but it won't give you the full benefits of Agile, so be careful about getting stuck here).

    Exercise 2.1.6 Identify the challenges of implementing Agile in your organization

    30-60 minutes

    1. As a group, discuss:
      1. Why being Agile may be difficult in your organization?
      2. What are some of the roadblocks and speed bumps you may face?
      3. What incremental steps might the organization take toward becoming Agile?

    Record the results in the Roadmap for Transition to Agile Template

    Output

    • Why being Agile is hard in your organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Step 2.2

    Align teams with Agile fundamentals

    Activities

    2.2.1 Review the results of your Common Agile Challenges Survey (30-60 minutes)
    2.2.2 Align your support with your top five challenges

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Identify your organization's biggest Agile pain points.

    Be aware of common Agile challenges

    The road to Agile is filled with potholes, speedbumps, roadblocks, and brick walls!

    1. Establish an effective product owner role (PO)
    2. Uncertainty about minimum viable product (MVP)
    3. How non-Agile teams (like architecture, infosec, operations, etc.) work with Agile teams
    4. Project governance/gating process
    5. What is the role of a PM/PMO in Agile?
    6. How to budget/plan Agile projects
    7. How to contract and work with an Agile vendor
    8. An Agile skills deficit (e.g. new-to-Agile teams who have difficulty "doing Agile right")
    9. General resistance to change in the organization
    10. Lack of Agile training, piloting, and coaching
    11. Different Agile approaches are used by different teams
    12. Backlog management and user story decomposition challenges
    13. Quality assurance challenges
    14. Hierarchical management practices and organization boundaries
    15. Difficulty with establishing autonomous Agile teams
    16. Lack of management support for Agile
    17. Poor Agile estimation practices
    18. Difficulty creating effective product roadmaps in Agile
    19. How do we know when an Agile project is ready to go live?
    20. Sprint goals are not being consistently met, or sprint deliverables that are full of bugs

    Exercise 2.2.1 Review the results of your Common Agile Challenges Survey

    30-60 minutes

    1. Using the results of your Common Agile Challenges Survey, fill in the bar chart with your top five pain points:

    A screenshot from Common Agile Challenges Survey

    Output

    • Your organization's biggest Agile pain points identified and prioritized

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.2.2 Align your support with your top five challenges

    30 minutes

    Using the Agile Challenges support mapping on the following slides, build your transformation plan and supporting resources. You can build your plan by individual team results or as an enterprise approach.

    Priority Agile Challenge Module Name and Sequence
    1
    1. Agile Foundations
    2. ?
    2
    1. Agile Foundations
    2. ?
    3
    1. Agile Foundations
    2. ?
    4
    1. Agile Foundations
    2. ?
    5
    1. Agile Foundations
    2. ?

    Output

    • Your organization's Agile Challenges transformation plan

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Map challenges to supporting modules

    Agile Challenges

    Supporting Resources

    Difficulty establishing an effective product owner (PO) or uncertainty about the PO role

    Modules:

    • Agile Foundations
    • Establish an Effective Product Owner Role
    Uncertainty about minimum viable product (MVP) and how to identify your MVP

    Modules:

    • Agile Foundations
    • Simulate Effective Scrum Practices
    How non-Agile teams (like architecture, info sec, operations, etc.) work with Agile teams

    Modules:

    • Agile Foundations
    • Work With Non-Agile Teams (Future)
    Project Governance/Gating processes that are unfriendly to Agile

    Modules:

    • Agile Foundations
    • Establish Agile-Friendly Gating (Future)
    Uncertainty about the role of a PM/PMO in Agile

    Modules:

    • Agile Foundations
    • Understand the role of PM/PMO in Agile Delivery (Future)
    Uncertainty about how to budget/plan Agile projects

    Modules:

    • Agile Foundations
    • Simulate Effective Scrum Practices
    • Understand Budgeting and Funding for Agile Delivery (Future)
    Creating an Agile friendly RFP/Contract (e.g. how to contract and work with an Agile vendor)

    Modules:

    • Agile Foundations
    • Work Effectively with Agile Vendors (Future)

    Note: Modules listed as (Future) are in development and may be available in draft format.

    Map challenges to supporting modules

    Agile Challenges

    Supporting Resources

    An Agile skills deficit (e.g. new-to-Agile teams who have difficulty "doing Agile right")

    Modules:

    • Agile Foundations
    General resistance in the organization to process changes required by Agile

    Modules:

    • Agile Foundations
    • Manage Organizational Change to Support Agile Delivery (Future)
    Lack of Agile training, piloting and coaching being offered by the organization

    Modules:

    • Agile Foundations
    Different Agile approaches are used by different teams, making it difficult to work together

    Modules:

    • Agile Foundations
    • Build Your Scrum Playbook (Future)
    Backlog management challenges (e.g. how to manage a backlog, and make effective use of Epics, Features, User Stories, Tasks and Bugs)

    Modules:

    • Agile Foundations
    • Manage Your Backlog Effectively
    Quality Assurance challenges (testing not being done well on Agile projects)

    Modules:

    • Agile Foundations
    • Establish Effect Quality Assurance for Agile Delivery (Future);
    • Use Test Automation Effectively (Future)
    Hierarchical management practices and organization boundaries make it difficult to be Agile

    Modules:

    • Agile Foundations
    • Manage Organizational Change to Support Agile Delivery (Future)

    Note: Modules listed as (Future) are in development and may be available in draft format.

    Map challenges to supporting modules

    Agile Challenges

    Supporting Resources

    Difficulty with establishing autonomous Agile teams (self managing, cross functional teams that are empowered by the organization to deliver)

    Modules:

    • Agile Foundations
    • Manage Organizational Change to Support Agile Delivery (Future)
    Lack of management support for Agile

    Modules:

    • Agile Foundations
    • Manage Organizational Change to Support Agile Delivery (Future)
    Poor understanding of Agile estimation techniques and how to apply them effectively

    Modules:

    • Agile Foundations
    • Estimation Module
    Difficulty creating effective product roadmaps in Agile

    Modules:

    • Agile Foundations
    • Product Roadmapping Tool
    How do we know when an Agile project is ready to go live

    Modules:

    • Agile Foundations
    • Decide When to Go Live (Future)
    Sprint goals are not being consistently met, or Sprint deliverables that are full of bugs

    Modules:

    • Agile Foundations
    • Establish Effect Quality Assurance for Agile Delivery (Future);
    • Use Test Automation Effectively (Future)

    Note: Modules listed as (Future) are in development and may be available in draft format.

    Map challenges to supporting blueprints

    Agile Challenges

    Supporting Resources

    Difficulty establishing an effective product owner (PO) or uncertainty about the PO role

    Blueprints: Build a Better Product Owner; Managing Requirements in an Agile Environment

    Uncertainty about minimum viable product (MVP) and how to identify your MVP

    Blueprints: Deliver on Your Digital Product Vision; Managing Requirements in an Agile Environment

    How non-Agile teams (like architecture, info sec, operations, etc.) work with Agile teams

    Blueprints: Create a Horizontally Optimized SDLC to Better Meet Business Demands, Extend Agile Practices Beyond IT, Implement DevOps Practices That Work; Build Your BizDevOps Playbook, Embed Security into the DevOps Pipeline

    Project Governance/Gating processes that are unfriendly to Agile

    Blueprints: Streamline Your Management Process to Drive Performance, Drive Business Value With a Right-Sized Project Gating Process

    Uncertainty about the role of a PM/PMO in Agile

    Blueprints: Define the Role of Project Management in Agile and Product-Centric Delivery, Create a Horizontally Optimized SDLC to Better Meet Business Demands

    Uncertainty about how to budget/plan Agile projects

    Blueprints: Identify and Reduce Agile Contract Risk

    Creating an Agile friendly RFP/Contract (e.g. how to contract and work with an Agile vendor)

    Blueprints: Identify and Reduce Agile Contract Risk

    Note: Modules listed as (Future) are in development and may be available in draft format.

    Map challenges to supporting blueprints

    Agile Challenges

    Supporting Resources

    An Agile skills deficit (e.g. new-to-Agile teams who have difficulty "doing Agile right")

    Blueprints: Perform an Agile Skills Assessment; Mentoring for Agile Teams

    General resistance in the organization to process changes required by Agile

    Blueprints: Master Organizational Change Management Practices

    Lack of Agile training, piloting and coaching being offered by the organization

    Blueprints: Perform an Agile Skills Assessment; Mentoring for Agile Teams

    Different Agile approaches are used by different teams, making it difficult to work together

    Blueprints: Create a Horizontally Optimized SDLC to Better Meet Business Demands, Extend Agile Practices Beyond IT

    Backlog management challenges (e.g. how to manage a backlog, and make effective use of epics, features, user stories, tasks and bugs)

    Blueprints: Deliver on Your Digital Product Vision, Managing Requirements in an Agile Environment

    Quality Assurance challenges (testing not being done well on Agile projects)

    Blueprints: Build a Software Quality Assurance Program, Automate Testing to Get More Done

    Hierarchical management practices and organization boundaries make it difficult to be Agile

    Blueprints: Master Organizational Change Management Practices

    Map challenges to supporting blueprints

    Agile Challenges

    Supporting Resources

    Difficulty with establishing autonomous Agile teams (self managing, cross functional teams that are empowered by the organization to deliver)

    Blueprints: Master Organizational Change Management Practices

    Lack of management support for Agile

    Blueprints: Master Organizational Change Management Practices

    Poor understanding of Agile estimation techniques and how to apply them effectively

    Blueprints: Estimate Software Delivery with Confidence, Managing Requirements in an Agile Environment

    Difficulty creating effective product roadmaps in Agile

    Blueprints: Deliver on Your Digital Product Vision

    How do we know when an Agile project is ready to go live

    Blueprints: Optimize Applications Release Management,Drive Business Value With a Right-Sized Project Gating Process, Managing Requirements in an Agile Environment

    Sprint goals are not being consistently met, or sprint deliverables that are full of bugs

    Blueprints: Build a Software Quality Assurance Program, Automate Testing to Get More Done, Managing Requirements in an Agile Environment

    Step 2.3

    Move stepwise to iterative Agile delivery (Optional)

    Activities

    2.3.1 (Optional) Identify a hypothetical project
    2.3.2 (Optional) Capture your traditional delivery approach
    2.3.3 (Optional) Consider what a two-phase delivery looks like
    2.3.4 (Optional) Consider what a four-phase delivery looks like
    2.3.5 (Optional) Consider what a four-phase delivery with monthly sprints looks like
    2.3.6 (Optional) Decide on your target state and the steps required to get there

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Understand the changes that must take place in your organization to support a more Agile delivery approach.

    Moving stepwise from traditional to Agile

    Your transition to Agile and more frequent releases doesn't need to be all at once. Organizations may find it easier to build toward smaller iterations.

    An image of the stepwise approach to adopting Agile.

    Exercise 2.3.1 (Optional) Identify a hypothetical project

    15-30 minutes

    1. As a group, consider some typical, large, mission-critical system deliveries your organization has done in the past (name a few as examples).
    2. Imagine a project like this has been assigned to your team, and the plan calls for delivering the system using your traditional delivery approach and taking two years to complete.
    3. Give this imaginary project a name (e.g. traditional project, our project).

    Name of your imaginary 2-year long project:

    e.g. Big Bang ERP

    Brief Project Description:

    e.g. Replace home-grown legacy ERP with a modern COTS product in a single release scheduled to be delivered in 24 months

    Record this in the Roadmap for Transition to Agile Template

    Info-Tech Best Practice

    For best results, complete these sub-exercises with representatives from as many functional areas as possible
    (e.g. stakeholders, project management, business analysis, development, testing, operations, architecture, infosec)

    Output

    • An imaginary delivery project that is expected to take 2 years to complete

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.2 (Optional) Capture your traditional delivery approach

    30 minutes

    1. As a group, discuss and capture the high-level steps followed (after project approval) in your traditional delivery approach using the table below and on the next page.

    Step

    Description

    Who is involved

    1
    • Gather detailed requirements (work with project stakeholders to capture all requirements of the system and produce a Detailed Requirements Document)

    PM, Business Analysts, Stakeholders, etc.

    2
    • Produce a Detailed Design Document (develop a design that will meet all requirements identified in the Detailed Requirements Document)
    • Produce a Detailed Test Plan for acceptance of the system
    • Produce a Detailed Project Plan for the system delivery
    • Perform threat and privacy assessment (using the detailed requirements and design documents, perform a Threat Risk Assessment and Privacy Impact Analysis)
    • Submit detailed design to Architecture Review Board
    • Provide Operations with full infrastructure requirements
    PM, Architects, InfoSec, ARB, Operations, etc.
    3
    • Develop software (follow the Detailed Design Document and develop a system which meets all requirements)
    • Perform Unit Testing on all modules of the system as they are developed
    PM, Developers, etc.
    4
    • Create Production Environment based on project specification
    • Perform Integration testing of all modules to ensure the system works as designed
    • Produce an Integration Test Report capturing the results of testing and any deficiencies
    PM, Testers, etc.
    5
    • Fix all Sev 1 and Sev 2 deficiencies found during Integration Testing
    • Perform regression testing
    • Perform User Acceptance Testing as per the Detailed Test Plan
    PM, Developers, Testers, Stakeholders, etc.
    6
    • Product Deployment Plan
    • Perform User and Operations Training
    • Produce updated Threat Risk Assessment and Privacy Impact Analysis
    • Seek CAB (Change Approval Board) approval to go live
    PM, Developers, Testers, Operations, InfoSec, CAB, etc.
    7
    • Close out and Lessons Learned
    • Verify value delivery
    PM, etc.

    Output

    • The high-level steps in your current (traditional) delivery approach and who is involved in each step

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.2 (Optional) Capture your traditional delivery approach

    Step

    Description

    Who is involved

    1
    • Gather detailed requirements (work with project stakeholders to capture all requirements of the system and produce a Detailed Requirements Document)

    PM, Business Analysts, Stakeholders, etc.

    2
    • Produce a Detailed Design Document (develop a design that will meet all requirements identified in the Detailed Requirements Document)
    • Produce a Detailed Test Plan for acceptance of the system
    • Produce a Detailed Project Plan for the system delivery
    • Perform threat and privacy assessment (using the detailed requirements and design documents, perform a Threat Risk Assessment and Privacy Impact Analysis)
    • Submit detailed design to Architecture Review Board
    • Provide Operations with full infrastructure requirements
    PM, Architects, InfoSec, ARB, Operations, etc.
    3
    • Develop software (follow the Detailed Design Document and develop a system which meets all requirements)
    • Perform Unit Testing on all modules of the system as they are developed
    PM, Developers, etc.
    4
    • Create Production Environment based on project specification
    • Perform Integration testing of all modules to ensure the system works as designed
    • Produce an Integration Test Report capturing the results of testing and any deficiencies
    PM, Testers, etc.
    5
    • Fix all Sev 1 and Sev 2 deficiencies found during Integration Testing
    • Perform regression testing
    • Perform User Acceptance Testing as per the Detailed Test Plan
    PM, Developers, Testers, Stakeholders, etc.
    6
    • Product Deployment Plan
    • Perform User and Operations Training
    • Produce updated Threat Risk Assessment and Privacy Impact Analysis
    • Seek CAB (Change Approval Board) approval to go live
    PM, Developers, Testers, Operations, InfoSec, CAB, etc.
    7
    • Close out and Lessons Learned
    • Verify value delivery
    PM, etc.

    Output

    • The high-level steps in your current (traditional) delivery approach and who is involved in each step

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.3 (Optional) Consider what a two-phase delivery looks like

    30 minutes

    1. As a group, imagine that project stakeholders tell you two years is too long to wait for the project, and they want to know if they can have something (even if it's not the whole thing) in production sooner.
    2. Now imagine that you are able to convince the stakeholders to work with you to do the following:
      1. Identify their most important project requirements.
      2. Work with you to describe a valuable subset of the project requirements which reflect about ½ of all features they need (call this Phase 1).
      3. Work with you to get this Phase 1 of the project into production in about 1 year.
      4. Agree to leave the remaining requirements (e.g. the less important ones) until Phase 2 (second year of project).
    3. As a group, identify:
      1. How hard this would be for your organization to do, on a scale of 1 to 10.
      2. Identify what changes are needed to make this happen (consider people, processes, and technology).
      3. Capture your results using the table on the following slide.

    Output

    • The high-level steps in your current (traditional) delivery approach and who is involved in each step

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.3 (Optional) Consider what a two-phase delivery looks like

    30 minutes

    1. What would be needed to let you deliver a two-year project in two one-year phases considering people, process, and technology?

    People

    Processes

    Technology

    • e.g. Stakeholders would need to make hard decisions about which features are more valuable/important than others (and stick to them)
    • e.g. Delivery team and stakeholders would need to work closely together to determine what is a feasible and valuable set of features which can go live in Phase 1
    • e.g. Operations will need to be prepared to support Phase 1 (earlier than before), and then support an updated system after Phase 2
    • e.g. No significant change to traditional processes other than delivering in two phases
    • e.g. Need to decide whether requirements for the full project need to be gathered up front, or do you just do Phase 1, and then Phase 2
    • e.g. No significant changes other than we need a production environment sooner, and infrastructure requirements for the full project may be different from what is needed just for Phase 1

    How difficult would this be to achieve in your organization? (1-easy, 10-next to impossible)

    e.g. 2

    Output

    • Understand how your organization would deliver a large project in two phases

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.4 (Optional) Consider what a four-phase delivery looks like

    30 minutes

    1. Now, imagine that project stakeholders tell you that even one year is still too long to wait for something of value in production, and they want to know if they can have something (even if it's not the whole thing) in production sooner.
    2. Now imagine that you are able to convince the stakeholders to work with you to do the following:
      1. From the "Phase 1" requirements in Exercise 2.3.3, they will identify the most important ones that they need first.
      2. They will work with you to describe a valuable subset of these project requirements which reflect about ½ of all features they need (call this Phase 1A).
      3. They will work with you to get this Phase 1A of the project into production in about six months.
      4. Agree to leave all the remaining requirements (e.g. the less important ones) until later phases.
    1. As a group, identify:
      1. How hard this would be for your organization to do, on a scale of 1 to 10?
      2. Identify what changes are needed to make this happen (consider people, processes, and technology).
      3. Capture your results using the table on the following slide.

    Output

    • Understand how your organization would deliver a large project in two phases

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.4 (Optional) Consider what a four-phase delivery looks like

    30 minutes

    1. What more would be needed to let you deliver a two-year project in four, six-month phases considering people, process, and technology?

    People

    Processes

    Technology

    • e.g. Stakeholders would need to make even harder (and faster) decisions about which features are most valuable/important than others.
    • e.g. Because we will be delivering releases so quickly, we'll ask the stakeholders to nominate a "primary contact" who can make decisions on requirements for each phase (also to answer questions from the project team, when needed, so they aren't slowed down).
    • e.g. Delivery team and the "primary contact" would work closely together to determine what is a feasible and valuable set of features to go live within Phase 1A, and then repeat this for the remaining Phases.
    • e.g. Operations will need to be prepared to support Phase 1A (even earlier than before), and then support the remaining phases. Ask them to dedicate someone as primary contact for this series of releases, and who provides guidance/support as needed.

    e.g. Heavy and time-consuming process steps (e.g. architecture reviews, data modelling, infosec approvals, change approval board) will need to be streamlined and made more "iteration-friendly."

    e.g. Gather detailed requirements only for Phase 1A, and leave the rest as high-level requirements to be more fully defined at the beginning of each subsequent phase.

    • e.g. We will need (at a minimum) a Production, and a Pre-production environment set up (and earlier in the project lifecycle) and solid regression testing at the end of each phase to ensure the latest Release doesn't break anything.
    • e.g. Since we will be going into production multiple times over this 2-year project, we should consider using automation (e.g. automated build, automated regression testing, and automated deployment).

    How difficult would this be to achieve in your organization? (1-easy, 10-next to impossible)

    e.g. 5

    Output

    • Understand how your organization would deliver a large project in two phases

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.5 (Optional) Consider what a four-phase delivery with monthly sprints looks like

    30 minutes

    1. Now, imagine that project stakeholders tell you that they are happy with the six-month release approach (e.g. expect to go live four times over the two-year project, with each release providing increased functionality), but they want to see your team's progress frequently between releases.
    2. Additionally, stakeholders tell you that instead of asking you to provide the traditional monthly project status reports, they want you to demonstrate whatever features you have built and work for the system on a monthly basis. This will be done in the form of a demonstration to a selected list of stakeholders each month.
    3. Each month, your team must show working, tested code (not prototypes or mockups, unless asked for) and demonstrate how this month's deliverable brings value to the business.
    4. Furthermore, the stakeholders would like to be able to test out the system each month, so they can play with it, test it, and provide feedback to your team about what they like and what they feel needs to change.
    5. To help you to achieve this, the stakeholders designate their primary contact as the "product owner" (PO) who will be dedicated to the project and will help your team to decide what is being delivered each month. The PO will be empowered by the stakeholders to make decisions on scope and priority on an expedited basis and will also answer questions on their behalf when your team needs guidance.
    6. You agree with the stakeholders these one-month deliverables will be called "sprints."

    Output

    • Understand how your organization would deliver a large project in two phases

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.5 (Optional) Consider what a four-phase delivery with monthly sprints looks like

    30 minutes

    1. What more would be needed to let you deliver a two-year project in 24 one-month sprints (plus four six-month releases) considering people, process, and technology?

    People

    Processes

    Technology

    • e.g. The team will need to work closely with the product owner (and/or stakeholders) on a continuous basis to understand requirements and their relative priority
    • e.g. Stakeholders will need to be available for demos and testing at the end of each sprint, and provide feedback to the team as quickly as possible
    • e.g. all functional siloes within IT (e.g. analysts, architects, infosec, developers, testers, operations) will need to work hand in hand on a continuous basis to deliver working tested code into a demo/test environment at the end of each sprint
    • e.g. there isn't enough time in each sprint to have team members working in siloes, instead, we will need to work together as a team to ensure that all aspects of the sprint (requirements, design, build, test, etc.) are worked on as needed (team is equally and collectively responsible for delivery of each sprint)
    • e.g. We can't deliver much in 1-month sprints if we work in siloes and are expected to do traditional documentation and handoffs (e.g. requirements document), so we will use a fluid project backlog instead of requirements documents, we will evolve our design iteratively over the course of the many sprints, and we will need to streamline the CAB process to allow for faster (more frequent) deployments
    • e.g. We will need to evolve the system's data model iteratively over the course of many sprints (rather than a one-and-done approach at the beginning of the project)
    • e.g. We will need to quickly decide the scope to be delivered in each sprint (focusing on highest value functionality first). Each sprint should have a well-defined "goal" that the team is trying to achieve
    • We will need any approval processes (e.g. architecture review, infosec review, CAB approval) to be streamlined and simplified in order to support more frequent and iterative deployment of the system
    • e.g. We will need to maximize our use of automation (build, test, and deploy) in order to maximize what we can deliver in each sprint (Note: the ROI on automation is much higher when we deliver in sprints than in a one-and-done delivery because we are iterating repeatedly over the course of the project
    • e.g. We will need to quickly stand-up environments (dev, test, prod, etc.) and to make changes/enhancements to these environments quickly (it makes sense to leverage infrastructure as a service [IaaS] techniques here)
    • e.g. We will need to automate our security related testing (e.g. static and dynamic security testing, penetration testing, etc.) so that it can be run repeatedly before each release moves into production. We may need to evolve this automated testing with each sprint depending on what new features/functions are being delivered in each release

    How difficult would this be to achieve in your organization? (1-easy, 10-next to impossible)

    e.g. 8

    Output

    • Understand how your organization would deliver a large project in two phases

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.6 (Optional) Define the steps to reach your target state

    30 minutes

    1. From Exercises 2.3.1-2.3.5, identify your current state on the stepwise transition from traditional to Agile (e.g. one-and-done).
    2. Then, identify your desired future state (e.g. 24 one-month sprints with six-month releases).
    3. Now, review your people, process, and technology changes identified in Exercises 2.3.1-2.3.5 and create a roadmap for this transition using the table on the next slide.

    Identify your current state from Exercises 2.3.1-2.3.5

    e.g. One-and-done

    Identify your desired state from Exercises 2.3.1-2.3.5

    e.g. 24x1 Month Sprints

    Output

    • A roadmap and timeline for adopting a more Agile delivery approach

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.3.6 (Optional) Define the steps to reach your target state

    30 minutes

    1. Fill in the table below with your next steps. Identify who will be responsible for each step along with the timeline for completion: "Now" refers to steps you will take in the immediate future (e.g. days to weeks), "Next" refers to steps you will take in the medium term (e.g. weeks to months), and "Later" refers to long-term items (e.g. months to years).

    Now

    Next Later

    What are you going to do now?

    What are you going to do very soon?

    What are you going to do in the future?

    Roadmap Item

    Who

    Date

    Roadmap Item

    Who

    Date

    Roadmap Item

    Who

    Date

    Work with Stakeholders to identify a product owner for the project.

    AC

    Jan 1

    Break down full deliverable into 4 phases with high level requirements for each phase

    DL

    Feb 15

    Work with operations to set up Dev, Test, Pre-Prod, and Prod environments for first phase (make use of automation/scripting)

    DL

    Apr 15

    Work with PO and stakeholders to help them understand Agile approach

    Jan 15

    Work with PO to create a project backlog for the first phase deliverable

    JK

    Feb 28

    Work with QA group to select and implement test automation for the project (start with smoke and regression tests)

    AC

    Apr 30

    Work with project gating body, architecture, infosec and operations to agree on incremental deliveries for the project and streamlined activities to get there

    AC

    Mar 15

    Record the results in the Roadmap for Transition to Agile Template

    Output

    • A roadmap and timeline for adopting a more Agile delivery approach

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Step 2.4

    Identify insights and team feedback

    Activities

    2.4.1 Identify key insights and takeaways
    2.4.2 Perform an exit survey

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Identify your key insights and takeaways from Phase 2

    Exercise 2.4.1 Identify key insights and takeaways

    30 minutes

    1. As a group, discuss and capture your thoughts on:
      1. What key insights have participants gained from the intro to Agile presentation?
      2. What if any takeaways do participants feel are needed as a result of the presentation?
      3. What changes need to be made in the organization to support/enhance Agile adoption?
    2. Capture your findings in the table below:
    What key insights have you gained? What takeaways have you identified?
    • (e.g. better understanding of Agile mindset, principles, and practices)
    • (e.g. how you can improve/spread Agile practices in the organization)

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Exercise 2.4.2 Perform an exit survey

    30 minutes

    1. Wrap up this section by addressing any remaining questions participants still have.
    2. Create your local exit survey by copying the template using the link below. Then copy and distribute your local survey link.
    3. Collect the consolidated survey results in preparation for your next steps.
    4. NOTE: Using this survey template requires having access to Microsoft Forms. If you cannot access Microsoft Forms, an Info-Tech analyst can send the survey for you. Alternatively, this survey can be done with sticky notes and a pen and paper to calculate the outcomes.

    Download Survey Template:

    Develop Your Agile Approach Exit Survey Template

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Agile Modules

    Prioritize Agile support with your top challenges

    Backlog Management

    Scrum Simulation

    Estimation

    Product Owner

    Product Roadmapping

    1: User stories and the art of decomposition

    2: Effective backlog management & refinement

    3: Identify insights and team feedback

    1: Scrum sprint planning and retrospective simulation

    2: Pass the balls – sprint velocity game

    1: Improve product backlog item estimation

    2: Agile estimation fundamentals

    3: Understand the wisdom of crowds

    4: Identify insights and team feedback

    1: Understand product management fundamentals

    2: The critical role of the product owner

    3: Manage effective product backlogs and roadmaps

    4: Identify insights and team feedback

    1: Identify your product roadmapping pains

    2: The six "tools" of product roadmapping

    3: Product roadmapping exercise

    Organizations often struggle with numerous pain points around Agile delivery.
    The Common Agile Challenges Survey results will help you identify and prioritize the organization's biggest (most cited) pain points. Treat these pain points like a backlog and address the biggest ones first.

    Agile modules provide supporting activities:
    Each module provides guidance and supporting activities related to a specific Agile challenge from your survey. These modules can be arranged to meet each organization's or team's needs while providing cohesive and consistent messaging. For additional supporting research, please visit the Agile / DevOps Resource Center.
    This phase involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Backlog Management Module

    Manage your backlog effectively

    Activities

    Backlog 1.1 Identify your backlog and user story decomposition pains
    Backlog 1.2 What are user stories and why do we use them?
    Backlog 1.3 User story decomposition: password reset
    Backlog 1.4 (Optional) Decompose a real epic

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • A better understanding of backlog management and user story decomposition.

    Backlog Exercise 1.1 Identify your backlog and user story decomposition pains

    30-60 minutes

    1. As a group, discuss and capture your thoughts on:
      1. What specific challenges you are facing with backlog management
      2. What specific challenges you are facing with user story decomposition
    1. Capture your findings in the table below:

    What are your specific backlog management and user story decomposition challenges?

    • (e.g. We have trouble telling the difference between epics, features, user stories, and tasks)
    • (e.g. We often don't finish all user stories in a sprint because some of them turn out to be too big to complete in one sprint)

    Output

    • Your specific backlog management and user story decomposition challenges

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    User stories and the art of decomposition

    User stories are core to Agile delivery.

    Good user story decomposition practices are key to doing Agile effectively.

    Agile doesn't use traditional "shoulds" and "shalls" to capture requirements

    Backlog Exercise 1.2 What are user stories and why do we use them?

    30-60 minutes

    1. User stories are a simple way of capturing requirements in Agile and have the form:

    Why do we capture requirements as user stories (what value do they provide)?

    How do they differ from traditional (should/shall) requirements (and are they better)?

    What else stands out to you about user stories?

    as a someone I want something so that achieve something.

    Example:
    As a banking customer, I want to see the current balance of my accounts so that I can know how much money I have in each account.

    Output

    • A better understanding of user stories and why they are used in Agile delivery

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    User stories are "placeholders for conversations"

    User stories enable collaboration and conversations to fully determine actual business requirements over time.

    e.g. As a banking customer, I want to see the current balance of my accounts so that I can know how much money I have in each account.

    Requirements, determined within the iterations, outline the steps to complete the story: how the user will access their account, the types of funds allowed, etc.

    User stories allow the product owners to prioritize and manage the product needs (think of them as "virtual sticky notes").

    User stories come in different "sizes"

    These items form a four-level hierarchy: epics, features, user stories, and tasks.
    They are collectively referred to as product backlog items or (PBIs)

    A table with the following headings: Agile; Waterfall; Relationship; Definition

    The process of taking large PBIs (e.g. epics and features) and breaking them down in to small PBIs (e.g. user stories and tasks) is called user story decomposition and is often challenging for new-to-Agile teams

    Backlog Exercise 1.3 User story decomposition: password reset

    30-60 minutes

    1. As a group, consider the following feature, which describes a high-level requirement from a hypothetical system:
      • FEATURE: As a customer, I want to be able to set and reset my password, so that I can transact with the system securely.
    2. Imagine your delivery team tells you that this is user story is too large to complete in one sprint, so they have asked you to decompose it into smaller pieces. Work together to break this feature down into several smaller user stories:
    User Story 1: User Story 2: User Story 3:
    As A I Want So That. As A I Want So That. As A I Want So That.

    Output

    • An epic which has been decomposed into smaller user stories which can be completed independently

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Backlog Exercise 1.3 User story decomposition: password reset

    Epic: As a customer, I want to be able to set and reset my password, so that I can transact securely.

    A single epic can be broken down into multiple user stories

    User Story 1: User Story 2: User Story 3: User Story 4:
    This is a picture of user story 1 This is a picture of user story 2 This is a picture of user story 3 This is a picture of user story 4

    Acceptance Criteria:
    Given that the customer has a password that they want to change,
    When the administrator clicks reset password on the admin console,
    Then the system will change the password and send it to the user.

    Acceptance Criteria:
    Given that the customer has a password that they want to change,
    When they click reset password in the system,
    Then the system will allow them to choose a new password and will save it the password and send it to the user.

    Acceptance Criteria:
    Given that the customer has not logged onto the system before,
    When they initially log in,
    Then the system will prompt them to change their password.

    Acceptance Criteria:
    Given that a password is stored in the database,
    When anyone looks at the password field in the database,
    Then the actual password will not be visible or easily decrypted.

    Are enablers included in your backlogs? Should they be?

    An enabler is any support activity needed to provide the means for future functionality. Enablers build out the technical foundations (e.g. architecture) of the product and uphold technical quality standards.

    Your audience will dictate the level of detail and granularity you should include in your enabler, but it is a good rule of thumb to stick to the feature level.

    Enablers

    Description

    Enabler Epics

    Non-functional and other technical requirements that support your features (e.g. data and system requirements)

    Enabler Capabilities of Features

    Enabler Stories

    Consider the various types of enabler

    Exploration

    Architectural

    Any efforts toward learning customer or user needs and creation of solutions and alternatives. Exploration enablers are heavily linked to learning milestones.

    Any efforts toward building components of your architecture. These will often be linked to delivery teams other than your pure development team.

    Infrastructure

    Compliance

    Any efforts toward building various development and testing environments. Again, these are artifacts that will relate to other delivery teams.

    Any efforts toward regulatory and compliance requirements in your development activities. These can be both internal and external.

    Source: Scaled Agile, "Enablers."

    Create, split, and bundle your PBIs

    The following questions can be helpful in dissecting an epic down to the user story level. The same line of thinking can also be useful for bundling multiple small PBIs together.

    An image showing how to Create, split, and bundle your PBIs

    Backlog Exercise 1.4 (Optional)
    Decompose a real epic

    30 minutes

    1. As a group, select a real epic or feature from one of your project backlogs which needs to be decomposed:
    2. Work together to decompose this epic down into several smaller features and/or user stories (user stories must be small enough to reasonably be completed within a sprint):

    Epic to be decomposed:

    As a ____ I want _____ so that ______

    User Story 1: User Story 2: User Story 3:
    As A I Want So That. As A I Want So That. As A I Want So That.

    Output

    • A real epic from your project backlog which has been decomposed into smaller features and user stories

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Backlog Management Module

    Manage your backlog effectively

    Activities

    Backlog 2.1 Identify enablers and blockers

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Backlog PBI filters.
    • A better understanding of backlog types and levels.

    Effective backlog management and refinement

    Working with a tiered backlog

    an image showing the backlog tiers: New Idea; Ideas; Qualified; Ready - sprint.

    Use a tiered approach to managing your backlog, and always work on the highest priority items first.

    Distinguish your specific goals for refining in the product backlog vs. planning for a sprint itself

    Often backlog refinement is used interchangeably or considered a part of sprint planning. The reality is they are very similar, as the required participants and objectives are the same however, there are some key differences.

    An image of a Venn diagram comparing Backlog Refinement to sprint Planning.

    A better way to view them is "pre-planning" and "planning."

    A backlog stores and organizes PBIs at various stages of readiness

    A well-formed backlog can be thought of as a DEEP backlog:

    • Detailed Appropriately: Product backlog items (PBIs) are broken down and refined as necessary.
    • Emergent: The backlog grows and evolves over time as PBIs are added and removed.
    • Estimated: The effort a PBI requires is estimated at each tier.
    • Prioritized: The PBIs value and priority are determined at each tier.

    (Perforce, 2018)

    An image showing the Ideas; Qualified; Ready; funnel leading to the sprint approach.

    Backlog tiers facilitate product planning steps

    An image of the product planning steps facilitated by Backlog Tiers

    Each activity is a variation of measuring value and estimating effort to validate and prioritize a PBI.

    A PBI meets our definition of done and passes through to the next backlog tier when it meets the appropriate criteria. Quality filters should exist between each tier.

    Backlog Exercise 2.1 Build a starting checklist of quality filters

    60 minutes

    1. Quality filters provide a checklist to ensure each Product Backlog Item (PBI) meets our definition of Done and is ready to move to the next backlog group (status).
    2. Create a checklist of basic descriptors that must be completed between each backlog level.
    3. If you completed this exercise in a different Module, review and update it here.
    4. Use this information to start your product strategy playbook in Deliver on Your Digital Product Vision.

    An image of the backlog tiers, identifying where product backlog and sprint backlog are

    Output

    • List of enablers and blockers to establishing product owners

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Outline the criteria to proceed to the next tier via quality filters

    Expand the concepts of defining "ready" and "done" to include the other stages of a PBIs journey through product planning.

    An image showing the approach you will use to Outline the criteria to proceed to the next tier via quality filters

    Info-Tech Insight: A quality filter ensures quality is met and teams are armed with the right information to work more efficiently and improve throughput.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver. Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    Facilitator slides: Explaining MVP

    Notes and Instructions

    The primary intent of this exercise is to explain the complex notion of MVP (it is one of the most misunderstood and contentious issues in Agile delivery). The exercise is intended to explain it in a simple and digestible way that will fundamentally change participants' understanding of MVP.

    Note that the slide contains animations.

    Imagine that your stakeholder tells you they want a blue 4-door sedan (consider this our "MVP" at this point), and you decide to build it the traditional way. As you build it (tires, then frame, then body, then joint body with frame and install engine), the stakeholder doesn't have anything they can use, and so they are only happy (and able to get value) at the end when the entire car is finished (point out the stakeholder "faces" go from unhappy to happy in the end).
    Animation 1:
    When we use Agile methods, we don't want to wait until the end before we have something the stakeholders can use. So instead of waiting until the entire car is completed, we decide our first iteration will be to give the stakeholder "a simple (blue) wheeled transportation device"…namely a skateboard that they can use for a little while (it's not a car, but it is something the stakeholder can use to get places).
    Animation 2:
    After the stakeholder has tried out the skateboard, we ask for feedback. They tell us the skateboard helped them to get around faster than walking, but they don't like the fact that it is so hard to maintain your balance on it. So, we add a handle to the skateboard to turn it into a scooter. The stakeholder then uses the scooter for a while. Stakeholder feedback says staying balanced on the scooter is much easier, but they don't have a place to put groceries when they go shopping, so can we do something about that?
    (Continued on next slide…)

    Facilitator slides: Explaining MVP

    Notes and Instructions
    Animation 3:
    Next, we build the stakeholder a bicycle and let them use it for a while before asking for feedback. The stakeholder tells us they love the bicycle, but they admit they get tired on long trips, so is there something we can do about that?
    Animation 4:
    So next we add a motor to the bicycle to turn it into a motorcycle, and again we give it to the stakeholder to use for a while. When we ask the stakeholder for feedback, they tell us that they love the motorcycle so much because they love the feeling of the wind in their hair, they've decided that they no longer want a 4-door sedan, but instead would prefer a blue 2-door convertible.
    Animation 5:
    And so, for our last iteration, we build the stakeholder what they actually wanted (a blue 2-door convertible) instead of what they asked for (a blue 4-door sedan), and we see that they are happier than they would have been if we had delivered the traditional way.

    INSIGHTS:

    • An MVP cannot be fully known at the beginning of a project (it is the "journey" of creating the MVP with stakeholders that defines what it looks like in the end).
    • Sometimes, stakeholders don't (or can't) know what they want until they see it.
    • There is no "straight path" to your MVP, you determine the path forward based on what you learned in the previous iterations.
    • This approach is part of the "power of Agile" and demonstrates why Agile can produce better outcomes and happier stakeholders.

    Understanding minimum viable product

    NOT Like This:

    This is a series of images. The top half of the image, shows building a car by starting with the wheels. The bottom Image shows the progression from skateboard, to scooter, to bike, to motorcycle, to car.

    It's Like This:

    Use iterations to maximize value delivery

    An image showing how to use iterations to maximize value delivery.

    Use iterations to reduce accumulated risk

    An image showing how to use iterations to reduce accumulated risk.

    Understanding MVP
    (always be ready to go live)

    A great and wise pharaoh hires two architects to build his memorial pyramids.

    An image shows two architects contribution to pyramid construction.

    Understanding MVP
    (always be ready to go live)

    Several years go by, and then…

    The pharaoh is on his death bed.

    Backlog Management Module

    Manage your backlog effectively

    Activities

    Backlog 3.1 Identify key insights and takeaways
    Backlog 3.2 Perform exit survey and capture results

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Identify your key insights and takeaways.

    Backlog Exercise 3.1 Identify key insights and takeaways

    30 minutes

    1. As a group, discuss and capture your thoughts on:
      1. What key insights have participants gained from the Intro to Agile presentation?
      2. What if any takeaways do participants feel are needed as a result of the presentation?
      3. What changes need to be made in the organization to support/enhance Agile adoption?
    2. Capture your findings in the table below:

    What key insights have you gained?

    What takeaways have you identified?

    • (e.g. better understanding of Agile mindset, principles, and practices)
    • (e.g. how you can improve/spread Agile practices in the organization)

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Backlog Exercise 3.2 Perform an exit survey

    30 minutes

    1. Wrap up this section by addressing any remaining questions participants still have.
    2. Create your local exit survey by copying the template using the link below. Then copy and distribute your local survey link.
    3. Collect the consolidated survey results in preparation for your next steps.
    4. NOTE: Using this survey template requires having access to Microsoft Forms. If you cannot access Microsoft Forms, an Info-Tech analyst can send the survey for you. Alternatively, this survey can be done with sticky notes and a pen and paper to calculate the outcomes.

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Download Survey Template:

    Develop Your Agile Approach Exit Survey Template

    Agile Modules

    Prioritize Agile support with your top challenges

    Backlog Management

    Scrum Simulation

    Estimation

    Product Owner

    Product Roadmapping

    1: User stories and the art of decomposition

    2: Effective backlog management & refinement

    3: Identify insights and team feedback

    1: Scrum sprint planning and retrospective simulation

    2: Pass the balls – sprint velocity game

    1: Improve product backlog item estimation

    2: Agile estimation fundamentals

    3: Understand the wisdom of crowds

    4: Identify insights and team feedback

    1: Understand product management fundamentals

    2: The critical role of the product owner

    3: Manage effective product backlogs and roadmaps

    4: Identify insights and team feedback

    1: Identify your product roadmapping pains

    2: The six "tools" of product roadmapping

    3: Product roadmapping exercise

    Organizations often struggle with numerous pain points around Agile delivery.
    The Common Agile Challenges Survey results will help you identify and prioritize the organization's biggest (most cited) pain points. Treat these pain points like a backlog and address the biggest ones first.

    Agile modules provide supporting activities:
    Each module provides guidance and supporting activities related to a specific Agile challenge from your survey. These modules can be arranged to meet each organization's or team's needs while providing cohesive and consistent messaging. For additional supporting research, please visit the Agile / DevOps Resource Center.
    This phase involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Scrum Simulation Module

    Scrum sprint planning and retrospective simulation

    Activities

    1.1 Identify your scrum pains
    1.2 Review scrum simulation intro
    1.3 Create a mock backlog
    1.4 Review sprint 0
    1.5 Determine a budget and timeline
    1.6 Understand minimum viable product
    1.7 Plan your first sprint
    1.8 Do a sprint retrospective
    1.9 "What if" exercise (understanding what a fluid backlog really means)
    1.10 A sprint 1 example
    1.11 Simulate more sprints

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • A better understanding of Scrum (particularly backlog management and user story decomposition).

    Facilitator slides: Scrum Simulation Introduction

    Introduction Tab

    Talk to the nature of the Scrum team:

    • Collective ownership/responsibility for delivery.
    • The organization has given you great power. With great power comes great responsibility.
    • You may each be specialists in some way, but you need to be prepared to do anything the project requires (no one goes home until everyone can go home).
    • Product owner: Special role, empowered by the organization to act as a single, authoritative voice for stakeholders (again great power/responsibility), determines requirements and priorities, three ears (business/stakeholders/team), holds the vision for the project, answer questions from the team (or finds someone who can answer questions), must balance autonomy with stakeholder needs, is first among equals on the Scrum team, is laser-focused on getting the best possible outcome with the resources, money, and circumstances ← PO acts as the "pathfinder" for the project.
    • Talk about the criticality and qualities of the PO: well-respected, highly collaborative, wise decision maker, a "get it done" type (healthy bias toward immediacy), has a vision for product, understands stakeholders, can get stakeholders' attention when needed, is dedicated full-time to the project, can access help when needed, etc.
    • The rest of you are the delivery team (have avoided singling out an SM for this – not needed for the exercise – but SM is the servant leader/orchestra conductor for the delivery team. The facilitator should act as a pseudo-SM for this exercise).

    Speak about the "bank realizes that the precise scope of the first release can only be fully known at the end of the project" statement and what it means.

    Discuss exercise and everyone's roles (make sure everyone clear), make it as realistic as possible. Your level of participation will determine how much value you get.

    Discuss any questions the participants might have about the background section on the introduction tab. The exercise has been defined in a way that minimizes the scope and complexity of the work to be done by assuming there are existing web-capable services exposed to the bank's legacy system(s) and that the project is mostly about putting a deployable web front end in place.

    Speak about "definition of done": Why was it defined this way? What are the boundaries? What happens if we define it to be only up to unit testing?

    Facilitator slides: Scrum Simulation, Create a Mock Backlog

    Create a Mock Backlog Tab

    This exercise is intended to help participants understand the steps involved in creating an initial backlog and deciding on their MVP.

    Note: The output from this exercise will not be used in the remainder of the simulation (a backlog for the simulation already exists on tab Sprint 0) so don't overdo it on this exercise. Do enough to help the participants understand the basic steps involved (brainstorm features and functions for the app, group them into epics, and decide which will be in- and out-of-scope for MVP). Examples have been provided for all steps of this exercise and are shown in grey to indicate they should be replaced by the participants.

    Step 1: Have all participants brainstorm "features and functions" that they think should be available in the online banking app (stop once you have what feels like a "good enough" list to move on to the next step) – these do not need to be captured as user stories just yet.

    Step 2: Review the list of features and functions with participants and decide on several epics to capture groups of related features and functions (bill payments, etc.). Think of these as forming the high-level structure of your requirements. Now, organize all the features and functions from Step 1, into their appropriate epic (you can identify as many epics as you like, but try to keep them to a minimum).

    Step 3: Point out that on the Introduction tab, you were told the bank wants the first release to go live as soon as possible. So have participants go over the list of features and functions and identify those that they feel are most important (and should therefore go into the first release – that is, the MVP), and which they would leave for future releases. Help participants think critically and in a structured way about how to make these very hard decisions. Point out that the product owner is the ultimate decision maker here, but that the entire team should have input into the decision. Point out that all the features and functions that make up the MVP will be referred to as the "project backlog," and all the rest will be known as the "product backlog" (these are of course, just logical separations, there is only one physical backlog).

    Step 4: This step is optional and involves asking the participants to create user stories (e.g. "As a __, I want ___ so that ___") for all the epics and features and functions that make up their chosen MVP. This step is to get them used to creating user stories, because they will need to get used to doing this. Note that many who are new to Agile often have difficulty writing user stories and end up overdoing it (e.g. providing a long-winded list of things in the "I want ___" part of the user story for an epic) or struggling to come up with something for the "so that ____" part). Help them to get good at quickly capturing the gist of what should be in the user story (the details come later).

    Facilitator slides: Scrum Simulation, Budget and Timeline

    Project Budget and Timeline

    Total Number of Sprints = 305/20 = 15.25 → ROUND UP TO 16 (Why? You can't do a "partial sprint" – plus, give yourself a little breathing room.)

    Cost Per Sprint = 6 x $75 x 8 x 10 = $36,000

    Total Timeline = 16 * 2 = 32 Weeks

    Total Cost of First Release = $36,000 x 16 = $572,000

    Talk about the "commitment" a Scrum delivery team makes to the organization ("We can't tell you exactly what we will deliver, but based on what we know, if you give the team 32 weeks, we will deliver something like what is in the project backlog – subject to any changes our stakeholder tell us are needed"). Most importantly, the team commits to doing the most important backlog items first, so if we run out of time, the unfinished work will be the least valuable user stories. Lastly, to keep to the schedule/timeline, items may move in and out of the project backlog – this is part of the normal and important "horse trading" that takes place on health Agile projects.

    Speak to the fact that this approach allows you to provide a "deterministic" answer about how long a project will take and how much it will cost while keeping the project requirements flexible.

    Facilitator slides: Scrum Simulation, Sprint 0

    Sprint 0 Tab

    This is an unprioritized list, organized to make sense, and includes a user story (plus some stuff), and "good enough estimates" – How good?... Eh! (shoulder shrug)
    Point out the limited ("lazy") investment → Agile principle: simplicity, the art of maximizing the work not done.
    Point out that only way to really understand a requirement is to see a working example (requirements often change once the stakeholders see a working example – the "that's not what I meant" factor).

    Estimates are a balancing act (good enough that we understand the overall approximate size of this, and still acknowledges that more details will have to wait until we decide to put that requirement into a Sprint – remember, no one knows how long this project is going to take (or even what the final deliverable will look like) so don't over invest in estimates here.)

    Sprint velocity calculation is just a best guess → be prepared to find that your initial guess was off (but you will know this early rather than at the end of the project). This should lead to a healthy discussion about why the discrepancy is happening (sprint retrospectives can help here). Note: Sprint velocity doesn't assume working evenings and weekends!

    Speak to the importance of Sprint velocity being based on a "sustainable pace" by the delivery team. Calculations that implicitly expect sustained overtime in order to meet the delivery date must be avoided. Part of the power of Agile comes from this critical insight. Critical → Your project's execution will need to be adjusted to accommodate the actual sprint velocity of the team!

    Point out the "project backlog" and separation from the "product backlog" (and no sprint backlog yet!).

    Point out the function/benefits of the backlog:

    • A single holding place for all the work that needs to be done (so you don't forget/ignore anything).
    • Can calculate how much work is left to do.
    • A mechanism for prioritizing deliverables.
    • A list of placeholders for further discussion.
    • An evolving list that will grow and shrink over time.
    • A "living document" that must be maintained over the course of the project.

    Talk about large items in backlog (>20 pts) and how to deal with them (do we need to break them up now?).

    Give participants time to review the backlog: Questions/What would you be doing if this were real/We're going to collectively work through this backlog.
    Sprint 0 is your opportunity to: get organized as a team, do high level design, strategize on approach, think about test data, environments, etc. – it is the "Ready-Set" in "Ready-Set-Go."
    Think about doing a High/Med/Low value determination for each user story.

    Simulation Exercise 1.1 Identify your Scrum pains

    30 minutes

    1. As a group, discuss and capture your thoughts on:
      • What specific challenges are you facing with your Scrum practices?
    2. Capture your findings in the table below:

    What are your specific Scrum challenges?

    • (e.g. We don't know how to decide on our minimum viable product (MVP), or what to start working on first)
    • (e.g. We don't have a product owner assigned to the project)
    • (e.g. Our daily standups often take 30-60 minutes to complete)
    • (e.g. We heard Scrum was supposed to reduce the number of meetings we have, but instead, meetings have increased)
    • (e.g. We don't know how to determine the budget for an Agile project)

    Output

    • Your specific Scrum related challenges

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.2 Review Scrum Simulation intro

    30 minutes

    1. Ask participants to read the Introduction tab in the Scrum Simulation Exercise(5 minutes)
    2. Discuss and answer any questions the participants may have about the introduction (5 minutes)
    3. Discuss the approach your org would use to deliver this using their traditional approach (5 minutes)

    This is an image of the Introduction tab in the Scrum Simulation Exercise

    How would your organization deliver this using their traditional approach?

    1. Capture all requirements in a document and get signoff from stakeholders
    2. Create a detailed design for the entire system
    3. Build and test the system
    4. Deploy it into production

    Note: Refer to the facilitator slides for more guidance on how to deliver this exercise

    Simulation Exercise 1.3 Create a mock backlog

    30-60 minutes

    Step 1: Brainstorm "Features and Functions" that the group feels would be needed for this app

    Capture anything that you feel might be needed in the Online Banking Application:

    • See account balances
    • Pay a bill online
    • Set up payees for online bill payments
    • Make a deposit online
    • See a history of account transactions
    • Logon and logoff
    • Make an e-transfer
    • Schedule a bill payment for the future
    • Search for a transaction by payee/date/amount/etc.
    • Register for app
    • Reset password

    Note: Refer to the facilitator slides for more guidance on how to deliver this exercise

    Output

    • Create a mock initial backlog for the simulated project

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.3 Create a mock backlog

    30-60 minutes

    Step 2: Identify your epics

    1. Categorize your "Features and Functions" list into several epics for the application:

    Epics

    "Features and Functions" in This Epic

    Administration

    - Logon and logoff
    - Register for app
    - Reset password

    Accounts

    - See account balances
    - See a history of account transactions
    - Search for a transaction by payee/date/amount

    Bill payments

    - Set up payees for online bill payments
    - Pay a bill online
    - Schedule a bill payment for the future

    Deposits

    - Make a deposit online

    E-transfers

    - Make an e-transfer

    Note: Refer to the facilitator slides for more guidance on how to deliver this exercise

    Output

    • Create a mock initial backlog for the simulated project

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.3 Create a mock backlog

    30-60 minutes

    Step 3: Identify your MVP

    1. Decide which "Features and Functions" will be in your MVP and which will be delivered in future releases:

    YOUR MVP (Project Backlog)

    Epics

    "Features and Functions" in This Epic

    Administration

    - Logon and logoff
    - Register for app

    Accounts

    - See account balances
    - See a history of account transactions

    Bill payments

    - Set up payees for online bill payments
    - Pay a bill online

    FOR FUTURE RELEASES (Product Backlog)

    Epics

    In Scope

    Deposits- Make a deposit online
    Accounts- Search for a transaction by payee/date/amount/etc.
    Bill payments- Schedule a bill payment for the future

    Note: Refer to the facilitator slides for more guidance on how to deliver this exercise

    Output

    • Create a mock initial backlog for the simulated project

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.3 Create a mock backlog

    30-60 minutes

    Step 3: Identify your MVP

    1. Decide which "Features and Functions" will be in your MVP and which will be delivered in future releases:

    YOUR MVP EPICS

    Epics

    "Features and Functions" in This Epic

    Administration

    - Logon and logoff
    - Register for app

    Accounts

    - See account balances
    - See a history of account transactions

    Bill payments

    - Set up payees for online bill payments
    - Pay a bill online

    YOUR MVP USER STORIES

    Epics

    In Scope

    Logon and LogoffAs a user, I want to logon/logoff the app so I can do my banking securely
    Register for AppAs a user, I want to register to use the app so I can bank online
    See Account BalancesAs a user, I want to see my account balances so that I know my current financial status
    See a History of Account TransactionsAs a user, I want to see a history of my account transactions, so I am aware of where my money goes
    Set up Payees for Online Bill PaymentsAs a user, I want to set up payees so that I can easily pay my bills
    Pay a Bill OnlineAs a user, I want to pay bills online, so they get paid on time

    Note: Refer to the facilitator slides for more guidance on how to deliver this exercise

    Output

    • Create a mock initial backlog for the simulated project

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.4 Review
    Sprint 0

    The Online Banking Application of the spreadsheet for Sprint 0.

    Step 1: Set aside the Mock Backlog just created (you will be using the Backlog on Sprint 0 for remainder of exercise).
    Step 2: Introduce and walk through the Backlog on the Sprint 0 tab in the Scrum Simulation Exercise.
    Step 3: Discuss and answer any questions the participants may have about the Sprint 0 tab.
    Step 4: Capture any important issues or clarifications from this discussion in the table below.

    Important issues or clarifications from the Sprint 0 tab:

    • (e.g. What is the difference between the project backlog and the product backlog?)
    • (e.g. What do we do with user stories that are bigger than our sprint velocity?)
    • (e.g. Has the project backlog been prioritized?)
    • (e.g. How do we decide what to work on first?)

    Note: Refer to the facilitator slides for more guidance on how to deliver this exercise

    Output

    • Understand Sprint 0 for Scrum Simulation Exercise

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.4 Review
    Sprint 0

    30-60 minutes

    1. Using the information found on the Sprint 0 tab, determine the projected timeline and cost for this project's first release:

    GIVEN

    Total Story Points in Project Backlog (First Release): 307 Story Points
    Expected Sprint Velocity: 20 Story Points/Sprint
    Total Team Size (PO, SM and 4-person Delivery Team): 6 People
    Blended Hourly Rate Per Team Member (assume 8hr day): $75/Hour
    Sprint Duration: 2 Weeks

    DETERMINE

    Expected Number of Sprints to Complete Project Backlog:
    Cost Per Sprint ($):
    Total Expected Timeline (weeks):
    Total Cost of First Release:

    Note: Refer to the facilitator slides for more guidance on how to deliver this exercise

    Output

    • How to determine expected cost and timeline for an Agile project

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    The Estimation Cone of Uncertainty

    The Estimation Cone of Uncertainty

    Simulation Exercise 1.6 Understanding minimum viable products (MVP)

    30 minutes

    1. Discuss your current understanding of MVP.

    How do you describe/define MVP?

    • (Discuss/capture your understanding of minimum viable product)

    Note: Refer to the facilitator slides for more guidance on how to deliver this exercise

    Output

    • Capture your current understanding of Minimum Viable Product

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Facilitator slides: Explaining MVP

    Notes and Instructions

    The primary intent of this exercise is to explain the complex notion of MVP (it is one of the most misunderstood and contentious issues in Agile delivery). The exercise is intended to explain it in a simple and digestible way that will fundamentally change participants' understanding of MVP.
    Note that the slide contains animations.

    Imagine that your stakeholder tells you they want a blue 4-door sedan (consider this our "MVP" at this point), and you decide to build it the traditional way. As you build it (tires, then frame, then body, then joint body with frame and install engine), the stakeholder doesn't have anything they can use, and so they are only happy (and able to get value) at the end when the entire car is finished (point out the stakeholder "faces" go from unhappy to happy in the end).

    Animation 1:
    When we use Agile methods, we don't want to wait until the end before we have something the stakeholders can use. So instead of waiting until the entire car is completed, we decide our first iteration will be to give the stakeholder "a simple (blue) wheeled transportation device"…namely a skateboard that they can use for a little while (it's not a car, but it is something the stakeholder can use to get places).

    Animation 2:
    After the stakeholder has tried out the skateboard, we ask for feedback. They tell us the skateboard helped them to get around faster than walking, but they don't like the fact that it is so hard to maintain your balance on it. So, we add a handle to the skateboard to turn it into a scooter. The stakeholder then uses the scooter for a while. stakeholder feedback says staying balanced on the scooter is much easier, but they don't have a place to put groceries when they go shopping, so can we do something about that?

    (Continued on next slide…)

    Facilitator slides: Explaining MVP

    Notes and Instructions

    Animation 3:
    So next we build the stakeholder a bicycle and let them use it for a while before asking for feedback. The stakeholder tells us they love the bicycle, but they admit they get tired on long trips, so is there something we can do about that?

    Animation 4:
    So next we add a motor to the bicycle to turn it into a motorcycle, and again we give it to the stakeholder to use for a while. When we ask the stakeholder for feedback, they tell us that they LOVE the motorcycle so much, and that because they love the feeling of the wind in their hair, they've decided that they no longer want a 4-door sedan, but instead would prefer a blue 2-door convertible.

    Animation 5:
    And so, for our last iteration, we build the stakeholder what they wanted (a blue 2-door convertible) instead of what they asked for (a blue 4-door sedan), and we see that they are happier than they would have been if we had delivered the traditional way.

    INSIGHTS:
    An MVP cannot be fully known at the beginning of a project (it is the "journey" of creating the MVP with stakeholders that defines what it looks like in the end).
    Sometimes, stakeholders don't (or can't) know what they want until they see it.
    There is no "straight path" to your MVP, you determine the path forward based on what you learned in the previous iterations.
    This approach is part of the "power of Agile" and demonstrates why Agile can produce better outcomes and happier stakeholders.

    Understanding minimum viable product

    NOT Like This:

    This is a series of images. The top half of the image, shows building a car by starting with the wheels. The bottom Image shows the progression from skateboard, to scooter, to bike, to motorcycle, to car.

    It's Like This:

    Use iterations to maximize value delivery

    An image showing how to use iterations to maximize value delivery

    Use iterations to reduce accumulated risk

    An image showing how to use iterations to reduce accumulated risk.

    Understanding MVP
    (always be ready to go live)

    A great and wise pharaoh hires two architects to build his memorial pyramids.

    An image shows two architects contribution to pyramid construction.

    Understanding MVP
    (always be ready to go live)

    Several years go by, and then…

    The pharaoh is on his death bed.

    Simulation Exercise 1.7 Plan your first sprint

    30-60 minutes

    Step 1: Divide participants into independent Scrum delivery teams (max 7-8 people per team) and assign a PO (5 minutes)
    Step 2: Instruct each team to work together to decide on their "MVP strategy" for delivering this project (10-15 minutes)
    Step 3: Have each team decide on which user stories they would put in their first sprint backlog (5-10 minutes)
    Step 4: Have each team report on their findings. (10 minutes)

    Describe your team's "MVP strategy" for this project (Explain why you chose this strategy):

    Identify your first sprint backlog (Explain how this aligns with your MVP strategy):

    What, if anything, did you find interesting, insightful or valuable by having completed this exercise:

    Output

    • Experience deciding on an MVP strategy and creating your first sprint backlog

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.8 Do a sprint retrospective

    30-60 minutes

    Step 1: Thinking about the work you did in Exercise 3.2.7, identify what worked well and what didn't
    Step 2: Create a list of "Start/Stop/Continue" items using the table below
    Step 3: Present your list and discuss with other teams

    1. Capture findings in the table below:

    Start:
    (What could you start doing that would make Sprint Planning work better?)

    Stop:
    (What didn't work well for the team, and so you should stop doing it?)

    Continue:
    (What worked well for the team, and so you should continue doing?)

    Output

    • Experience performing a sprint retrospective

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.9 "What if" exercise (understanding what a fluid backlog really means)

    30-60 minutes

    1. As a team, consider what you would do in each of the following scenarios (treat each one as an independent scenario rather than cumulative):

    Scenario:

    How would you deal with this:

    After playing with and testing the Sprint 1 deliverable, your stakeholders find several small bugs that need to be fixed, along with some minor changes they would like made to the system. The total amount of effort to address all of these is estimated to be 4 story points in total.

    (e.g. First and foremost, put these requests into the Project Backlog, then…)

    Despite your best efforts, your stakeholders tell you that your Sprint 1 deliverable missed the mark by a wide margin, and they have major changes they want to see made to it.

    Several stakeholders have come forward and stated that they feel strongly that the "DEPOSIT – Deposit a cheque by taking a photo" User Story should be part of the first release, and they would like to see it moved from the Product Backlog to the project backlog (Important Note: they don't want this to change the delivery date for the first release)

    Output

    • A better understanding of how to handle change using a fluid project backlog

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.10 A Sprint 1 example

    30-60 minutes

    1. Consider the following example of what your Sprint 1 deliverable could be:

    An example of what your Sprint 1 deliverable could be.

    Output

    • Better understanding of an MVP strategy

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.10 A Sprint 1 example

    30-60 minutes

    1. As a group, discuss this approach, including:
      1. The pros and cons of the approach.
      2. Is this a shippable increment?
      3. What more would you need to do to make it a shippable increment?
    2. Capture your findings in the table below:

    Discussion

    Output

    • Better understanding of an MVP strategy

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 1.11 Simulate more sprints

    30-60 minutes

    1. As a group, continue to simulate more sprints for the online banking app:
      1. Simulate the planning, execution, demo, and retro stages for additional sprints
      2. Stop when you have had enough
    2. Capture your learnings in the table below:

    Discussion and learnings

    Output

    • Better understanding of an MVP strategy

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Scrum Simulation Module

    Simulate effective scrum practices

    Activities

    2.1 Execute the ball passing sprints

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Model and understand behavioral blockers and patterns affecting Agile teams and organizational culture.

    Pass the balls – sprint velocity game

    Goal 1. Pass as many balls as possible (Story Points) through the system during each sprint.
    Goal 2. Improve your estimation and velocity after each retrospective.

    Backlog

    An image of Sprint, passing balls from one individual to another until you reach the completion point.

    Points Completed

    Rules:

    1. Two people cannot touch the ball at the same time.
    2. Only the first and last person can hold more than one ball at a time.
    3. Every person on the Delivery Team must touch the ball at least once per sprint.
    4. Each team must record its results during the retrospective.

    Scoring:

    1. One point for every ball that completes the system.
    2. Minus one point for every dropped ball.

    Epic 1: 3 sprints

    1. 1-minute Planning
    2. 2-minute Sprints
    3. 1-minute Retrospective

    Group Retrospective
    Epic 2: 3 sprints (repeat)

    1. 1-minute Planning
    2. 2-minute Sprints
    3. 1-minute Retrospective

    Simulation Exercise 1.11 Simulate more sprints

    30-60 minutes

    Goal 1: Pass as many balls (Story Points) through the system during each sprint.
    Goal 2: Improve your estimation and velocity after each retrospective.

    1. Epic 1: 3 sprints
      1. 1-minute Planning
      2. 2-minute Sprints
      3. 1-minute Retrospective
    2. Group Retrospective
    3. Epic 2: 3 sprints
      1. 1-minute Planning
      2. 2-minute Sprints
      3. 1-minute Retrospective
    4. Group Retrospective
    5. Optionally repeat for additional sprints with team configurations or scenarios

    Rules:

    1. Two people cannot touch the ball at the same time.
    2. Only the first and last person can hold more than one ball at a time.
    3. Every person on the delivery team must touch the ball at least once per sprint.
    4. Each team must record its results during the retrospective.

    Scoring:

    1. One point for every ball that completes the system.
    2. Minus one point for every dropped ball.

    Output

    • Understand basic estimation, sprint, and retrospective techniques.
    • Experience common Agile behavior challenges.

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Facilitator slides: Sprint velocity game

    Goal:

    Pass as many balls as possible through the system during each cycle.

    Game Setup

    • Divide into teams of 8-16 people. If you have a smaller group, form one team rather than two smaller teams to start. The idea is to cause chaos with too many people in the delivery flow. See alternate versions for adding additional Epics with smaller teams.
    • Read out the instructions and ensure teams understand each one. Note that no assistance will be given during the sprints.

    Use your phone's timer to create 2-minute cycles:

    • 1-minute sprint planning
    • 2-minute delivery sprint
    • 1-minute retrospective and results recording
    • Run 3-4 cycles, then stop for a facilitated discussion of their observations and challenges.
    • Begin epic 2 and run for 3-4 more cycles.

    Facilitator slides: Sprint velocity game

    • Game Cycles
      • Epic 1: 3 complete cycles
      • 1-minute Planning
      • 2-minute Sprints
      • 1-minute Sprint retrospective
    • Group Retrospective
      • Discuss each sprint, challenges, and changes made to optimize throughput.
    • Epic 2: 3 complete cycles
      • 1-minute Planning
      • 2-minute Sprints
      • 1-minute Sprint retrospective
    • Group Retrospective
      • Discuss each sprint, challenges, and changes made to optimize throughput.
    • Game Rules
      • Each ball must have airtime. No ball cannot touch two people at the same time.
      • No person can hold more than one ball at a time.
      • Ball must be passed by every person on a team.
      • You may not pass a ball to a person directly to the person on your left or right.
      • Each team must keep score and record their results during the Retrospective.
    • Scoring
      • 1 point for every ball that completes the system.
      • Minus 1 point for every dropped ball.

    Facilitator slides: Sprint velocity game

    Facilitator Tips

    • Create a feeling of competition to get the teams to rush and work against each other. The goal is to show how this culture must be broken in Agile and DevOps. Then challenge the teams against natural silos and not focus on enterprise goals.
    • Create false urgency to increase stress, errors, and breakdowns in communication.
    • Look for patterns of traditional delivery and top-down management that limit delivery. These will emerge naturally, and teams will fall back into familiar patterns under stress.
    • Look for key lessons you want to reinforce and bring out ball game examples to help teams relate to something that is easier to understand.

    Alternate Versions

    • Run Epic 1 as one team, then have them break into typical Agile teams of 4-9 people. Compare results.
    • Run Epics with different goals: How would their approach change?
      • Fastest delivery
      • Highest production
      • Lowest defect rate
    • Have teams assign a scrum master to coordinate delivery. A scrum master and product owner are part of the overall team, but not part of the delivery team. They would not need to pass balls during each sprint.
    • Increase sprint time. Discuss right sizing sprint to complete work.
    • Give each team different numbers of balls, but don't tell them. Alternately, start each team with half as many balls, then double for Epic 2. Discuss how the sprint backlog affected their throughput.

    Facilitator slides: Sprint velocity game

    Trends to Look For and Discuss

    • False constraints - patterns where teams unnecessarily limited themselves.
    • Larger teams could have divided into smaller working teams, passing the balls between working groups.
    • Instructions did not limit that "team" meant everyone in the group. They could have formed smaller groups to process more work. LEAN
    • Using the first sprint for planning only. More time to create a POC.
    • Teams will start communicating but will grow silent, especially in later sprints. Stress interactions over the process.
    • Borrowing best practices from other teams.
    • Using retrospectives to share ideas with other teams. Stress needs to align with the company's goals, not just the team's goals.
    • How did they treat dropped balls? Rejected as errors, started over (false constraint), or picked up and continued?

    Trends to Look For and Discuss

    • Did individuals dominate the planning and execution, or did everyone feel like an equal member of the team?
    • Did they consider assigning a scrum master? The scrum master and product owner are part of the overall team, but not part of the Delivery Team. They would not need to pass balls during each Sprint.
    • What impacted their expected number of balls completed? Did it help improve quality or was it a distraction?
    • What caused their improvement in velocity? Draw the connection between how teams must work together and the need for stability.
    • Discuss the overall goal and constraints. Did they understand what the desired outcome was? Where did they make assumptions? Add talking points:
      • What if the goal was overall completed balls?
      • What if it was zero defect? No dropped balls.
      • What if it was the fastest delivery? Each ball through the system in the shortest time? Were they timing each ball?

    Scrum Simulation Module

    Simulate effective scrum practices

    Activities

    3.1 Identify key insights and takeaways

    3.2 Perform exit survey and capture results

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Identify your key insights and takeaways

    Simulation Exercise 3.1
    Identify key insights and takeaways

    30 minutes

    1. As a group, discuss and capture your thoughts on:
      1. What key insights have participants gained from the Intro to Agile presentation?
      2. What if any takeaways do participants feel are needed as a result of the presentation?
      3. What changes need to be made in the organization to support/enhance Agile adoption?
    2. Capture your findings in the table below:

    What key insights have you gained?

    What takeaways have you identified?

    • (e.g. better understanding of Agile mindset, principles, and practices)
    • (e.g. how you can improve/spread Agile practices in the organization)

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Simulation Exercise 3.2
    Perform an exit survey

    30 minutes

    1. Wrap up this section by addressing any remaining questions participants still have.
    2. Create your local exit survey by copying the template using the link below. Then copy and distribute your local survey link.
    3. Collect the consolidated survey results in preparation for your next steps.
    4. NOTE: Using this survey template requires having access to Microsoft Forms. If you cannot access Microsoft Forms, an Info-Tech analyst can send the survey for you. Alternatively, this survey can be done with sticky notes and a pen and paper to calculate the outcomes.

    Download Survey Template:

    Develop Your Agile Approach Exit Survey Template

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Agile Modules

    Prioritize Agile support with your top challenges

    Backlog Management

    Scrum Simulation

    Estimation

    Product Owner

    Product Roadmapping

    1: User stories and the art of decomposition

    2: Effective backlog management & refinement

    3: Identify insights and team feedback

    1: Scrum sprint planning and retrospective simulation

    2: Pass the balls – sprint velocity game

    1: Improve product backlog item estimation

    2: Agile estimation fundamentals

    3: Understand the wisdom of crowds

    4: Identify insights and team feedback

    1: Understand product management fundamentals

    2: The critical role of the product owner

    3: Manage effective product backlogs and roadmaps

    4: Identify insights and team feedback

    1: Identify your product roadmapping pains

    2: The six "tools" of product roadmapping

    3: Product roadmapping exercise

    Organizations often struggle with numerous pain points around Agile delivery.
    The Common Agile Challenges Survey results will help you identify and prioritize the organization's biggest (most cited) pain points. Treat these pain points like a backlog and address the biggest ones first.

    Agile modules provide supporting activities:

    Each module provides guidance and supporting activities related to a specific Agile Challenge from your survey. These modules can be arranged to meet each organization's or team's needs while providing cohesive and consistent messaging. For additional supporting research, please visit the Agile / DevOps Resource Center.

    This phase involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Estimation Module

    Improve product backlog item estimation

    Activities

    1.1 Identify your estimation pains

    1.2 (Optional) Why do we estimate?

    1.3 How do you estimate now?

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • A better understanding of Agile estimation practices and how to apply them.

    Establish consistent Agile estimation fundamentals

    an image of a hierarchy answering the question What is an estimate.

    Know the truth about estimates and their potential pitfalls.

    Then, understand how Agile estimation works to avoid these pitfalls.

    Estimation Exercise 1.1 Identify your estimation pains

    30-60 minutes

    1. As a group, discuss and capture your thoughts on:
      1. What specific challenges are you facing with your estimation practices today
      2. Capture your findings in the table below:

    What are your specific Estimation challenges?

    • (e.g. We don't estimate consistently)
    • (e.g. Our estimates are usually off by a large margin)
    • (e.g. We're not sure what approach to use when estimating)

    Output

    • Your specific estimation related challenges

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Estimation Exercise 1.2 (Optional) Why do we estimate?

    30 minutes

    1. As a group, discuss and capture your thoughts on:
      1. Why do we do estimates?
      2. What value/merit do estimates have?
    2. Capture your findings in the table below:

    Why would/should you do estimates?

    • (e.g. Our stakeholders need to know how long it will take to deliver a given feature/function)

    Output

    • Better understanding of the need for estimates

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Estimation Exercise 1.2 (Optional) Why do we estimate?

    30 minutes

    1. Estimation has its merits
    2. Here are some sample reasons for estimates:
      • "Estimates allow us to predict when a sprint goal will be met, and therefore when a substantial increment of value will be delivered."
      • "Our estimates help our stakeholders plan ahead. They are part of the value we provide."
      • "Estimates help us to de-risk scope of uncertain size and complexity."
      • "Estimated work can be traded in and out of scope for other work of similar size. Without estimates, you can't trade."
      • "The very process of estimation adds value. When we estimate we discuss requirements in more detail and gain a better understanding of what is needed."
      • "Demonstrates IT's commitment to delivering valuable products and changes."
      • "Supports business ambitions with customers and stakeholders."
      • "Helps to build a sustainable value-delivery cadence."

    Source: DZone, 2013.

    Output

    • Better understanding of the need for estimates

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Estimation Exercise 1.3 How do you estimate now?

    30 minutes

    1. As a group, speak about now you currently estimate in your organization.
    2. Capture your findings in the table below:

    Why would/should you do estimates?

    • (e.g. We don't do estimates)
    • (e.g. We ask the person assigned to each task in the project plan to estimate how long it will take)

    Output

    • Your current estimation approach

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Estimation Module

    Improve product backlog item estimation

    Activities

    2.1 (Optional) Estimate a real PBI

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • A better understanding of Agile estimation practices and how to apply them.

    Don't expect your estimates to be accurate!

    The average rough order of magnitude estimates for software are off by is up to 400%.
    Source: Boehm, 1981

    Estimate inaccuracy has many serious repercussions on the project and organization

    66%

    Average cost overrun(1)

    33%

    Average schedule overrun (1)

    17%

    Average benefits shortfall)1)

    (1) % of software projects with given issue

    Source: McKinsey & Company, 2012

    The Estimation Cone of Uncertainty

    The Estimation Cone of Uncertainty

    What is Agile estimation?

    There is no single Agile estimation technique. When selecting an approach, adopt an Agile estimation technique that works for your organization, and don't be afraid to adapt it to your circumstances. Remember: all estimates are wrong, so use them with care and skepticism.

    • Understands and accepts the limitations of any estimation process.
    • Leverages good practices to counteract these limitations (e.g. wisdom of crowds, quality-first thinking).
    • Doesn't over-invest in individual estimate accuracy (but sees their value "in aggregate").
    • Approach can change from project to project or team to team and evolves/matures over the project lifespan.
    • Uses the estimation process as an effective tool to:
      • Make commitments about what can be accomplished in a sprint (to establish capacity).
      • Convey a measure of progress and rough expected completion dates to stakeholders (including management).

    Info-Tech Insight

    All estimates are wrong, but some can be useful (leverage the "wisdom of crowds" to improve your estimation practices).

    There are many Agile estimation techniques to choose from…

    Consensus-Building Techniques
    Planning Poker

    Most popular by far (stick with one of these unless there is a good reason to consider others)

    This approach uses the Delphi method, where a group collectively estimates the size of a PBI, or user stories, with cards numbered by story points. See our Estimate Software Delivery With Confidence blueprint.

    T-Shirt Sizing

    This approach involves collaboratively estimating PBIs against a non-numerical system (e.g. small, medium, large). See DZone and C# Corner for more information.

    Dot Voting

    This approach involves giving participants a set number of dot stickers or marks and voting on the PBIs (and options) to deliver. See Dotmocracy and Wikipedia for more information.

    Bucket System

    This approach categorizes PBIs by placing them into defined buckets, which can then be further broken down through dividing and conquering. See Agile Advice and Crisp's Blog for more information.

    Affinity Mapping

    This approach involves the individual sizing and sorting of PBIs, and then the order of these PBIs are collaboratively edited. The grouping is then associated with numerical estimates or buckets if desired. See Getting Agile for more information.

    Ordering Method

    This approach involves randomly ordering items on a scale ranging from low to high. Each member will take turns moving an item one spot lower or higher where it seems appropriate. See Apiumhub, Sheidaei Blog (variant), and SitePoint (Relative Mass Valuation) for more information.

    Ensure your teams have the right information

    Estimate accuracy and consistency improve when it is clear what you are estimating (definition of ready) and what it means to complete the PBI (definition of done).
    Be sure to establish and enforce your definition of ready/done throughout the project.

    Ready

    Done
    • The value of the story to the user is indicated.
    • The acceptance criteria for the story have been clearly described.
    • Person who will accept the user story is identified.
    • The team knows how to demo the story…
    • Design complete, code compiles, static code analysis has been performed and passed.
    • Peer reviewed with coding standards passed.
    • Unit test and smoke test are done/functional (preferably automated).
    • Passes functionality testing including security testing…

    What are story points?

    Many organizations use story point sizing to estimate their PBIs
    (e.g. epics, features, user stories, and tasks)

    • A story point is a (unitless) measure of the relative size, complexity, risk, and uncertainty, of a PBI.
    • Story points do not correspond to the exact number of hours it will take to complete the PBI.
    • When using story points, think about them in terms of their size relative to one another.
    • The delivery team's sprint velocity and capacity should also be tracked in story points.

    How do you assign a point value to a user story? There is no easy answer outside of leveraging the experience of the team. Sizes are based on relative comparisons to other PBIs or previously developed items. Example: "This user story is 3 points because it is expected to take 3 times more effort than that 1-point user story."Therefore, the measurement of a story point is only defined through the team's experience, as the team matures.

    Can you equate a point to a unit of time? First and foremost, for the purposes of backlog prioritization, you don't need to know the time, just its size relative to other PBIs. For sprint planning, release planning, or any scenario where timing is a factor, you will need to have a reasonably accurate sprint capacity determined. Again, this comes down to experience.

    "Planning poker" estimation technique

    Leverage the wisdom of crowds to improve your estimates

    an image of the user story points and the Fibonacci sequence

    Planning poker: This approach uses the Delphi method, where a group collectively estimates the size of a PBI or user story, using cards with story points on them.

    Materials: Each participant has deck of cards, containing the numbers of the Fibonacci sequence.

    Typical Participants: Product owner, scrum master (usually acts as facilitator), delivery team.

    Steps:

    1. The facilitator will select a user story.
    2. The product owner answers any questions about the user story from the group.
    3. The group makes their first round of estimates, where each participant individually selects a card without showing it to anyone, and then all selections are revealed at once.
    4. If there is consensus, the facilitator records the estimate and moves onto step 1 for another user story.
    5. If there are discrepancies, the participants should state their case for their selection (especially high or low outliers) and engage in constructive debate.
    6. The group makes an additional round of estimates, where step 3-6 are completed until there is a reasonable consensus.
    7. If the consensus is the user story is too large to fit into a sprint or too poorly defined, then the user story should be decomposed or rewritten.

    Estimation Exercise 2.1 (Optional) Estimate a real PBI

    30-60 minutes

    Step 1: As a group, select a real epic, feature, or user story from one of your project backlogs which needs to be estimated:

    PBI to be Estimated:

    As a ____ I want _____ so that ______

    Step 2: Select one person in your group to act as the product owner and discuss/question the details of the selected PBI to improve your collective understanding of the requirement (the PO will do their best to explain the PBI and answer any questions).
    Step 3: Make your first round of estimates using either T-shirt sizing or the Fibonacci sequence. Be sure to agree on the boundaries for these estimates (e.g. "extra-small" (XS) is any work that can be completed in less than an hour, while "extra-large" (XL) is anything that would take a single person a full sprint to deliver – a similar approach could be used for Fibonacci where a "1" is less than an hour's work, and "21" might be a single person for a full sprint). Don't share your answer until everyone has had a chance to decide on their Estimate value for the PBI.
    Step 4: Have everyone share their chosen estimate value and briefly explain their reasoning for the estimate. If most estimate values are the same/similar, allow the group to decide whether they have reached a "collective agreement" on the estimate. If not, repeat step 3 now that everyone has had a chance to explain their initial Estimate.
    Step 5: Capture the "collective" estimate for the PBI here:

    Our collective estimate for this PBI:

    e.g. 8 story points

    Output

    • A real PBI from your project backlog which has estimated using planning poker

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Estimation Module

    Improve product backlog item estimation

    Activities

    3.1 Guess the number of jelly beans (Round 1) (15 minutes)
    3.2 Compare the average of your guesses (15 minutes)
    3.3 Guess the number of gumballs (Round 2) (15 minutes)
    3.4 Compare your guesses against the actual number

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • A better understanding of why Agile estimation and reconciliation provides reliable estimates for planning.

    Facilitator Slides: Agile Estimation (Wisdom of Crowds Exercise – Rounds 1 and 2)

    Notes and Instructions

    The exercise is intended to mimic the way Planning Poker is performed in Agile Estimation. Use the exercise to demonstrate the power of the Wisdom of Crowds and how, in circumstances where the exact answer to a question is not known, asking several people for their opinion often produces more accurate results than most/any individual opinion.

    Some participants will tend to "shout out an answer" right away, so be sure to tell participants not to share their answers until everyone has had an opportunity to register their guess (this is particularly important in Round 1, where we are trying to get unvarnished guesses from the participants).

    In Round 1:

    • Be sure to emphasize that participants are guessing the total number of jelly beans in the jar (sometimes people think it is just the number visible)
    • Once all guesses are gathered and you've calculated the error for them (and the average guess), review the results with participants (Note: the actual number of jelly beans in the jar is 1600 (it is "greyed out" on the bottom line of the table – you can make it visible by turning off the grey highlight on that cell in the table)
    • Most of the time, the average guess will be closer to the actual than most (if not all) individual guesses (but be prepared for the fact that this doesn't always happen – this is especially true when the number of participants is small)
    • When discussing the results, ask participants to share the "method" they used to make their guess (particularly those who were closest to the actual). This part of the exercise can help them to make more accurate guesses in Round 2

    In Round 2:

    • Note that this time, participants are guessing the total number of visible gumballs in the image (both whole and partial gumballs are counted)
    • Once all guesses are gathered and you've calculated the error for them (and the average guess), review the results with participants (Note: the actual number of visible gumballs is 1600 (it is "greyed out" on the bottom line of the table – you can make it visible by turning off the grey highlight on that cell in the table)
    • Most of the time, the average guess will be closer to the actual in Round 2 than it was in Round 1
    • Talk to participants about the outcomes and how the results varied from Round 1 to Round 2, along with any interesting insights they may have gained from the exercise

    Estimation Exercise 3.1 Guess the number of jelly beans (Round 1)

    15 minutes

    1. Option 1: Microsoft Forms
      1. Create your own local survey by copying the template using the link below.
      2. Add the local Survey link to the exercise instructions or send the link to the participants.
      3. Give the participants 2-3 minutes to complete their guesses.
      4. Collect the consolidated Survey responses and calculate the results on the next slide.
      5. NOTE: Using this survey template requires having access to Microsoft Forms. If you cannot access Microsoft Forms, an Info-Tech analyst or Workshop Specialist can set up the survey for you.
    2. Option 2: Embedded Excel table
      1. On the results slide, double-click the table to open the embedded Excel worksheet.
      2. Record each participant's guess in the table.
    3. Alternatively, this survey can be done with sticky notes, a pen, paper, and a calculator to determine the outcomes.

    Download Survey Template:

    Info-Tech Wisdom of the Crowd 1 (Jelly Bean Guess

    Output

    • An appreciation for the power of the wisdom of crowds

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Estimation Exercise 3.1 Guess the number of jelly beans (Round 1)

    15 minutes

    1. Guess the total number of jelly beans in the entire container (not just the ones you can see).
    2. Be sure not to share your guess with anyone else.
    3. It doesn't matter how you settle on your guess ("gut feel" is fine, so is being "scientific" about it, as well as everything in between).
    4. Again, please don't share your guess (or even how you settled on your guess) with anyone else (this exercise relies on independent guesses).

    See slide notes for instructions.

    Output

    • An appreciation for the power of the wisdom of crowds

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Estimation Exercise 3.2 Compare the average of your guesses

    15 minutes

    A blank table for you to compare the average of your guesses at the number of Jellybeans in the Jar.

    See slide notes for instructions.

    Output

    • An appreciation for the power of the wisdom of crowds

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Guess the number of gumballs

    • Option 1: Microsoft Forms
      • Create your own local survey by copying the template using the link below.
      • Add the local Survey link to the exercise instructions or send the link to the participants.
      • Give the participants 2-3 minutes to complete their guesses.
      • Collect the consolidated Survey responses and calculate the results on the next slide.
      • NOTE: Using this survey template requires having access to Microsoft Forms. If you cannot access Microsoft Forms, an Info-Tech analyst or Workshop Specialist can set up the survey for you.
    • Option 2: Embedded Excel table
      • On the results slide, double-click the table to open the embedded Excel worksheet.
      • Record each participant's guess in the table.
    • Alternatively, this survey can be done with sticky notes, a pen, paper, and a calculator to determine the outcomes.

    Download Survey Template:

    Info-Tech Wisdom of the Crowd 2 (Gumball Guess)

    Output

    • An appreciation for the power of the wisdom of crowds

    Participants

    • PM's, PO's and SM's
    • Delivery Managers
    • Delivery Teams
    • Business Stakeholders
    • Senior Leaders
    • Other Interested Parties

    Estimation Exercise 3.3 Guess the number of gumballs (Round 2)

    15 minutes

    1. Guess the total number of gumballs visible in the photo shown on the right.
    2. Again, please don't share your guess with anyone.

    Output

    • An appreciation for the power of the wisdom of crowds

    Participants

    • PM's, PO's and SM's
    • Delivery Managers
    • Delivery Teams
    • Business Stakeholders
    • Senior Leaders
    • Other Interested Parties

    Estimation Exercise 3.2 Compare the average of your guesses

    15 minutes

    A blank table for you to compare the average of your guesses at the number of Jellybeans in the Jar.

    See slide notes for instructions.

    Output

    • An appreciation for the power of the wisdom of crowds

    Participants

    • PM's, PO's and SM's
    • Delivery Managers
    • Delivery Teams
    • Business Stakeholders
    • Senior Leaders
    • Other Interested Parties

    Estimation Module

    Improve product backlog item estimation

    Activities

    4.1 Identify key insights and takeaways
    4.2 Perform exit survey and capture results

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Identify your key insights and takeaways.

    Estimation Exercise 4.2
    Identify key insights and takeaways

    30 minutes

    1. As a group, discuss and capture your thoughts on:
      1. What key insights have participants gained from the Intro to Agile presentation?
      2. What if any takeaways do participants feel are needed as a result of the presentation?
      3. What changes need to be made in the organization to support/enhance Agile adoption?
    2. Capture your findings in the table below:

    What key insights have you gained?

    What takeaways have you identified?

    • (e.g. better understanding of Agile mindset, principles, and practices)
    • (e.g. how you can improve/spread Agile practices in the organization)

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Estimation Exercise 4.2
    Perform an exit survey

    30 minutes

    1. Wrap up this section by addressing any remaining questions participants still have.
    2. Create your local exit survey by copying the template using the link below. Then copy and distribute your local survey link.
    3. Collect the consolidated survey results in preparation for your next steps.
    4. NOTE: Using this survey template requires having access to Microsoft Forms. If you cannot access Microsoft Forms, an Info-Tech analyst can send the survey for you. Alternatively, this survey can be done with sticky notes and a pen and paper to calculate the outcomes.

    Download Survey Template:

    Develop Your Agile Approach Exit Survey Template

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Agile Modules

    Prioritize Agile support with your top challenges

    Backlog Management

    Scrum Simulation

    Estimation

    Product Owner

    Product Roadmapping

    1: User stories and the art of decomposition

    2: Effective backlog management & refinement

    3: Identify insights and team feedback

    1: Scrum sprint planning and retrospective simulation

    2: Pass the balls – sprint velocity game

    1: Improve product backlog item estimation

    2: Agile estimation fundamentals

    3: Understand the wisdom of crowds

    4: Identify insights and team feedback

    1: Understand product management fundamentals

    2: The critical role of the product owner

    3: Manage effective product backlogs and roadmaps

    4: Identify insights and team feedback

    1: Identify your product roadmapping pains

    2: The six "tools" of product roadmapping

    3: Product roadmapping exercise

    Organizations often struggle with numerous pain points around Agile delivery.
    The Common Agile Challenges Survey results will help you identify and prioritize the organization's biggest (most cited) pain points. Treat these pain points like a backlog and address the biggest ones first.

    Agile modules provide supporting activities:

    Each module provides guidance and supporting activities related to a specific Agile Challenge from your survey. These modules can be arranged to meet each organization's or team's needs while providing cohesive and consistent messaging. For additional supporting research, please visit the Agile / DevOps Resource Center.

    This phase involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Product Owner Module

    Establish an effective product owner role

    Activities

    1.1 Identify your product owner pains
    1.2 What is a "product"? Who are your "consumers"?
    1.3 Define your role terminology

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Understand product management fundamentals.
    • Define your product management roles and terms.

    Product owners ensure we delivery the right changes, for the right people, at the right time.

    The importance of assigning an effective and empowered product owner to your Agile projects cannot be overstated.

    What is a product?

    A tangible solution, tool, or service (physical or digital), which enables the long-term and evolving delivery of value to customers, and stakeholders based on business and user requirements.

    Info-Tech Insight

    A proper definition of a product recognizes three key facts.

    1. A clear recognition that products are long-term endeavors that don't end after the project finishes.
    2. Products are not just 'apps', but can be software or services that drive value.
    3. There is more than one stakeholder group that derives value from the product or service.

    Estimation Exercise 4.2
    Perform an exit survey

    30-60 minutes

    1. As a group, discuss and capture your thoughts on:
      • What specific challenges are you facing with your product owner practices today?
    2. Capture your findings in the table below:

    What are your specific Product Owner challenges?

    • (e.g. We don't have product owners)
    • (e.g. Our product owners have "day jobs" as well, so they don't have enough time to devote to the project)
    • (e.g. Our product owners are unsure about the role and its associated responsibilities)

    Output

    • Your specific product owner challenges

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Product Owner Exercise 1.2 What is a "product"? Who are your "consumers"?

    30-60 minutes

    1. Discussion:
      1. How do you define a product, service, or application?
      2. Who are the consumers that receive value from the product?

    Input

    • Organizational knowledge
    • Internal terms and definitions

    Output

    • Our definition of products and services
    • Our definition of product and service consumers/customers

    Products and services share the same foundation and best practices

    The term "product" is used for consistency but would apply to services as well.

    Product=Service

    "Product" and "Service" are terms that each organization needs to define to fit its culture and customers (internal and external). The most important aspect is consistent use and understanding of:

    • External products
    • Internal products
    • External services
    • Internal services
    • Products as a service (PaaS)
    • Productizing services (SaaS)

    Recognize the different product owner perspectives

    • Business
      • Customer facing, revenue generating
    • Operations
      • Keep the lights on processes
    • Technical
      • IT systems and tools

    "A product owner in its most beneficial form acts like an Entrepreneur, like a 'mini-CEO'. The product owner is someone who really 'owns' the product."

    – – Robbin Schuurman,
    "Tips for Starting Technical Product Managers"

    Info-Tech Best Practice

    Product owners must translate needs and constraints from their perspective into the language of their audience. Kathy Borneman, Digital Product Owner at SunTrust Bank, noted the challenges of finding a common language between lines of business and IT (e.g. what is a unit?).

    Implement Info-Tech's product owner capability model

    An image of Info-Tech’s product owner capability model

    Unfortunately, most product owners operate with an incomplete knowledge of the skills and capabilities needed to perform the role. Common gaps include focusing only on product backlogs, acting as a proxy for product decisions, and ignoring the need for key performance indicators (KPIs) and analytics in both planning and value realization.

    Scale products into families to improve alignment

    Operationally align product delivery to enterprise goals

    A hierarchy showing how to break enterprise goals and strategy down into product families.

    The Info-Tech difference:

    Start by piloting product families to determine which approaches work best for your organization.

    Create a common definition of what a product is and identify products in your inventory.

    Use scaling patterns to build operationally aligned product families.

    Develop a roadmap strategy to align families and products to enterprise goals and priorities.

    Use products and families to evaluate the delivery and organizational design improvements.

    Deliver Digital Products at Scale via Enterprise Product Families

    Select the right models for scaling product management

    • Pyramid
      • Logical hierarchy of products rolling into a single service area.
      • Lower levels of the pyramid focus on more discrete services.
      • Example: Human resources mapping down to supporting applications.
    • Service Grouping
      • Organization of related services into service family.
      • Direct hierarchy does not necessarily exist within the family.
      • Example: End user support and ticketing.
    • Technical Grouping
      • Logical grouping of IT infrastructure, platforms, or applications.
      • Provides full lifecycle management when hierarchies do not exist.
      • Example: Workflow and collaboration tools.
    • Market Alignment
      • Grouping of products by customer segments or market strategy.
      • Aligns product to end users and consumers.
      • Example: Customer banking products and services.
    • Organizational Alignment
      • Used at higher levels of the organization where products are aligned under divisions.
      • Separation of product management from organizational structure no longer distinct.

    Match your product management role definitions to your product family levels

    Product Ownership exists at the different operational tiers or levels in your product hierarchy. This does not imply or require a management relationship.

    Product Portfolio
    Groups of product families within an overall value stream or capability grouping.
    Product Portfolio Manager

    Product Family
    A collection of related products. Products can be grouped along architectural, functional, operational, or experiential patterns.
    Product Family Manager

    Product
    Single product composed of one or more applications and services.
    Product Owner

    Info-Tech Insight

    The primary role conflict occurs when the product owner is a proxy for stakeholders or responsible for the delivery team. The product owner owns the product backlog. The delivery team owns the sprint backlog and delivery.

    Examine the differences between product managers and product owners

    Product management terminology is inconsistent, creating confusion in organizations introducing these roles. Understand the roles, then define terms that work best for you.

    A Table comparing the different roles of product managers to those of product owners.

    Define who manages key milestone

    Key milestones must be proactively managed. If a project manager is not available, those responsibilities need to be managed by the Product Owner or Scrum Master. Start with responsibility mapping to decide which role will be responsible.

    An image of a table with the following column headings: Example Milestones; Project Manager; Product Owner; Scrum Master*

    Product Owner Exercise 1.3 Define your role terminology

    30-60 minutes

    1. Using consistent terms is important for any organizational change and evergreen process. Capture your preferred terms to help align teams and expectations.
    Term

    Definition

    Product Owner

    • Owns and manages the product or service providing continuous delivery of value.
    • Owns the product roadmap and backlog for the product or service.
    • Works with stakeholders, end users, the delivery team, and market research to identify the product features and their estimated return on investment when implemented.
    • Responsible for refining and reprioritizing the product backlog ensuring items are "Ready" for the sprint backlog.
    • Defines KPIs to measure the value and impact of each PBI to help refine the backlog and guide the roadmap.
    • Responsible for refining and reprioritizing the sprint backlog that identifies which features will be delivered in the next sprint based on business importance.
    • Works with the product owner, stakeholders, end users, and SMEs to help define PBIs to ensure they are "Ready" for the Sprint backlog.

    Product Manager

    • Owns and manages a product or service family consisting of multiple products or services.
    • Owns the product family roadmap. Note: Product families do not have a backlog, only products do.
    • Works with stakeholders, end users, product owners, enterprise architecture, and market research to identify the product capabilities needed to accomplish goals.
    • Validates the product PBIs delivered realized the expected value and capability. Feedback is used to refine the product family roadmap and guide product owners.

    Output

    • Product management role definitions

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Product Owner Module

    Establish an effective product owner role

    Activities

    2.1 Identify enablers and blockers

    2.2 (Optional) Dissect this definition of the product owner role

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Identify cultural enablers and blockers for product owners.
    • Develop a deeper understanding of the product owner role.

    The importance of establishing an effective product owner role

    The critical importance of establishing an effective product owner role (PO) for your Agile projects cannot be overstated.

    Many new-to-Agile organizations do not fully appreciate the critical role played by the PO in Scrum, nor the fundamental changes the organization will need to make in support of the PO role. Both mistakes will reduce an organization's chances of successfully adopting Agile and achieving its promised benefits.

    The PO role is critical to the proper prioritization of requirements and efficient decision-making during the project.

    The PO role helps the organization to avoid "analysis paralysis" challenges often experienced in large command-and-control-style organizations.

    A poorly chosen or disengaged product owner will almost certainly stifle your Agile project.

    Note that for many organizations, "product owner" is not a formally recognized role, which can create HR issues. Some organizational education on Agile may be needed (especially if your organization is unionized).

    Info-Tech Insight

    Failing to establish effective product owners in your organization can be a "species-killing event" for your Agile transformation.

    The three A's of a product owner

    To ensure the effectiveness of a product owner, your organization should select one that meets the three A's:

    Available: Assign a PO that can focus full-time on the project. Make sure your PO can dedicate the time needed to fulfill this critical role.
    Appropriate: It's best for the PO to have strong subject matter expertise (so-called "super users" are often selected to be POs) as well as strong communication, collaboration, facilitation, and arbitration skills. A good PO will understand how to negotiate the best outcomes for the project, considering all project constraints.
    Authoritative: The PO must be empowered by your organization to speak authoritatively about priorities and goals and be able to answer questions from the project team quickly and efficiently. The PO must know when decisions can be made immediately and when they must be made in collaboration with other stakeholders – choosing a PO that is well-known and respected by stakeholders will help to make this more efficient.

    Info-Tech Insight

    It's critical to assign a PO that meets the three A's:

    • Available
    • Appropriate
    • Authoritative

    The three ears of a product owner*

    An effective product owner listens to (and effectively balances) the needs and constraints of three different groups:

    Organizational needs/constraints represent what is most important to the organization overall, and typically revolve around things like cost, schedule, return on investment, time to market, risk mitigation, conforming to policies and regulations, etc.

    Stakeholder needs/constraints represent what is most important to those who will be using the system and typically revolve around the delivery of value, ease of use, better outcomes, making their jobs easier and more efficient, getting what they ask for, etc.

    Delivery Team needs/constraints represent what is most important to those who are tasked with delivering the project and cover a broad range that includes tools, skills, capabilities, technology limitations, capacity limits, adequate testing, architectural considerations, sustainable workload, clear direction and requirements, opportunities to innovate, getting sufficient input and feedback, support for clearing roadblocks, dependencies on other teams, etc.

    Info-Tech Insight

    An effective PO will expertly balance the needs of:

    • The organization
    • Project stakeholders
    • The delivery team

    * For more, see Understanding Scrum: Why do Product Owners Have Three Ears

    A product owner doesn't act alone

    Although the PO plays a unique and central role in the success of an Agile project, it doesn't mean they "act alone."

    The PO is ultimately responsible for managing and maintaining an effective backlog over the project lifecycle, but many people contribute to maintaining this backlog (on large projects, BA's are often the primary contributors to the backlog).

    The PO role also relies heavily on stakeholders (to help define and elaborate user stories, provide input and feedback, answer questions, participate in sprint demos, participate in testing of sprint deliverables, etc.).

    The PO role also relies heavily on the delivery team. Some backlog management and story elaboration is done by delivery team members instead of the PO (think: elaborating user story details, creating acceptance criteria, writing test plans for user stories, etc.).

    The PO both contributes to these efforts and leads/oversees the efforts of others. The exact mix of "doing" and "leading" can be different on a case-by-case basis and is part of establishing the delivery team's norms.

    Given the importance of the role, care must be taken to not overburden the product owner, especially on large projects.

    Info-Tech Insight

    While being ultimately responsible for the product backlog, a PO often relies on others to aid in backlog management and maintenance.

    This is particularly true on large projects.

    The use of a proxy PO

    Sometimes, a proxy product owner is needed.

    It is always best to assign a product owner "from the business," who will bring subject matter expertise and have established relationships with stakeholders.

    When a PO from the business does not have enough time to fulfill the needs of the role completely (e.g. can only be a part-time PO, because they have a day job), assigning a proxy product owner can help to compensate for this.

    The proxy PO acts on behalf of the PO in order to reduce the PO's workload or to otherwise support them.

    Project participants (e.g. delivery team, stakeholders) should treat the PO and proxy PO as roughly equivalent.

    Project managers (PMs) and business analysts (BAs) are often good candidates for the proxy PO role.

    NOTE: It's highly advisable for the PO to attend all/most sprint demos in order to observe progress for themselves, and to identify any misalignment with expectations as early as possible (remember that the PO still has ultimate responsibility for the project outcomes).

    Info-Tech Insight

    Although not ideal, assigning a proxy PO can help to compensate for a PO who doesn't meet all three A's of Product Ownership.

    It is up to the PO and proxy to decide how they will work together (e.g. establish their norms).

    The use of a proxy PO

    The PO and proxy must work together closely and in a highly coordinated way.

    The PO and proxy must:

    • Work closely at the start of the project to agree on the overall approach they will follow, as well as any needs and constraints for the project.
    • Communicate frequently and effectively throughout the project, to ensure progress is being made and to address any challenges.
    • Have a "meeting of the minds" about how the different "parts" of the PO role will be divided between them (including when the proxy must defer to the PO on matters).
    • Focus on ensuring that all the responsibilities of the PO role are fulfilled effectively by the pair (how this is accomplished is up to the two of them to decide).
    • Ensure all project participants clearly understand the POs' and proxies' relative responsibilities to minimize confusion and mistakes.

    The use of multiple POs

    Sometimes, having multiple product owners makes sense.

    It is always best to assign a single product owner to a project. However, under certain circumstances, it can make sense to use multiple POs.

    For example, when implementing a large ERP system with many distinct modules (e.g. Finance, HR) it can be difficult to find a single PO who has sufficient subject matter expertise across all modules.

    When assigning Multiple POs to a project, be sure to identify a "Lead PO" (who is given ultimate responsibility for the entire project) and have the remaining POs act like Proxy POs.

    NOTE: Not surprisingly, it's highly advisable for the Lead PO to attend as many Sprint Demos as possible to observe progress for themselves, and to identify any misalignment with expectations as early as possible (remember that the Lead PO has ultimate responsibility for the project outcomes).

    Info-Tech Best Practice

    Although not ideal, assigning multiple POs to a project sometimes makes sense.

    When needed, be sure to identify a "Lead PO" and have the other PO's act like Proxies.

    Product Owner Exercise 2.1 Identify enablers and blockers

    30-60 minutes

    1. Brainstorm and discuss the key enablers that can help promote and ease your implementation of Product Ownership.
    2. Brainstorm and discuss the key blockers (or risks) that may interrupt or derail your efforts.
    3. Brainstorm mitigation activities for each blocker.
    Enablers Blockers Mitigation
    High business engagement and buy-in Significant time is required to implement and train resources Limit the scope for pilot project to allow time to learn
    Organizational acceptance for change Geographically distributed resources Temporarily collocate all resources and acquire virtual communication technology
    Existing tools can be customized for BRM Difficulty injecting customers in demos Educate customer groups on the importance of attendance and 'what's in it for them'

    Output

    • List of enablers and blockers to establishing product owners

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Establish an effective product owner role

    • The nature of a PO role can be somewhat foreign to many organizations, so candidates for the role will benefit from training along with coaching/mentoring support when starting out.
    • The PO must be able to make decisions quickly around project priorities, goals, and requirements.
    • A PO who is simply a conduit to a slow-moving steering committee will stifle an Agile project.
    • Establish clear boundaries and rules regarding which project decisions can be made directly by the PO and which must be escalated to stakeholders. Lean toward approaches that support the quickest decision-making (e.g. give the PO as much freedom as they need to be effective).
    • An effective PO has a good instinct for what is "good enough for now."
    • The organization can support the PO by focusing attention on goals and accomplishments rather than pushing processes and documentation.
    • Understand the difference between a project sponsor and a PO (the PO role is much more involved in the details, with a higher workload).
    • Agree on and clearly define the roles and responsibilities of PO, PM, dev manager, SM, etc. at the start of the project for clarity and efficiency.

    Characteristics to look for when selecting a product owner

    Here are some "ideal characteristics" for your POs (the more of these that are true for a given PO, the better):

    • Knows how to get things done in your organization
    • Has strong working relationships with project stakeholders (has established trust with them and is well respected by stakeholders as well as others)
    • Comes from the stakeholder community and is invested in the success of the project (ideally, will be an end user of the system)
    • Has proven communication, facilitation, mediation, and negotiation skills
    • Can effectively balance multiple competing priorities and constraints
    • Sees the big picture and strives to achieve the best outcomes possible (grounded in realistic expectations)
    • Works with a sense of urgency and welcomes ongoing feedback and collaboration with stakeholders
    • Understands how to act as an effective "funnel and filter" for stakeholder requests
    • Acts as an informal (but inspirational) leader whom others will follow
    • Has a strong sense of what is "good enough for now"
    • Protects the delivery team from distractions and keeps them focused on goals
    • Thinks strategically and incrementally

    Product Owner Exercise 2.2 (Optional) Dissect this definition of the product owner role

    30-60 minutes

    1. Take a minute or two to review the bullet points below, which describe the product owner's role.
    2. As a group, discuss the "message" for each bullet point in the description, and then identify which aspects would be "easy" and "hard" to achieve in your organization.
      • The product owner is a project team member who has been empowered by both the organization and stakeholders to act on their behalf and to guide the project directly with a single voice (supported by appropriate consultations with the organization and stakeholders).
      • The product owner must be someone with a good understanding of the project deliverable (they are often considered to be a subject matter expert in an area related to the project deliverable) and ideally is both well-known and respected by both the organization and stakeholders.
      • During the project, requirements clarification, prioritization, and scope changes are ultimately decided by the product owner, who must perform the important balancing act required by the project to adequately reflect the needs and constraints of the organization, its stakeholders, and the project team.
      • The product owner role can only be successful in an organization that has established a trusting and supportive culture. Great trust must be placed in the product owner to adequately balance competing needs in a way that leads to good outcomes for the organization. This trust must come with some authority to make important project decisions, and the organization must also support the product owner in addressing risks and roadblocks outside the control of the project team.
      • The product owner is first among equals when it comes to ultimate ownership of success for the project (along with the project delivery team itself). Because of this, any project of any significance will require the full-time effort of the product owner (don't shortchange yourself by under-investing in a willing, able, and available product owner)

    Output

    • Better understanding of the product owner role.

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Product Owner Exercise 2.2 (Optional) Dissect this definition of the product owner role

    Which aspects of the product owner are "easy" in your organization?

    Which aspects of the product owner are "hard" in your organization?

    Product Owner Module

    Establish an effective product owner role

    Activities

    3.1 Build a starting checklist of quality filters

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Understand the levels in a product backlog and how to create quality filters for PBIs moving through the backlog.
    • Define your product roadmap approach for key audiences.

    Product Owner Step 3: Managing effective product backlogs and roadmaps

    The primary role of the product owner is to manage the backlog effectively.

    When managed properly, the product backlog is a powerful project management tool that directly contributes to project success.

    The product owner's primary responsibility is to ensure this backlog is managed effectively.

    A backlog stores and organizes PBIs at various stages of readiness

    A well-formed backlog can be thought of as a DEEP backlog:

    • Detailed Appropriately: Product backlog items (PBIs) are broken down and refined as necessary.
    • Emergent: The backlog grows and evolves over time as PBIs are added and removed.
    • Estimated: The effort a PBI requires is estimated at each tier.
    • Prioritized: The PBIs value and priority are determined at each tier.

    (Perforce, 2018)

    An image showing the Ideas; Qualified; Ready; funnel leading to the sprint approach.

    Backlog tiers facilitate product planning steps

    An image of the product planning steps facilitated by Backlog Tiers

    Each activity is a variation of measuring value and estimating effort to validate and prioritize a PBI.

    A PBI meets our definition of done and passes through to the next backlog tier when it meets the appropriate criteria. Quality filters should exist between each tier.

    Backlog Exercise 2.1 Build a starting checklist of quality filters

    60 minutes

    1. Quality filters provide a checklist to ensure each Product Backlog Item (PBI) meets our definition of Done and is ready to move to the next backlog group (status).
    2. Create a checklist of basic descriptors that must be completed between each backlog level.
    3. If you completed this exercise in a different Module, review and update it here.
    4. Use this information to start your product strategy playbook in Deliver on Your Digital Product Vision.

    An image of the backlog tiers, identifying where product backlog and sprint backlog are

    Output

    • List of enablers and blockers to establishing product owners

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Outline the criteria to proceed to the next tier via quality filters

    Expand the concepts of defining "ready" and "done" to include the other stages of a PBIs journey through product planning.

    An image showing the approach you will use to Outline the criteria to proceed to the next tier via quality filters

    Info-Tech Insight: A quality filter ensures quality is met and teams are armed with the right information to work more efficiently and improve throughput.

    Define product value by aligning backlog delivery with roadmap goals

    In each product plan, the backlogs show what you will deliver.

    Roadmaps identify when and in what order you will deliver value, capabilities, and goals.

    Product roadmaps guide delivery and communicate your strategy

    In Deliver on Your Digital Product Vision, we demonstrate how the product roadmap is core to value realization. The product roadmap is your communicated path, and as a product owner, you use it to align teams and changes to your defined goals while aligning your product to enterprise goals and strategy.

    This is an image Adapted from: Pichler, What Is Product Management?

    Adapted from: Pichler, "What Is Product Management?"

    Info-Tech Insight

    The quality of your product backlog – and your ability to realize business value from your delivery pipeline – is directly related to the input, content, and prioritization of items in your product roadmap.

    Product delivery realizes value for your product family

    While planning and analysis are done at the family level, work and delivery are done at the individual product level.

    An example of performing planning and analysis at the family level.

    Leverage the product family roadmap for alignment

    It's more than a set of colorful boxes. It's the map to align everyone to where you are going.

    • Your product family roadmap:
      • Lays out a strategy for your product family.
      • Is a statement of intent for your family of products.
      • Communicates direction for the entire product family and product teams.
      • Directly connects to the organization's goals.
    • However, it is not:
      • Representative of a hard commitment.
      • A simple combination of your current product roadmaps.

    Your ideal roadmap approach is a spectrum, not a choice!

    Match your roadmap and backlog to the needs of the product.

    Tactical vs strategic roadmaps.

    Product Managers do not have to choose between being tactical or strategic.
    – Aha!, 2015

    Multiple roadmap views can communicate differently yet tell the same truth

    Audience

    Business/
    IT Leaders

    Users/Customers

    Delivery Teams

    Roadmap

    View

    Portfolio

    Product Family

    Technology

    Objectives

    To provide a snapshot
    of the portfolio and
    priority products

    To visualize and validate product strategy

    To coordinate broad technology and architecture decisions

    Artifacts

    Line items or sections of the roadmap are made up of individual products, and an artifact represents a disposition at its highest level.

    Artifacts are generally grouped by product teams and consist of strategic goals and the features that realize
    those goals.

    Artifacts are grouped by
    the teams who deliver
    that work and consist of technical capabilities that support the broader delivery of value for the product family.

    Product Owner Exercise 3.1 Build a starting checklist of quality filters

    60 minutes

    1. Views provide roadmap information to different audiences in the format and level of detail that is fit to their purpose.
    2. Consider the three primary audiences for roadmap alignment.
    3. Define the roles or people who the view best fits.
    4. Define the level of detail or artifacts shared in the view for each audience.
    5. Use this information to start your product strategy playbook in Deliver on Your Digital Product Vision.

    Business/
    IT Leaders

    Users/Customers

    Delivery Teams

    Audience:

    Audience:

    Audience:

    Level of Detail/Artifacts:

    Level of Detail/Artifacts:

    Level of Detail/Artifacts:

    Output

    • List of enablers and blockers to establishing product owners

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Connecting your product family roadmaps to product roadmaps

    Your product and product family roadmaps should be connected at an artifact level that is common between both. Typically, this is done with capabilities, but it can be done at a more granular level if an understanding of capabilities isn't available.

    A comparison between product family roadmaps and product roadmaps.

    Use product roadmaps to align cross-team dependencies

    Regardless of how other teams operate, teams need to align to common milestones.

    An image showing how you may Use product roadmaps to align cross-team dependencies

    Product Owner Module

    Establish an effective product owner role

    Activities

    4.1 Identify key insights and takeaways

    4.2 Perform exit survey and capture results

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Identify your key insights and takeaways.

    Product Owner Exercise 4.1
    Identify key insights and takeaways

    30 minutes

    1. As a group, discuss and capture your thoughts on:
      1. What key insights have participants gained from the Intro to Agile presentation?
      2. What if any takeaways do participants feel are needed as a result of the presentation?
      3. What changes need to be made in the organization to support/enhance Agile adoption?
    2. Capture your findings in the table below:
    What key insights have you gained? What takeaways have you identified?
    (e.g. better understanding of Agile mindset, principles, and practices) (e.g. how you can improve/spread Agile practices in the organization)

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Product Owner Exercise 4.2
    Perform an exit survey

    30 minutes

    1. Wrap up this section by addressing any remaining questions participants still have.
    2. Create your local exit survey by copying the template using the link below. Then copy and distribute your local survey link.
    3. Collect the consolidated survey results in preparation for your next steps.
    4. NOTE: Using this survey template requires having access to Microsoft Forms. If you cannot access Microsoft Forms, an Info-Tech analyst can send the survey for you. Alternatively, this survey can be done with sticky notes and a pen and paper to calculate the outcomes.

    Download Survey Template:

    Develop Your Agile Approach Exit Survey Template

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Agile Modules

    Prioritize Agile support with your top challenges

    Backlog Management

    Scrum Simulation

    Estimation

    Product Owner

    Product Roadmapping

    1: User stories and the art of decomposition

    2: Effective backlog management & refinement

    3: Identify insights and team feedback

    1: Scrum sprint planning and retrospective simulation

    2: Pass the balls – sprint velocity game

    1: Improve product backlog item estimation

    2: Agile estimation fundamentals

    3: Understand the wisdom of crowds

    4: Identify insights and team feedback

    1: Understand product management fundamentals

    2: The critical role of the product owner

    3: Manage effective product backlogs and roadmaps

    4: Identify insights and team feedback

    1: Identify your product roadmapping pains

    2: The six "tools" of product roadmapping

    3: Product roadmapping exercise

    Organizations often struggle with numerous pain points around Agile delivery.
    The Common Agile Challenges Survey results will help you identify and prioritize the organization's biggest (most cited) pain points. Treat these pain points like a backlog and address the biggest ones first.

    Agile modules provide supporting activities:

    Each module provides guidance and supporting activities related to a specific Agile challenge from your survey. These modules can be arranged to meet each organization's or team's needs while providing cohesive and consistent messaging. For additional supporting research, please visit the Agile / DevOps Resource Center.

    This phase involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Product Roadmapping

    Create effective product roadmaps

    Activities

    Roadmapping 1.1 Identify your product roadmapping pains
    Roadmapping 1.2 The six "tools" of product roadmapping
    Roadmapping 1.3 Product roadmapping exercise

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Understand product management fundamentals
    • Understand the six "tools" of roadmapping and how to use them

    Roadmapping Exercise 1.1: Tell us what product management means to you and how it differs from a project orientation

    10-15 minutes

    1. Share your current understanding of product management.
    What is product management, and how does it differ from a project orientation?

    Output

    • Your current understanding of product management and its benefits

    Participants

    • PMs, Pos, and SMs
    • Delivery managers
    • Delivery teams
    • Business stakeholders
    • Senior leaders
    • Other interested parties

    Definition of terms

    Project

    "A temporary endeavor undertaken to create a unique product, service, or result. The temporary nature of projects indicates a beginning and an end to the project work or a phase of the project work. Projects can stand alone or be part of a program or portfolio."

    – PMBOK, PMI

    Product

    "A tangible solution, tool, or service (physical or digital) that enables the long-term and evolving delivery of value to customers and stakeholders based on business and user requirements."
    Deliver on Your Digital Product Vision,
    Info-Tech Research Group

    Info-Tech Insight

    Any proper definition of product recognizes that they are long-term endeavors that don't end after the project finishes. Because of this, products need well thought out roadmaps.

    Deliver Digital Products at Scale via Enterprise Product Families

    Match your product management role definitions to your product family levels

    Product ownership exists at the different operational tiers or levels in your product hierarchy. This does not imply or require a management relationship.

    Product Portfolio
    Groups of product families within an overall value stream or capability grouping.
    Product Portfolio Manager

    Product Family
    A collection of related products. Products can be grouped along architectural, functional, operational, or experiential patterns.
    Product Family Manager

    Product
    Single product composed of one or more applications and services.
    Product Owner

    Info-Tech Insight

    The primary role conflict occurs when the product owner is a proxy for stakeholders or responsible for the delivery team. The product owner owns the product backlog. The delivery team owns the sprint backlog and delivery.

    Roadmapping Exercise 1.2 (Optional): Define "product" in your context*

    15-30 minutes

    1. Discuss what "product" means in your organization.
    2. Create a common, enterprise definition for "product."

    For example,

    • An application, platform, or application family.
    • Discrete items that deliver value to a user/customer.

    Capture your organization's definition of product:

    * For more on Product Management see Deliver on Your Digital Product Vision

    Output

    • Your enterprise/ organizational definition of products and services.

    Participants

    • PMs, Pos, and SMs
    • Delivery managers
    • Delivery teams
    • Business stakeholders
    • Senior leaders
    • Other interested parties

    Product Roadmapping

    Create effective product roadmaps

    Activities

    The six "tools" of product roadmapping

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Understand product management fundamentals
    • Understand the six "tools" of roadmapping and how to use them

    The six "tools" of product roadmapping

    the 6 tools of product roadmapping: Vision; Goals; Strategy; Roadmap; Backlog; Release Plan.

    Product Roadmapping

    Create effective product roadmaps

    Activities

    Roadmapping 3.1 Product roadmapping exercise
    Roadmapping 3.2 Identify key insights and takeaways
    Roadmapping 3.3 Perform an exit survey

    This step involves the following participants:

    • Product owners, product managers, and scrum masters
    • Delivery managers and senior leaders
    • Stakeholders and delivery teams

    Outcomes of this step

    • Understand product management fundamentals
    • Understand the six "tools" of roadmapping and how to use them

    Roadmapping Exercise 1.2 (Optional): Define "product" in your context*

    30 minutes

    1. As a team, read through the exercise back story below:

    The city of Binbetter is a picturesque place that is sadly in decline because local industry jobs are slowly relocating elsewhere. So, the local government has decided to do something to reinvigorate the city. Binbetter City Council has set aside money and a parcel of land they would like to develop into a venue that will attract visitors and generate revenue for the city.

    Your team was hired to develop the site, and you have already spent time with city representatives to create a vision, goals and strategy for building out this venue (captured on the following slides). The city doesn't want to wait until the entire venue is completed before it opens to visitors, and so you have been instructed to build it incrementally in order to bring in much needed revenue as soon as possible.

    Using the vision, goals, and strategy you have created, your team will need to plan out the build (i.e. create a roadmap and release plan for which parts of the venue to build and in which order). You can assume that visitors will come to the venue after your "Release 1", even while the rest is still under construction. Select one member of your team to be designated as the product owner. The entire team will work together to consider options and agree on a roadmap/release plan, but the product owner will be the ultimate decision-maker.

    * Adapted from Rautiainen et al, Toward Agile Product and Portfolio Management, 2015

    Output

    • Practical understanding of how to apply the six tools of product roadmapping.

    Participants

    • PMs, Pos, and SMs
    • Delivery managers
    • Delivery teams
    • Business stakeholders
    • Senior leaders
    • Other interested parties

    Roadmapping Exercise 3.1: Continued

    1. As a team, review vision, goal, and strategy:
      • Is this a "good" vision statement, and if so, why?
      • Does it live up to its definition of being: "notional and inspirational, while also calling out key guidance and constraints"?
      • Does it help you to rule in/out options for the Product?
      • e.g. Would a parking lot fit the vision?
      • What about a bunch of condominiums?
      • What about a theme park?

    Vision, Goals, and Strategy

    Product Vision: Create an architecturally significant venue that will attract both locals and tourists while also generating revenue for the city

    Roadmapping Exercise 3.1: Continued

    1. As a team, review vision, goal, and strategy:

    Vision, Goals, and Strategy

    Product Vision: Create an architecturally significant venue that will attract both locals and tourists while also generating revenue for the city

    An image of a Château-style Hotel (left) and a Gothic-style Cathedral (right)

    Goals: The venue will include a Château-style Hotel, Gothic-style Cathedral, and a Monument dedicated to the city's founder, Ivy Binbetter.

    Strategy: Develop the venue incrementally, focusing on the highest value elements first (prioritizing both usages by visitors and revenue generation).

    Roadmapping Exercise 3.1: Continued

    1. As a team, review the following exercise rules:
    • Your construction team has told you that they can divide the structures into 17 "equal" components (see below)
    • Each component will require about the same amount of time and resources to complete
    • You can ask the team to build these components in any order and temporary roofs can be built for components that are not at the top of a "stack" (e.g. you can build C3 without having to build C4 and C5 at the same time)
    • However, you cannot build the tops of any buildings first (e.g. don't build M3 until M2 and M1 are in place)

    An image of the chateau hotel and the Gothic Cathedral from the previous slide, broken down into 7 parts each

    Roadmapping Exercise 3.1: Continued

    1. As a team, review vision, goal, and strategy:
      • The city has asked you to decide on your "Release 1 MVP" and has limited you to selecting between 4 and 8 components for this MVP (fewer components = earlier opening date).
      • As a team, work together to decide which components will be in your MVP (remember, the PO makes the ultimate decision).
      • Drag your (4-8) selected MVP components over from the right and assemble them below (and explain your reasoning for your MVP selections):

    Release 1 (MVP)

    Vision, Goals, and Strategy

    Product Vision: Create an architecturally significant venue that will attract both locals and tourists while also generating revenue for the city

    Goals: The venue will include a Château-style Hotel, Gothic-style Cathedral, and a Monument dedicated to the city's founder, Ivy Binbetter.

    Strategy: Develop the venue incrementally, focusing on the highest value elements first (prioritizing both usages by visitors and revenue generation).

    An image of the chateau hotel and the Gothic Cathedral from the previous slide, broken down into 7 parts each

    Roadmapping Exercise 3.1: Continued
    (magnified venue)

    An image of the chateau hotel and the Gothic Cathedral from the previous slide, broken down into 7 parts each

    Roadmapping Exercise 3.1: Continued

    1. As a team, decide the rest of your roadmap:
      • The city has asked you to decide on the remainder of your roadmap
      • They have limited you to selecting between 2 and 4 components for each additional release (drag your selected component into each release below):
    Release 2 Release 3 Release 4 Release 5

    Vision, Goals, and Strategy

    Product Vision: Create an architecturally significant venue that will attract both locals and tourists while also generating revenue for the city

    Goals: The venue will include a Château-style Hotel, Gothic-style Cathedral, and a Monument dedicated to the city's founder, Ivy Binbetter.

    Strategy: Develop the venue incrementally, focusing on the highest value elements first (prioritizing both usages by visitors and revenue generation).

    An image of the chateau hotel and the Gothic Cathedral from the previous slide, broken down into 7 parts each

    Roadmapping Exercise 3.1: Continued

    Roadmap, Release Plan and Backlog

    an example roadmap plan; INCREASING: Priority; Requirements detail; Estimate accuracy; Level of commitment.

    Vision, Goals, and Strategy

    Product Vision: Create an architecturally significant venue that will attract both locals and tourists while also generating revenue for the city

    Goals: The venue will include a Château-style Hotel, Gothic-style Cathedral, and a Monument dedicated to the city's founder, Ivy Binbetter.

    Strategy: Develop the venue incrementally, focusing on the highest value elements first (prioritizing both usages by visitors and revenue generation).

    An image of the chateau hotel and the Gothic Cathedral from the previous slide, broken down into 7 parts each

    Roadmapping Exercise 3.2:
    Identify key insights and takeaways

    15 minutes

    1. As a group, discuss and capture your thoughts on:
      1. What key insights have participants gained from the product roadmapping module?
      2. What if any takeaways do participants feel are needed as a result of the module?
      3. What changes need to be made in the organization to support/enhance Agile adoption?
    2. Capture your findings in the table below:
    What key insights have you gained?What takeaways have you identified?
    • (e.g. better understanding of Agile mindset, principles, and practices)
    • (e.g. how you can improve/spread Agile practices in the organization)

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Roadmapping Exercise 3.3
    Perform an exit survey

    30 minutes

    1. Wrap up this section by addressing any remaining questions participants still have.
    2. Create your local exit survey by copying the template using the link below. Then copy and distribute your local survey link.
    3. Collect the consolidated survey results in preparation for your next steps.
    4. NOTE: Using this survey template requires having access to Microsoft Forms. If you cannot access Microsoft Forms, an Info-Tech analyst can send the survey for you. Alternatively, this survey can be done with sticky notes and a pen and paper to calculate the outcomes.

    Download Survey Template:

    Develop Your Agile Approach Exit Survey Template

    Output

    • A better understanding of Agile principles and practices
    • Action items that will help solidify Agile practices in the organization

    Participants

    • Product owners, product managers, and scrum masters
    • Delivery managers
    • Delivery teams
    • Stakeholders
    • Senior leaders

    Appendix

    Additional research to start your journey

    Related Info-Tech Research

    Mentoring for Agile Teams

    • Get practical help and guidance on your Agile transformation journey.

    Implement DevOps Practices That Work

    • Streamline business value delivery through the strategic adoption of DevOps practices.

    Deliver on Your Digital Product Vision

    • Build a product vision your organization can take from strategy through execution.

    Deliver Digital Products at Scale

    • Deliver value at the scale of your organization through defining enterprise product families.

    Bibliography

    "Agile Estimation Practice." DZone.com, 13 May 2013. Web.
    "Announcing DORA 2021 Accelerate State of DevOps Report." Google Cloud Blog. Accessed 8 Nov. 2022.
    "Are Your IT Strategy and Business Strategy Aligned?" 5Q Partners, 8 Jan. 2015. Accessed Oct. 2016.
    A, Karen. "20 Mental Models for Product Managers." Medium, Product Management Insider, 2 Aug. 2018 . Web.
    ADAMS, PAUL. "Product Teams: How to Build & Structure Product Teams for Growth." Inside Intercom, 30 Oct. 2019. Web.
    Agile Alliance. "Product Owner." Agile Alliance. n.d. Web.
    Ambysoft. "2018 IT Project Success Rates Survey Results." Ambysoft. 2018. Web.
    Banfield, Richard, et al. "On-Demand Webinar: Strategies for Scaling Your (Growing) Enterprise Product Team." Pluralsight, 31 Jan. 2018. Web.
    Bloch, Michael, Sven Blumberg, and Jurgen Laartz. "Delivering Large-Scale IT Projects on Time, on Budget, and on Value." McKinsey & Company, October 2012.
    Blueprint. "10 Ways Requirements Can Sabotage Your Projects Right From the Start." Blueprint. 2012. Web.
    Boehm, Barry W. Software Engineering Economics. New Jersey: Prentice Hall, 1981.
    Breddels, Dajo, and Paul Kuijten. "Product Owner Value Game." Agile2015 Conference. 2015. Web.
    Cagan, Martin. "Behind Every Great Product." Silicon Valley Product Group. 2005. Web.
    "Chaos Report 2015." The Standish Group, 2015. Accessed 29 July 2022.
    Cohn, Mike. Succeeding With Agile: Software Development Using Scrum. Addison-Wesley. 2010. Web.
    Connellan, Thomas K. Inside the Magic Kingdom, Bard Press, 1997. Print.
    Dyba, Tore, and Torgeir Dingsøyr. "Empirical Studies of Agile Software Development: A Systematic Review." Elsevier, ScienceDirect. 24 Jan. 2008. Web.
    "How do you define a product?" Scrum.org. 4 Apr 2017, Web
    EDUCAUSE. "Aligning IT Funding Models to the Pace of Technology Change." EDUCAUSE. 14 Dec. 2015. Web.
    Eick, Stephen. "Does Code Decay? Assessing the Evidence from Change Management Data." IEEE Transactions on Software Engineering, vol. 27, no. 1, Jan. 2001, pp. 1-12. Web.
    "Enablers." Scaled Agile. n.d. Web.
    "Epic." Scaled Agile. n.d. Web.
    Eringa, Ron. "Evolution of the Product Owner." RonEringa.com. 12 June 2016. Web.
    Fernandes, Thaisa. "Spotify Squad Framework - Part I." Medium.com. 6 Mar. 2017. Web.
    Fowler, Martin. "Application Boundary." MartinFowler.com. 11 Sept. 2003. Web. 20 Nov. 2017.
    Galen, Robert. "Measuring Technical Product Managership – What Does 'Good' Look Like ...." RGalen Consulting. 5 Aug. 2015. Web.
    Hackshall, Robin. "Product Backlog Refinement." Scrum Alliance. 9 Oct. 2014. Web. Feb. 2019.
    Halisky, Merland, and Luke Lackrone. "The Product Owner's Universe." Agile Alliance, Agile2016. 2016. Web.
    Kamer, Jurriaan. "How to Build Your Own 'Spotify Model'." Medium.com. 9 Feb. 2018. Web.
    Karlsson, Johan. "Backlog Grooming: Must-Know Tips for High-Value Products." Perforce. 18 May 2018. Web. Feb. 2019.
    Lindstrom, Lowell. "7 Skills You Need to Be a Great Product Owner." Scrum Alliance. n.d. Web.
    Lawrence, Richard, and Peter Green. "The Humanizing Work Guide to Splitting User Stories." Humanizing Work, 22 Oct. 2020. Web.
    Leffingwell, Dean. "SAFe 5.0." Scaled Agile Inc. 2021. Web. Feb. 2021.
    Lucero, Mario. "Product Backlog – Deep Model." Agilelucero. 8 Oct. 2014. Web.
    Lukassen, Chris. "The Five Belts Of The Product Owner." Xebia.com. 20 Sept. 2016. Web.
    Management 3.0. "Delegation Poker Product Image." Management 3.0. n.d. Web.
    McCloskey, Heather. "Scaling Product Management: Secrets to Defeating Common Challenges." Scaling Product Management: Secrets to Defeating Common Challenges, ProductPlan, 12 July 2019 . Web.
    McCloskey, Heather. "When and How to Scale Your Product Team." UserVoice Blog, UserVoice, 21 Feb. 2017 . Web.
    Medium.com. "Exploring Key Elements of Spotify's Agile Scaling Model." Medium.com. 23 July 2018. Web.
    Mironov, Rich. "Scaling Up Product Manager/Owner Teams: - Rich Mironov's Product Bytes." Rich Mironov's Product Bytes, Mironov Consulting, 12 Apr. 2014 . Web.
    "Most Agile Transformations Will Fail." Vitality Chicago Inc., 24 Jan. 2019.
    Overeem, Barry. "A Product Owner Self-Assessment." Barry Overeem. 6 Mar. 2017. Web.
    Overeem, Barry. "Retrospective: Using the Team Radar." Barry Overeem. 27 Feb. 2017. Web.
    "PI Planning." Scaled Agile. n.d. Web.
    "PI Planning."SAFe. 2020.
    Pichler, Roman. "How to Scale the Scrum Product Owner." Roman Pichler, 28 June 2016 . Web.
    Pichler, Roman. "Product Management Framework." Pichler Consulting Limited. 2014. Web.
    Pichler, Roman. "Sprint Planning Tips for Technical Product Managers." LinkedIn. 4 Sept. 2018. Web.
    Pichler, Roman. "What Is Product Management?" Pichler Consulting Limited. 26 Nov. 2014. Web.
    Project Management Institute. A Guide to the Project Management Body of Knowledge (PMBOK Guide). 7th ed., Project Management Institute, 2021.
    Radigan, Dan. "Putting the 'Flow' Back in Workflow With WIP Limits." Atlassian. n.d. Web.
    Royce, Dr. Winston W. "Managing the Development of Large Software Systems." Scf.usc.edu. 1970. Web.
    Schuurman, Robbin. "10 Tips for Technical Product Managers on Agile Product Management." Scrum.org. 28 Nov. 2017. Web.
    Schuurman, Robbin. "10 Tips for Technical Product Managers on (Business) Value." Scrum.org. 30 Nov. 2017. Web.
    Schuurman, Robbin. "10 Tips for Technical Product Managers on Product Backlog Management." Scrum.org. 5 Dec. 2017. Web.
    Schuurman, Robbin. "10 Tips for Technical Product Managers on the Product Vision." Scrum.org. 29 Nov. 2017. Web.
    Schuurman, Robbin. "Tips for Starting Technical Product Managers." Scrum.org. 27 Nov. 2017. Web.
    Sharma, Rohit. "Scaling Product Teams the Structured Way." Monetary Musings, Monetary Musings, 28 Nov. 2016 . Web.
    STEINER, ANNE. "Start to Scale Your Product Management: Multiple Teams Working on Single Product." Cprime, Cprime, 6 Aug. 2019 . Web.
    Shirazi, Reza. "Betsy Stockdale of Seilevel: Product Managers Are Not Afraid To Be Wrong." Austin VOP #50. 2 Oct. 2018. Web.
    Standish Group, The. "The Standish Group 2015 Chaos Report." The Standish Group. 2015. Web.
    Theus, Andre. "When Should You Scale the Product Management Team?" When Should You Scale the Product Management Team?, ProductPlan, 7 May 2019 . Web.
    Todaro, Dave. "Splitting Epics and User Stories." Ascendle. n.d. Web. Feb. 2019.
    Tolonen, Arto. "Scaling Product Management in a Single Product Company." Smartly.io - Digital Advertising Made Easy, Effective, and Enjoyable, Smartly.io, 26 Apr. 2018 . Web.
    Ulrich, Catherine. "The 6 Types of Product Managers. Which One Do You Need?" Medium.com. 19 Dec. 2017. Web.
    Vähäniitty, J. et al. "Chapter 7: Agile Product Management" in Towards Agile Product and Portfolio Management. Aalto University Software Process Research Group, 2010.
    VersionOne. "12th Annual State of Agile Report." VersionOne. 9 April 2018. Web.
    Verwijs, Christiaan. "Retrospective: Do The Team Radar." Medium.com. 10 Feb. 2017. Web.
    "Why Agile Fails Because of Corporate Culture - DZone Agile." Dzone.Com. Accessed 31 Aug. 2021.

    page 1 of the appendix
    page 2 of the appendix
    page 3 of the appendix
    page 4 of the appendix

    Cultural advantages of Agile

    Collaboration

    Team members leverage all their experience working towards a common goal.

    Iterations

    Cycles provide opportunities for more product feedback.

    Prioritization

    The most important needs are addressed in the current iteration.

    Continual Improvement

    Self-managing teams continually improve their approach for next iteration.

    A backlog stores and organizes PBIs at various stages of readiness

    A well-formed backlog can be thought of as a DEEP backlog:

    • Detailed Appropriately: Product backlog items (PBIs) are broken down and refined as necessary.
    • Emergent: The backlog grows and evolves over time as PBIs are added and removed.
    • Estimated: The effort a PBI requires is estimated at each tier.
    • Prioritized: The PBIs value and priority are determined at each tier.

    (Perforce, 2018)

    Info-Tech Best Practice

    Don't fully elaborate all of your PBIs at the beginning of the project instead, make sure they are elaborated "just in time." (Keep no more than 2 or 3 sprints worth of user stories in the Ready state.)

    An image showing the Ideas; Qualified; Ready; funnel leading to the sprint aproach.

    Scrum versus Kanban: Key differences

    page 6 of the appendix

    Scrum versus Kanban: When to use each

    Scrum: Delivering related or grouped changes in fixed time intervals.

    • Coordinating the development or release of related items
    • Maturing a product or service
    • Interdependencies between work items

    Kanban: Delivering independent items as soon as each is ready.

    • Work items from ticketing or individual requests
    • Completing independent changes
    • Releasing changes as soon as possible

    Develop an adaptive governance process

    page 7 of the appendix

    Five key principles for building an adaptive governance framework

    Delegate and Empower

    Decision making must be delegated down within the organization, and all resources must be empowered and supported to make effective decisions.

    Define Outcomes

    Outcomes and goals must be clearly articulated and understood across the organization to ensure decisions are in line and stay within reasonable boundaries.

    Make Risk informed decisions

    Integrated risk information must be available with sufficient data to support decision making and design approaches at all levels of the organization.

    Embed / Automate

    Governance standards and activities need to be embedded in processes and practices. Optimal governance reduces its manual footprint while remaining viable. This also allows for more dynamic adaptation.

    Establish standards and behavior

    Standards and policies need to be defined as the foundation for embedding governance practices organizationally. These guardrails will create boundaries to reinforce delegated decision making.

    Maturing governance is a journey

    Organizations should look to progress in their governance stages. Ad-Hoc, and controlled governance tends to be slow, expensive, and a poor fit for modern practices.

    The goal as you progress in your stages is to delegate governance and empower teams to make optimal decisions in real-time, knowing that they are aligned with the understood best interests of the organization.

    Automate governance for optimal velocity, while mitigating risks and driving value.

    This puts your organization in the best position to be adaptive and able to react effectively to volatility and uncertainty.

    page 8 of the appendix

    Business value is a key component to driving better decision making

    Better Decisions

    • Team Engagement
    • Frequent Delivery
    • Stakeholder Input
    • Market Analysis
    • Articulating Business Value
    • Focus on Business Needs

    Facilitation Planning Tool

    • Double-click the embedded Excel workbook to select and plan your exercises and timing.
    • Place or remove the "X" in the "Add to Agenda" column to add it to the workshop agenda and duration estimate.
    • Verify the exercise and step timing estimates from the blueprint provided on the "Detailed Workshop Planner" in columns C-F and adjust based on your facilitation and intended audience.

    an image of the Facilitation Planning Tool

    Appendix:
    SDLC transformation steps

    Waterfall SDLC: Valuable product delivered at the end of an extended project lifecycle, frequently in years

    Page 1 of the SDLC Appendix.

    • Business separated from delivery of technology it needs, only one third of product is actually valuable (Info-Tech, N=40,000).
    • In Waterfall, a team of experts in specific disciplines hand off different aspects of the lifecycle.
    • Document signoffs are required to ensure integration between silos (Business, Dev, and Ops) and individuals.
    • A separate change request process lays over the entire lifecycle to prevent changes from disrupting delivery.
    • Tools are deployed to support a specific role (e.g. BA) and seldom integrated (usually requirements <-> test).

    Wagile/Agifall/WaterScrumFall SDLC: Valuable product delivered in multiple releases

    Page 2 of the SDLC Appendix.

    • Business is more closely integrated by a business product owner accountable for day-to-day delivery of value for users.
    • The team collaborates and develops cross-functional skills as they define, design, build, and test code over time.
    • Signoffs are reduced but documentation is still focused on satisfying project delivery and operations policy requirements.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Tools start to be integrated to streamline delivery (usually requirements and Agile work management tools).

    Agile SDLC: Valuable product delivered iteratively; frequency depends on Ops' capacity

    Page 3 of the SDLC Appendix.

    • Business users are closely integrated through regularly scheduled demos (e.g. every two weeks).
    • Team is fully cross-functional and collaboratesto plan, define, design, build, and test the code supported by specialists.
    • Documentation is focused on future development and operations needs.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Explore automation for application development (e.g. automated regression testing).

    Agile with DevOps SDLC: High frequency iterative delivery of valuable product (e.g. every two weeks)

    Page 4 of the SDLC Appendix.

    • Business users are closely integrated through regularly scheduled demos.
    • Dev and ops teams collaborate to plan, define, design, build, test, and deploy code supported by automation.
    • Documentation is focused on supporting users, future changes, and operational support.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Build, test, deploy is fully automated (service desk is still separated).

    DevOps SDLC: Continuous integration and delivery

    Page 5 of the SDLC Appendix.

    • Business users are closely integrated through regularly scheduled demos.
    • Fully integrated DevOps team collaborates to plan, define, design, build, test, deploy, and maintain code.
    • Documentation Is focused on future development and use adoption.
    • Change is built into the process to allow the team to respond to change dynamically.
    • Fully integrated development and operations toolchain.

    Fully integrated product SDLC: Agile + DevOps + continuous delivery of valuable product on demand

    Page 6 of the SDLC Appendix.

    • Business users are fully integrated with the teams through dedicated business product owner.
    • Cross-functional teams collaborate across the business and technical life of the product.
    • Documentation supports internal and external needs (business, users, Ops).
    • Change is built into the process to allow the team to respond to change dynamically.
    • Fully integrated toolchain (including service desk).

    Data security consultancy

    Data security consultancy

    Based on experience
    Implementable advice
    human-based and people-oriented

    Data security consultancy makes up one of Tymans Group’s areas of expertise as a corporate consultancy firm. We are happy to offer our insights and solutions regarding data security and risk to businesses, both through online and offline channels. Read on and discover how our consultancy company can help you set up practical data security management solutions within your firm.

    How our data security consultancy services can help your company

    Data security management should be an important aspect of your business. As a data security consultancy firm, Tymans Group is happy to assist your small or medium-sized enterprise with setting up clear protocols to keep your data safe. As such, we can advise on various aspects comprising data security management. This ranges from choosing a fit-for-purpose data architecture to introducing IT incident management guidelines. Moreover, we can perform an external IT audit to discover which aspects of your company’s data security are vulnerable and which could be improved upon.

    Security and risk management

    Our security and risk services

    Security strategy

    Security Strategy

    Embed security thinking through aligning your security strategy to business goals and values

    Read more

    Disaster Recovery Planning

    Disaster Recovery Planning

    Create a disaster recovey plan that is right for your company

    Read more

    Risk Management

    Risk Management

    Build your right-sized IT Risk Management Program

    Read more

    Check out all our services

    Discover our practical data security management solutions

    Data security is just one aspect with which our consultancy firm can assist your company. Tymans Group offers its extensive expertise in various corporate management domains, such as quality management and risk management. Our solutions all stem from our vast expertise and have proven their effectiveness. Moreover, when you choose to employ our consultancy firm for your data security management, you benefit from a holistic, people-oriented approach.

    Set up an appointment with our experts

    Do you wish to learn more about our data security management solutions and services for your company? We are happy to analyze any issues you may be facing and offer you a practical solution if you contact us for an appointment. You can book a one-hour online talk or elect for an on-site appointment with our experts. Contact us to set up your appointment now.

    Continue reading

    Enhance PPM Dashboards and Reports

    • Buy Link or Shortcode: {j2store}438|cart{/j2store}
    • member rating overall impact (scale of 10): 9.5/10 Overall Impact
    • member rating average dollars saved: $18,849 Average $ Saved
    • member rating average days saved: 66 Average Days Saved
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • Your organization has introduced project portfolio management (PPM) processes that require new levels of visibility into the project portfolio that were not required before.
    • Key PPM decision makers are requesting new or improved dashboards and reports to help support making difficult decisions.
    • Often PPM dashboards and reports provide too much information and are difficult to navigate, resulting in information overload and end-user disengagement.
    • PPM dashboards and reports are laborious to maintain; ineffective dashboards end up wasting scarce resources, delay decisions, and negatively impact the perceived value of the PMO.

    Our Advice

    Critical Insight

    • Well-designed dashboards and reports help actively engage stakeholders in effective management of the project portfolio by communicating information and providing support to key PPM decision makers. This tends to improve PPM performance, making resource investments into reporting worthwhile.
    • Observations and insights gleaned from behavioral studies and cognitive sciences (largely ignored in PPM literature) can help PMOs design dashboards and reports that avoid information overload and that provide targeted decision support to key PPM decision makers.

    Impact and Result

    • Enhance your PPM dashboards and reports by carrying out a carefully designed enhancement project. Start by clarifying the purpose of PPM dashboards and reports. Establish a focused understanding of PPM decision-support needs, and design dashboards and reports to address these in a targeted way.
    • Conduct a thorough review of all existing dashboards and reports, evaluating the need, effort, usage, and satisfaction of each report to eliminate any unnecessary or ineffective dashboards and design improved dashboards and reports that will address these gaps.
    • Design effective and targeted dashboards and reports to improve the engagement of senior leaders in PPM and help improve PPM performance.

    Enhance PPM Dashboards and Reports Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should enhance your PPM reports and dashboards, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish a PPM dashboard and reporting enhancement project plan

    Identify gaps, establish a list of dashboards and reports to enhance, and set out a roadmap for your dashboard and reporting enhancement project.

    • Enhance PPM Dashboards and Reports – Phase 1: Establish a PPM Dashboard and Reporting Enhancement Project Plan
    • PPM Decision Support Review Workbook
    • PPM Dashboard and Reporting Audit Workbook
    • PPM Dashboard and Reporting Audit Worksheets – Exisiting
    • PPM Dashboard and Reporting Audit Worksheets – Proposed
    • PPM Metrics Menu
    • PPM Dashboard and Report Enhancement Project Charter Template

    2. Design and build enhanced PPM dashboards and reporting

    Gain an understanding of how to design effective dashboards and reports.

    • Enhance PPM Dashboards and Reports – Phase 2: Design and Build New or Improved PPM Dashboards and Reporting
    • PPM Dashboard and Report Requirements Workbook
    • PPM Executive Dashboard Template
    • PPM Dashboard and Report Visuals Template
    • PPM Capacity Dashboard Operating Manual

    3. Implement and maintain effective PPM dashboards and reporting

    Officially close and evaluate the PPM dashboard and reporting enhancement project and transition to an ongoing and sustainable PPM dashboard and reporting program.

    • Enhance PPM Dashboards and Reports – Phase 3: Implement and Maintain Effective PPM Dashboards and Reporting
    • PPM Dashboard and Reporting Program Manual
    [infographic]

    Workshop: Enhance PPM Dashboards and Reports

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish a PPM Dashboard and Reporting Enhancement

    The Purpose

    PPM dashboards and reports will only be effective and valuable if they are designed to meet your organization’s specific needs and priorities.

    Conduct a decision-support review and a thorough dashboard and report audit to identify the gaps your project will address.

    Take advantage of the planning stage to secure sponsor and stakeholder buy-in.

    Key Benefits Achieved

    Current-state assessment of satisfaction with PPM decision-making support.

    Current-state assessment of all existing dashboards and reports: effort, usage, and satisfaction.

    A shortlist of dashboards and reports to improve that is informed by actual needs and priorities.

    A shortlist of dashboards and reports to create that is informed by actual needs and priorities.

    The foundation for a purposeful and focused PPM dashboard and reporting program that is sustainable in the long term.

    Activities

    1.1 Engage in PPM decision-making review.

    1.2 Perform a PPM dashboard and reporting audit and gap analysis.

    1.3 Identify dashboards and/or reports needed.

    1.4 Plan the PPM dashboard and reporting project.

    Outputs

    PPM Decision-Making Review

    PPM Dashboard and Reporting Audit

    Prioritized list of dashboards and reports to be improved and created

    Roadmap for the PPM dashboard and reporting project

    2 Design New or Improved PPM Dashboards and Reporting

    The Purpose

    Once the purpose of each PPM dashboard and report has been identified (based on needs and priorities) it is important to establish what exactly will be required to produce the desired outputs.

    Gathering stakeholder and technical requirements will ensure that the proposed and finalized designs are realistic and sustainable in the long term.

    Key Benefits Achieved

    Dashboard and report designs that are informed by a thorough analysis of stakeholder and technical requirements.

    Dashboard and report designs that are realistically sustainable in the long term.

    Activities

    2.1 Review the best practices and science behind effective dashboards and reporting.

    2.2 Gather stakeholder requirements.

    2.3 Gather technical requirements.

    2.4 Build wireframe options for each dashboard or report.

    2.5 Review options: requirements, feasibility, and usability.

    2.6 Finalize initial designs.

    2.7 Design and record the input, production, and consumption workflows and processes.

    Outputs

    List of stakeholder requirements for dashboards and reports

    Wireframe design options

    Record of the assessment of each wireframe design: requirements, feasibility, and usability

    A set of finalized initial designs for dashboards and reports.

    Process workflows for each initial design

    3 Plan to Roll Out Enhanced PPM Dashboards and Reports

    The Purpose

    Ensure that enhanced dashboards and reports are actually adopted in the long term by carefully planning their roll-out to inputters, producers, and consumers.

    Plan to train all stakeholders, including report consumers, to ensure that the reports generate the decision support and PPM value they were designed to.

    Key Benefits Achieved

    An informed, focused, and scheduled plan for rolling out dashboards and reports and for training the various stakeholders involved.

    Activities

    3.1 Plan for external resourcing (if necessary): vendors, consultants, contractors, etc.

    3.2 Conduct impact analysis: risks and opportunities.

    3.3 Create an implementation and training plan.

    3.4 Determine PPM dashboard and reporting project success metrics.

    Outputs

    External resourcing plan

    Impact analysis and risk mitigation plan

    Record of the PPM dashboard and reporting project success metrics

    Drive Digital Transformation With Platform Strategies

    • Buy Link or Shortcode: {j2store}78|cart{/j2store}
    • member rating overall impact (scale of 10): 8.5/10 Overall Impact
    • member rating average dollars saved: $3,750 Average $ Saved
    • member rating average days saved: 4 Average Days Saved
    • Parent Category Name: IT Strategy
    • Parent Category Link: /it-strategy
    • Enterprise is grappling with the challenges of existing business models and strategies not leading to desired outcomes.
    • Enterprise is struggling to remain competitive.
    • Enterprise wants to understand how to leverage platform strategies and a digital platform.

    Our Advice

    Critical Insight

    To remain competitive enterprises must renew and refresh their business model strategies and design/develop digital platforms – this requires enterprises to:

    • Understand how digital-native enterprises are using platform business models and associated strategies.
    • Understand their core assets and strengths and how these can be leveraged for transformation.
    • Understand the core characteristics and components of a digital platform so that they can design digital platform(s) for their enterprise.
    • Ask if the client’s digital transformation (DX) strategy is aligned with a digital platform enablement strategy.
    • Ask if the enterprise has paid attention to the structure, culture, principles, and practices of platform teams.

    Impact and Result

    Organizations that implement this project will gain benefits in five ways:

    • Awareness and understanding of various platform strategies.
    • Application of specific platform strategies within the context of the enterprise.
    • Awareness of their existing business mode, core assets, value proposition, and strengths.
    • Alignment between DX themes and platform enablement themes so enterprises can develop roadmaps that gauge successful DX.
    • Design of a digital platform, including characteristics, components, and team characteristics, culture, principles, and practices.

    Drive Digital Transformation With Platform Strategies Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should consider the platform business model and a digital platform to remain competitive.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Set goals for your platform business model

    Understand the platform business model and strategies and then set your platform business model goals.

    • Drive Digital Transformation With Platform Strategies – Phase 1: Set Goals for Your Platform Business Model
    • Business Platform Playbook

    2. Configure digital platform

    Define design goals for your digital platform. Align your DX strategy with digital platform capabilities and understand key components of the digital platform.

    • Drive Digital Transformation With Platform Strategies – Phase 2: Configure Your Digital Platform
    • Digital Platform Playbook
    [infographic]

    Workshop: Drive Digital Transformation With Platform Strategies

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Platform Business Model and Strategies

    The Purpose

    Understand existing business model, value proposition, and key assets.

    Understand platform business model and strategies.

    Key Benefits Achieved

    Understanding the current assets helps with knowing what can be leveraged in the new business model/transformation.

    Understanding the platform strategies can help the enterprise renew/refresh their business model.

    Activities

    1.1 Document the current business model along with value proposition and key assets (that provide competitive advantage).

    1.2 Transformation narrative.

    1.3 Platform model canvas.

    1.4 Document the platform strategies in the context of the enterprise.

    Outputs

    Documentation of current business model along with value proposition and key assets (that provide competitive advantage).

    Documentation of the selected platform strategies.

    2 Planning for Platform Business Model

    The Purpose

    Understand transformation approaches.

    Understand various layers of platforms.

    Ask fundamental and evolutionary questions about the platform.

    Key Benefits Achieved

    Understanding of the transformational model so that the enterprise can realize the differences.

    Understanding of the organization’s strengths and weaknesses for a DX.

    Extraction of strategic themes to plan and develop a digital platform roadmap.

    Activities

    2.1 Discuss and document decision about DX approach and next steps.

    2.2 Discuss and document high-level strategic themes for platform business model and associated roadmap.

    Outputs

    Documented decision about DX approach and next steps.

    Documented high-level strategic themes for platform business model and associated roadmap.

    3 Digital Platform Strategy

    The Purpose

    Understand the design goals for the digital platform.

    Understand gaps between the platform’s capabilities and the DX strategy.

    Key Benefits Achieved

    Design goals set for the digital platform that are visible to all stakeholders.

    Gap analysis performed between enterprise’s digital strategy and platform capabilities; this helps understand the current situation and thus informs strategies and roadmaps.

    Activities

    3.1 Discuss and document design goals for digital platform.

    3.2 Discuss DX themes and platform capabilities – document the gaps.

    3.3 Discuss gaps and strategies along with timelines.

    Outputs

    Documented design goals for digital platform.

    Documented DX themes and platform capabilities.

    DX themes and platform capabilities map.

    4 Digital Platform Design: Key Components

    The Purpose

    Understanding of key components of a digital platform, including technology and teams.

    Key Benefits Achieved

    Understanding of the key components of a digital platform and designing the platform.

    Understanding of the team structure, culture, and practices needed for successful platform engineering teams.

    Activities

    4.1 Confirmation and discussion on existing UX/UI and API strategies.

    4.2 Understanding of microservices architecture and filling of microservices canvas.

    4.3 Real-time stream processing data pipeline and tool map.

    4.4 High-level architectural view.

    4.5 Discussion on platform engineering teams, including culture, structure, principles, and practices.

    Outputs

    Filled microservices canvas.

    Documented real-time stream processing data pipeline and tool map.

    Documented high-level architectural view.

    Gain Real Insights with a Social Analytics Program

    • Buy Link or Shortcode: {j2store}561|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Marketing Solutions
    • Parent Category Link: /marketing-solutions
    • Social media is wildly popular with consumers and as a result, many businesses are starting to develop a presence on social media services like Facebook and Twitter. However, many businesses still struggle with understanding how to leverage consumer insights from these services to drive business decisions. They’re intimidated by the sheer volume of social data, and aren’t sure what to do about it.
    • Companies that do have an analytics program are often operating it on an ad-hoc basis rather than making an effort to integrate social insights with existing sourcing of consumer data. In doing this, they’re failing to make holistic decisions and missing out on valuable consumer and competitive insights.

    Our Advice

    Critical Insight

    • Social analytics are indispensable in gaining real-time insights across marketing, sales, and customer service. SMBs can use social analytics to gain valuable consumer insights at a significantly lower expense than traditional forms of market research.
    • The greatest value from social analytics comes when organizations marry social data sources with other forms of customer information, such as point-of-sale data, customer surveys, focus groups, and psychographic profiles.
    • Social analytics must be integrated with your broader BI program for maximum effect. Consider creating a Customer Insights Center of Excellence (CICOE) to serve as a one-stop shop for both traditional and social customer analytics.
    • IT has an invaluable role to play in helping to govern and manage the analytics program. A best-of-breed Social Media Management Platform is the key enabling technology for conducting analytics, and IT must assist with selection, implementation and operation of this solution.
    • Internal social analytics is an emerging field that allows you to gauge the sentiment of your employees, while turbocharging ideation and feedback processes. Social networking analysis is particularly valuable for internal analysis.

    Impact and Result

    • Understand the value of a social analytics program and the various departmental use cases – how social analytics improves decision making and boosts critical KPIs like revenue attainment and customer satisfaction.
    • Determine the different social metrics (such as sentiment and frequency analysis) your business should be tracking and how to turn metrics into deep consumer insights.
    • Follow a step-by-step guide for successfully executing a social analytics program across your organization.
    • Roll out an internal analytics program to gauge the sentiment of your employees, improve engagement, and understand informal influencer networks.

    Gain Real Insights with a Social Analytics Program Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Determine the organization’s use cases

    Decide which functional areas in the organization will benefit the most from using social data, and create use cases accordingly.

    • Storyboard: Gain Real Insights with a Social Analytics Program

    2. Define and interpret metrics

    Identify and evaluate key social analytics metrics and understand the importance of combining multiple metrics to get the most out of the analytics program.

    • Social Analytics Maturity Assessment

    3. Execute the social analytics program

    Leverage a cross-departmental Social Media Steering Committee and evaluate SMMPs and other social analytics tools.

    • Social Analytics Specialist
    • Social Analytics Business Plan

    4. Leverage internal social analytics

    Identify specific uses of internal social analytics: crowd-sourcing ideation, harvesting employee feedback, and rewarding internal brand advocates.

    [infographic]

    Select and Use SDLC Metrics Effectively

    • Buy Link or Shortcode: {j2store}150|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $2,991 Average $ Saved
    • member rating average days saved: 32 Average Days Saved
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Your organization wants to implement (or revamp existing) software delivery metrics to monitor performance as well as achieve its goals.
    • You know that metrics can be a powerful tool for managing team behavior.
    • You also know that all metrics are prone to misuse and mismanagement, which can lead to unintended consequences that will harm your organization.
    • You need an approach for selecting and using effective software development lifecycle (SDLC) metrics that will help your organization to achieve its goals while minimizing the risk of unintended consequences.

    Our Advice

    Critical Insight

    • Metrics are powerful, dangerous, and often mismanaged, particularly when they are tied to reward or punishment. To use SDLC metrics effectively, know the dangers, understand good practices, and then follow Info-Tech‘s TAG (team-oriented, adaptive, and goal-focused) approach to minimize risk and maximize impact.

    Impact and Result

    • Begin by understanding the risks of metrics.
    • Then understand good practices associated with metrics use.
    • Lastly, follow Info-Tech’s TAG approach to select and use SDLC metrics effectively.

    Select and Use SDLC Metrics Effectively Research & Tools

    Start here – read the Executive Brief

    Understand both the dangers and good practices related to metrics, along with Info-Tech’s TAG approach to the selection and use of SDLC metrics.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Understand the dangers of metrics

    Explore the significant risks associated with metrics selection so that you can avoid them.

    • Select and Use SDLC Metrics Effectively – Phase 1: Understand the Risks of Metrics

    2. Know good practices related to metrics

    Learn about good practices related to metrics and how to apply them in your organization, then identify your team’s business-aligned goals to be used in SDLC metric selection.

    • Select and Use SDLC Metrics Effectively – Phase 2: Know Good Practices Related to Metrics
    • SDLC Metrics Evaluation and Selection Tool

    3. Rank and select effective SDLC metrics for your team

    Follow Info-Tech’s TAG approach to selecting effective SDLC metrics for your team, create a communication deck to inform your organization about your selected SDLC metrics, and plan to review and revise these metrics over time.

    • Select and Use SDLC Metrics Effectively – Phase 3: Rank and Select Effective SDLC Metrics for Your Team
    • SDLC Metrics Rollout and Communication Deck
    [infographic]

    Workshop: Select and Use SDLC Metrics Effectively

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand the Dangers of Metrics

    The Purpose

    Learn that metrics are often misused and mismanaged.

    Understand the four risk areas associated with metrics: Productivity loss Gaming behavior Ambivalence Unintended consequences

    Productivity loss

    Gaming behavior

    Ambivalence

    Unintended consequences

    Key Benefits Achieved

    An appreciation of the dangers associated with metrics.

    An understanding of the need to select and manage SDLC metrics carefully to avoid the associated risks.

    Development of critical thinking skills related to metric selection and use.

    Activities

    1.1 Examine the dangers associated with metric use.

    1.2 Share real-life examples of poor metrics and their impact.

    1.3 Practice identifying and mitigating metrics-related risk.

    Outputs

    Establish understanding and appreciation of metrics-related risks.

    Solidify understanding of metrics-related risks and their impact on an organization.

    Develop the skills needed to critically analyze a potential metric and reduce associated risk.

    2 Understand Good Practices Related to Metrics

    The Purpose

    Develop an understanding of good practices related to metric selection and use.

    Introduce Info-Tech’s TAG approach to metric selection and use.

    Identify your team’s business-aligned goals for SDLC metrics.

    Key Benefits Achieved

    Understanding of good practices for metric selection and use.

    Document your team’s prioritized business-aligned goals.

    Activities

    2.1 Examine good practices and introduce Info-Tech’s TAG approach.

    2.2 Identify and prioritize your team’s business-aligned goals.

    Outputs

    Understanding of Info-Tech’s TAG approach.

    Prioritized team goals (aligned to the business) that will inform your SDLC metric selection.

    3 Rank and Select Your SDLC Metrics

    The Purpose

    Apply Info-Tech’s TAG approach to rank and select your team’s SDLC metrics.

    Key Benefits Achieved

    Identification of potential SDLC metrics for use by your team.

    Collaborative scoring/ranking of potential SDLC metrics based on their specific pros and cons.

    Finalize list of SDLC metrics that will support goals and minimize risk while maximizing impact.

    Activities

    3.1 Select your list of potential SDLC metrics.

    3.2 Score each potential metric’s pros and cons against objectives using a five-point scale.

    3.3 Collaboratively select your team’s first set of SDLC metrics.

    Outputs

    A list of potential SDLC metrics to be scored.

    A ranked list of potential SDLC metrics.

    Your team’s first set of goal-aligned SDLC metrics.

    4 Create a Communication and Rollout Plan

    The Purpose

    Develop a rollout plan for your SDLC metrics.

    Develop a communication plan.

    Key Benefits Achieved

    SDLC metrics.

    A plan to review and adjust your SDLC metrics periodically in the future.

    Communication material to be shared with the organization.

    Activities

    4.1 Identify rollout dates and responsible individuals for each SDLC metric.

    4.2 Identify your next SDLC metric review cycle.

    4.3 Create a communication deck.

    Outputs

    SDLC metrics rollout plan

    SDLC metrics review plan

    SDLC metrics communication deck

    Prepare to Successfully Deploy PPM Software

    • Buy Link or Shortcode: {j2store}437|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Portfolio Management
    • Parent Category Link: /portfolio-management
    • PPM suite deployments are complicated and challenging. Vendors and consultants can provide much needed expertise and assistance to organizations deploying new PPM suites.
    • While functional requirements are often defined during the procurement stage (for example, in an RFP), the level of detail during this stage is likely insufficient for actually configuring the solution to your specific PPM needs. Too many organizations fail to further develop these functional requirements between signing their contracts and the official start of their professional implementation engagement.
    • Many organizations fail to organize and record the PPM data they will need to populate the new PPM suite. In almost all cases, customers have the expertise and are in the best position to collect and organize their own data. Leaving this until the vendor or consultant arrives to help with the deployment can result in using your professional services in a suboptimal way.
    • Vendors and consultants want you to prepare for their implementation engagements so that you can make the best use of their expertise and assistance. They want you to deploy a PPM suite that can be sustainably adopted in the long term. All too often, however, they arrive onsite to find customers that are disorganized and underprepared.

    Our Advice

    Critical Insight

    • Preparing for a professional implementation engagement allows you to make the best use of your professional services, as well as helping to ensure that the PPM suite is deployed according to your specific PPM needs.
    • Involving your internal resources in the preparation of data and in fully defining functional requirements for the PPM suite helps to establish stakeholder buy-in early on, helping to build internal ownership of the solution from the beginning. This avoids the solution being perceived as something the vendor/consultant “forced upon us.”
    • Vendors and consultants are happy when organizations are organized and prepared for their professional implementation engagements. Preparation ensures these engagements are positive experiences for everyone involved.

    Impact and Result

    • Ensure that the data necessary to deploy the new PPM suite is recorded and organized.
    • Make your functional requirements detailed enough to ensure that the new PPM suite can be configured/customized during the deployment engagement in a way that best fits the organization’s actual PPM needs.
    • Through carefully preparing data and fully defining functional requirements, you help the solution become sustainably adopted in the long term.

    Prepare to Successfully Deploy PPM Software Research & Tools

    Start here – read the Executive Brief

    Read this Executive Brief to understand why preparing for PPM deployment will ensure that organizations get the most value out of the implementation professional services they purchased and will help drive long-term sustainable adoption of the new PPM suite.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Create a preparation team and plan

    Engage in purposeful and effective PPM deployment planning by clearly defining what to prepare and when exactly it is time to move from planning to execution.

    • Prepare to Successfully Deploy PPM Software – Phase 1: Create a Preparation Team and Plan
    • Prepare to Deploy PPM Suite Project Charter Template
    • PPM Suite Functional Requirements Document Template
    • PPM Suite Deployment Timeline Template (Excel)
    • PPM Suite Deployment Timeline Template (Project)
    • PPM Suite Deployment Communication Plan Template

    2. Prepare project-related requirements and deliverables

    Provide clearer definition to specific project-related functional requirements and collect the appropriate PPM data needed for an effective PPM suite deployment facilitated by vendors/consultants.

    • Prepare to Successfully Deploy PPM Software – Phase 2: Prepare Project-Related Requirements and Deliverables
    • PPM Deployment Data Workbook
    • PPM Deployment Dashboard and Report Requirements Workbook

    3. Prepare PPM resource requirements and deliverables

    Provide clearer definition to specific resource management functional requirements and data and create a communication and training plan.

    • Prepare to Successfully Deploy PPM Software – Phase 3: Prepare PPM Resource Requirements and Deliverables
    • PPM Suite Transition Plan Template
    • PPM Suite Training Plan Template
    • PPM Suite Training Management Tool

    4. Provide preparation materials to the vendor and implementation professionals

    Plan how to engage vendors/consultants by communicating functional requirements to them and evaluating changes to those requirements proposed by them.

    • Prepare to Successfully Deploy PPM Software – Phase 4: Provide Preparation Materials to the Vendor and Implementation Professionals
    [infographic]

    Workshop: Prepare to Successfully Deploy PPM Software

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Plan the Preparation Project

    The Purpose

    Select a preparation team and establish clear assignments and accountabilities.

    Establish clear deliverables, milestones, and metrics to ensure it is clear when the preparation phase is complete.

    Key Benefits Achieved

    Preparation activities will be organized and purposeful, ensuring that you do not threaten deployment success by being underprepared or waste resources by overpreparing.

    Activities

    1.1 Overview: Determine appropriate functional requirements to define and data to record in preparation for the deployment.

    1.2 Create a timeline.

    1.3 Create a charter for the PPM deployment preparation project: record lessons learned, establish metrics, etc.

    Outputs

    PPM Suite Deployment Timeline

    Charter for the PPM Suite Preparation Project Team

    2 Prepare Project-Related Requirements and Deliverables

    The Purpose

    Collect and organize relevant project-related data so that you are ready to populate the new PPM suite when the vendor/consultant begins their professional implementation engagement with you.

    Clearly define project-related functional requirements to aid in the configuration/customization of the tool.

    Key Benefits Achieved

    An up-to-date and complete record of all relevant PPM data.

    Avoidance of scrambling to find data at the last minute, risking importing out-of-date or irrelevant information into the new software.

    Clearly defined functional requirements that will ensure the suite is configured in a way that can be adoption in the long term.

    Activities

    2.1 Define project phases and categories.

    2.2 Create a list of all projects in progress.

    2.3 Record functional requirements for project requests, project charters, and business cases.

    2.4 Create a list of all existing project requests.

    2.5 Record the current project intake processes.

    2.6 Define PPM dashboard and reporting requirements.

    Outputs

    Project List (basic)

    Project Request Form Requirements (basic)

    Scoring/Requirements (basic)

    Business Case Requirements (advanced)

    Project Request List (basic)

    Project Intake Workflows (advanced)

    PPM Reporting Requirements (basic)

    3 Prepare PPM Resource Requirements and Deliverables

    The Purpose

    Collect and organize relevant resource-related data.

    Clearly define resource-related functional requirements.

    Create a purposeful transition, communication, and training plan for the deployment period.

    Key Benefits Achieved

    An up-to-date and complete record of all relevant PPM data that allows your vendor/consultant to get right to work at the start of the implementation engagement.

    Improved buy-in and adoption through transition, training, and communication activities that are tailored to the actual needs of your specific organization and users.

    Activities

    3.1 Create a portfolio-wide roster of project resources (and record their competencies and skills, if appropriate).

    3.2 Record resource management processes and workflows.

    3.3 Create a transition plan from existing PPM tools and processes to the new PPM suite.

    3.4 Identify training needs and resources to be leveraged during the deployment.

    3.5 Define training requirements.

    3.6 Create a PPM deployment training plan.

    Outputs

    Resource Roster and Competency Profile (basic)

    User Roles and Permissions (basic)

    Resource Management Workflows (advanced)

    Transition Approach and Plan (basic)

    Data Archiving Requirements (advanced)

    List of Training Modules and Attendees (basic)

    Internal Training Capabilities (advanced)

    Training Milestones and Deadlines (basic)

    4 Provide Preparation Materials to the Vendor and Implementation Professionals

    The Purpose

    Compile the data collected and the functional requirements defined so that they can be provided to the vendor and/or consultant before the implementation engagement.

    Key Benefits Achieved

    Deliverables that record the outputs of your preparation and can be provided to vendors/consultants before the implementation engagement.

    Ensures that the customer is an active and equal partner during the deployment by having the customer prepare their material and initiate communication.

    Vendors and/or consultants have a clear understanding of the customer’s needs and expectations from the beginning.

    Activities

    4.1 Collect, review, and finalize the functional requirements.

    4.2 Compile a functional requirements and data package to provide to the vendor and/or consultants.

    4.3 Discuss how proposed changes to the functional requirements will be reviewed and decided.

    Outputs

    PPM Suite Functional Requirements Documents

    PPM Deployment Data Workbook

    The Resilience Pack

    The Resilience Pack

    All items you need to become resilient.

    Resilience results from a clear set of governance, mindset, attitudes and actions.

    If you have not yet read "What is resilience?" I can recommend it. This pack contains the elements to start your resilience journey.

    Contact us to get started

    With this pack, we give you the right direction to become resilient. Please contact us to discuss the options.
    Tymans Group also offers consulting, as well as an extension to EU DORA compliance. 

    Continue reading

    Implement Risk-Based Vulnerability Management

    • Buy Link or Shortcode: {j2store}296|cart{/j2store}
    • member rating overall impact (scale of 10): 9.2/10 Overall Impact
    • member rating average dollars saved: $122,947 Average $ Saved
    • member rating average days saved: 34 Average Days Saved
    • Parent Category Name: Threat Intelligence & Incident Response
    • Parent Category Link: /threat-intelligence-incident-response
    • Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.
    • Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option itself.

    Our Advice

    Critical Insight

    • Patches are often seen as the only answer to vulnerabilities, but these are not always the most suitable solution.
    • Vulnerability management does not equal patch management. It includes identifying and assessing the risk of the vulnerability, and then selecting a remediation option which goes beyond just patching alone.
    • There is more than one way to tackle the problem. Leverage your existing security controls in order to protect the organization.

    Impact and Result

    • At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.
    • Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.
    • The risk-based approach will allow you prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities, while allowing your standard remediation cycle to address the medium to low vulnerabilities.
    • With your program defined and developed, you now need to configure your vulnerability scanning tool, or acquire one if you don’t already have a tool in place.
    • Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    Implement Risk-Based Vulnerability Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should design and implement a vulnerability management program, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Identify vulnerability sources

    Begin the project by creating a vulnerability management team and determine how vulnerabilities will be identified through scanners, penetration tests, third-party sources, and incidents.

    • Vulnerability Management SOP Template

    2. Triage vulnerabilities and assign priorities

    Determine how vulnerabilities will be triaged and evaluated based on intrinsic qualities and how they may compromise business functions and data sensitivity.

    • Vulnerability Tracking Tool
    • Vulnerability Management Risk Assessment Tool
    • Vulnerability Management Workflow (Visio)
    • Vulnerability Management Workflow (PDF)

    3. Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available. Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    4. Measure and formalize

    Evolve the program continually by developing metrics and formalizing a policy.

    • Vulnerability Management Policy Template
    • Vulnerability Scanning Tool RFP Template
    • Penetration Test RFP Template

    Infographic

    Workshop: Implement Risk-Based Vulnerability Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Vulnerability Sources

    The Purpose

    Establish a common understanding of vulnerability management, and define the roles, scope, and information sources of vulnerability detection.

    Key Benefits Achieved

    Attain visibility on all of the vulnerability information sources, and a common understanding of vulnerability management and its scope.

    Activities

    1.1 Define the scope & boundary of your organization’s security program.

    1.2 Assign responsibility for vulnerability identification and remediation.

    1.3 Develop a monitoring and review process of third-party vulnerability sources.

    1.4 Review incident management and vulnerability management

    Outputs

    Defined scope and boundaries of the IT security program

    Roles and responsibilities defined for member groups

    Process for review of third-party vulnerability sources

    Alignment of vulnerability management program with existing incident management processes

    2 Triage and Prioritize

    The Purpose

    We will examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach and prepare for remediation options.

    Key Benefits Achieved

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Activities

    2.1 Evaluate your identified vulnerabilities.

    2.2 Determine high-level business criticality.

    2.3 Determine your high-level data classifications.

    2.4 Document your defense-in-depth controls.

    2.5 Build a classification scheme to consistently assess impact.

    2.6 Build a classification scheme to consistently assess likelihood.

    Outputs

    Adjusted workflow to reflect your current processes

    List of business operations and their criticality and impact to the business

    Adjusted workflow to reflect your current processes

    List of defense-in-depth controls

    Vulnerability Management Risk Assessment tool formatted to your organization

    Vulnerability Management Risk Assessment tool formatted to your organization

    3 Remediate Vulnerabilities

    The Purpose

    Identifying potential remediation options.

    Developing criteria for each option in regard to when to use and when to avoid.

    Establishing exception procedure for testing and remediation.

    Documenting the implementation of remediation and verification.

    Key Benefits Achieved

    Identifying and selecting the remediation option to be used

    Determining what to do when a patch or update is not available

    Scheduling and executing the remediation activity

    Planning continuous improvement

    Activities

    3.1 Develop risk and remediation action.

    Outputs

    List of remediation options sorted into “when to use” and “when to avoid” lists

    4 Measure and Formalize

    The Purpose

    You will determine what ought to be measured to track the success of your vulnerability management program.

    If you lack a scanning tool this phase will help you determine tool selection.

    Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    Key Benefits Achieved

    Outline of metrics that you can then configure your vulnerability scanning tool to report on.

    Development of an inaugural policy covering vulnerability management.

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Activities

    4.1 Measure your program with metrics, KPIs, and CSFs.

    4.2 Update the vulnerability management policy.

    4.3 Create an RFP for vulnerability scanning tools.

    4.4 Create an RFP for penetration tests.

    Outputs

    List of relevant metrics to track, and the KPIs, CSFs, and business goals for.

    Completed Vulnerability Management Policy

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Completed Request for Proposal (RFP) document that can be distributed to vendor proponents

    Further reading

    Implement Risk-Based Vulnerability Management

    Get off the patching merry-go-round and start mitigating risk!

    Table of Contents

    4 Analyst Perspective

    5 Executive Summary

    6 Common Obstacles

    8 Risk-based approach to vulnerability management

    16 Step 1.1: Vulnerability management defined

    24 Step 1.2: Defining scope and roles

    34 Step 1.3: Cloud considerations for vulnerability management

    33 Step 1.4: Vulnerability detection

    46 Step 2.1: Triage vulnerabilities

    51 Step 2.2: Determine high-level business criticality

    56 Step 2.3: Consider current security posture

    61 Step 2.4: Risk assessment of vulnerabilities

    71 Step 3.1: Assessing remediation options

    Table of Contents

    80 Step 3.2: Scheduling and executing remediation

    85 Step 3.3: Continuous improvement

    89 Step 4.1: Metrics, KPIs, and CSFs

    94 Step 4.2: Vulnerability management policy

    97 Step 4.3: Select & implement a scanning tool

    107 Step 4.4: Penetration testing

    118 Summary of accomplishment

    119 Additional Support

    120 Bibliography

    Analyst Perspective

    Vulnerabilities will always be present. Know the unknowns!

    In this age of discovery, technology changes at such a rapid pace. New things are discovered, both in new technology and in old. The pace of change can often be very confusing as to where to start and what to do.

    The ever-changing nature of technology means that vulnerabilities will always be present. Taking measures to address these completely will consume all your department’s time and resources. That, and your efforts will quickly become stale as new vulnerabilities are uncovered. Besides, what about the systems that simply can’t be patched? The key is to understand the vulnerabilities and the levels of risk they pose to your organization, to prioritize effectively and to look beyond patching.

    A risk-based approach to vulnerability management will ensure you are prioritizing appropriately and protecting the business. Reduce the risk surface!

    Vulnerability management is more than just systems and application patching. It is a full process that includes patching, compensating controls, segmentation, segregation, and heightened diligence in security monitoring.

    Jimmy Tom, Research Advisor – Security, Privacy, Risk, and Compliance, Info-Tech Research Group.Jimmy Tom
    Research Advisor – Security, Privacy, Risk, and Compliance
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Vulnerability scanners, industry alerts, and penetration tests are revealing more and more vulnerabilities, and it is unclear how to manage them.

    Organizations are struggling to prioritize the vulnerabilities for remediation, as there are many factors to consider, including the threat of the vulnerability and the potential remediation option.

    Common Obstacles

    Patches are often seen as the answer to vulnerabilities, but these are not always the most suitable solution.

    Some systems deemed vulnerable simply cannot be patched or easily replaced.

    Companies are unaware of the risk implications that come from leaving the vulnerability open and from the remediation option itself.

    Info-Tech’s Approach

    Design and implement a vulnerability management program that identifies, prioritizes, and remediates vulnerabilities.

    Understand what needs to be considered when implementing remediation options, including patches, configuration changes, and defense-in-depth controls.

    Build a process that is easy to understand and allows vulnerabilities to be remediated proactively, instead of in an ad hoc fashion.

    Info-Tech Insight

    Vulnerability management does not always equal patch management. There is more than one way to tackle the problem, particularly if a system cannot be easily patched or replaced. If a vulnerability cannot be completely remediated, steps to reduce the risk to a tolerable level must be taken.

    Common obstacles

    These barriers make vulnerability management difficult to address for many organizations:
    • The value of vulnerability management is not well articulated in many organizations. As a result, investment in vulnerability scanning technology is often insufficient.
    • Many organizations feel that a “patch everything” approach is the most effective path.
    • Vulnerability management is commonly misunderstood as being a process that only supports patch management.
    • There is often misalignment between SecOps and ITOps in remediation action and priority, affecting the timeliness of remediation.
    CVSS Score Distribution From the National Vulnerability Database: Pie Charts presenting the CVSS Core Distribution for the National Vulnerability Database. The left circle represents 'V3' and the right 'V2', where V3 has an extra option for 'Critical', above 'High', 'Medium', and 'Low', and V2 does not.
    (Source: NIST National Vulnerability Database Dashboard)

    Leverage risk to sort, triage, and prioritize vulnerabilities

    Reduce your risk surface to avoid cost to your business; everything else is table stakes.

    Reduce the critical and high vulnerabilities below the risk threshold and operationalize the remediation of medium/low vulnerabilities by following your effective vulnerability management program cycles.

    Identify vulnerability sources

    An inventory of your scanning tool and vulnerability threat intelligence data sources will help you determine a viable strategy for addressing vulnerabilities. Defining roles and responsibilities ahead of time will ensure you are not left scrambling when dealing with vulnerabilities.

    Triage and prioritize

    Bring the vulnerabilities into context by assessing vulnerabilities based on your security posture and mechanisms and not just what your data sources report. This will allow you to gauge the true urgency of the vulnerabilities based on risk and determine an effective mitigation plan.

    Remediate vulnerabilities

    Address the vulnerabilities based on their level of risk. Patching isn't the only risk mitigation action; some systems simply cannot be patched, but other options are available.

    Reduce the risk down to medium/low levels and engage your regular operational processes to deal with the latter.

    Measure and formalize

    Upon implementation of the program, measure with metrics to ensure that the program is successful. Improve the program with each iteration of vulnerability mitigation to ensure continuous improvement.

    Tactical Insight 1

    All actions to address vulnerabilities should be based on risk and the organization’s established risk tolerance.

    Tactical Insight 2

    Reduce the risk surface down below the risk threshold.

    The industry has shifted to a risk-based approach

    Traditional vulnerability management is no longer viable.

    “For those of us in the vulnerability management space, ensuring that money, resources, and time are strategically spent is both imperative and difficult. Resources are dwindling fast, but the vulnerability problem sure isn’t.” (Kenna Security)

    “Using vulnerability scanners to identify unpatched software is no longer enough. Keeping devices, networks, and digital assets safe takes a much broader, risk-based vulnerability management strategy – one that includes vulnerability assessment and mitigation actions that touch the entire ecosystem.” (Balbix)

    “Unlike legacy vulnerability management, risk-based vulnerability management goes beyond just discovering vulnerabilities. It helps you understand vulnerability risks with threat context and insight into potential business impact.” (Tenable)

    “A common mistake when prioritizing patching is equating a vulnerability’s Common Vulnerability Scoring System (CVSS) score with risk. Although CVSS scores can provide useful insight into the anatomy of a vulnerability and how it might behave if weaponized, they are standardized and thus don’t reflect either of the highly situational variables — namely, weaponization likelihood and potential impact — that factor into the risk the vulnerability poses to an organization.” (SecurityWeek)

    Why a take risk-based approach?

    Vulnerabilities, by the numbers

    60% — In 2019, 60% of breaches were due to unpatched vulnerabilities.

    74% — In the same survey, 74% of survey responses said they cannot take down critical applications and systems to patch them quickly. (Source: SecurityBoulevard, 2019)

    Info-Tech Insight

    Taking a risk-based approach will allow you to focus on mitigating risk, rather than “just patching” your environment.

    The average cost of a breach in 2020 is $3.86 million, and “…the price tag was much less for mature companies and industries and far higher for firms that had lackluster security automation and incident response processes.” (Dark Reading)

    Vulnerability Management

    A risk-based approach

    Reduce the risk surface to avoid cost to your business, everything else is table stakes

    Logo for Info-Tech.
    Logo for #iTRG.

    1

    Identify

    4

    Address

    Mitigate the risk surface by reducing the time across the phases ›Mitigate the risk by implementing:
    • patch systems & apps
    • compensating controls
    • systems and apps hardening
    • systems segregation
    Chart presenting an example of 'Risk Surface' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. The area between the line and your organization's risk tolerance is labelled 'Risk Surface'.

    Objective: reduce risk surface by reducing time to address

    Your organization's risk tolerance threshold

    Identify vulnerability management scanning tools & external threat intel sources (Mitre CVE, US-CERT, vendor alerts, etc.)Vulnerability information feeds:
    • scanning tool
    • external threat intel
    • internal threat intel

    2

    Analyze

    Assign actual risk (impact x urgency) to the organization based on current security posture

    Triage based on risk ›

    Your organization's risk tolerance threshold

    Risk tolerance threshold map with axes 'Impact' and 'Likelihood'. High levels of one and low levels of the other, or medium levels of both, is 'Medium', High level of one and Medium levels of the other is 'High', and High levels of both is 'Critical'.

    3

    Assess

    Plan risk mitigation strategy ›Consider:
    • risk tolerance
    • compensating controls
    • business impact

    Info-Tech’s vulnerability management methodology

    Focus on developing the most efficient processes.

    Vulnerability management isn’t “old school.”

    The vulnerability management market is relatively mature; however, vulnerability management remains a very relevant and challenging topic.

    Security practitioners are inundated with the advice they need to prioritize their vulnerabilities. Every vulnerability scanning vendor will proclaim their ability to prioritize the identified vulnerabilities.

    Third-party prioritization methodology can’t be effectively applied across all organizations. Each organization is too unique with different constraints. No tool or service can account for these variables.

    Equation to find 'Vulnerability Priority'.

    When patching is not possible, other options exist: configuration changes (hardening), defense-in-depth, compensating controls, and even elevated security monitoring are possible options.

    Info-Tech Insight

    Vulnerability management is not only patch management. Patching is only one aspect.

    Blueprint deliverables

    Each step of this blueprint is accompanied by supporting deliverables to help you accomplish your goals:

    Key deliverable:

    Vulnerability Management SOP

    The Standard operating procedure (SOP) will comprise the end-to-end description of the program: roles & responsibilities, data flow, and expected outcomes of the program.

    Sample of the key deliverable, Vulnerability Management SOP.
    Vulnerability Management Policy

    Template for your vulnerability management policy.

    Sample of the Vulnerability Management Policy blueprint.Vulnerability Tracking Tool

    This tool offers a template to track vulnerabilities and how they are remedied.

    Sample of the Vulnerability Tracking Tool blueprint.
    Vulnerability Scanning RFP Template

    Request for proposal template for the selection of a vulnerability scanning tool.

    Sample of the Vulnerability Scanning RFP Template blueprint.Vulnerability Risk Assessment Tool

    Methodology to assess vulnerability risk by determining impact and likelihood.

    Sample of the Vulnerability Risk Assessment Tool blueprint.

    Blueprint benefits

    IT Benefits

    • A standardized, consistent methodology to assess, prioritize, and remediate vulnerabilities.
    • A risk-based approach that aligns with what’s important to the business.
    • A way of dealing with the high volumes of vulnerabilities that your scanning tool is reporting.
    • Identification of “where to start” in terms of vulnerability management.
    • Ability to not lose yourself in the patch madness but rather take a sound approach to scheduling and prioritizing patches and updates.
    • Knowledge of what to do when patching is simply not possible or feasible.

    Business Benefits

    • Alignment with IT in ensuring that business processes are only interrupted when absolutely necessary while maintaining a regular cadence of vulnerability remediation.
    • A consistent program that the business can plan around and predict when interruptions will occur.
    • IT’s new approach being integrated with existing IT operations processes, offering the most efficient yet expedient method of dealing with vulnerabilities.

    Info-Tech’s process can save significant financial resources

    PhaseMeasured Value
    Phase 1: Identify vulnerability sources
      Define the process, scope, roles, vulnerability sources, and current state
      • Consultant at $100 an hour for 16 hours = $1,600
    Phase 2: Triage vulnerabilities and assign urgencies
      Establish triaging and vulnerability evaluation process
      • Consultant at $100 an hour for 16 hours = $1,600
      Determine high-level business criticality and data classifications
      • Consultant at $100 an hour for 40 hours = $4,000
      Assign urgencies to vulnerabilities
      • Consultant at $100 an hour for 8 hours = $800
    Phase 3: Remediate vulnerabilities
      Prepare documentation for the vulnerability process
      • Consultant at $100 an hour for 8 hours = $800
      Establish defense-in-depth modelling
      • Consultant at $100 an hour for 24 hours = $2,400
      Identify remediation options and establish criteria for use
      • Consultant at $100 an hour for 40 hours = $4,000
      Formalize backup and testing procedures, including exceptions
      • Consultant at $100 an hour for 8 hours = $800
      Remediate vulnerabilities and verify
      • Consultant at $100 an hour for 24 hours = $2,400
    Phase 4: Continually improve the vulnerability management process
      Establish a metrics program for vulnerability management
      • Consultant at $100 an hour for 16 hours = $1,600
      Update vulnerability management policy
      • Consultant at $100 an hour for 8 hours = $800
      Develop a vulnerability scanning tool RFP
      • Consultant at $100 an hour for 40 hours = $4,000
      Develop a penetration test RFP
      • Consultant at $100 an hour for 40 hours = $4,000
    Potential financial savings from using Info-Tech resourcesPhase 1 ($1,600) + Phase 2 ($6,400) + Phase 3 ($10,400) + Phase 4 ($10,400) = $28,800

    Guided Implementation

    A Guided Implementation (GI) is a series of calls with an Info-Tech analyst to help implement our best practices in your organization.

    A typical GI is between 8 to 12 calls over the course of 4 to 6 months.

    What does a typical GI on this topic look like?

    Phase 1

    Phase 2

    Phase 3

    Phase 4

    Call #1: Scope requirements, objectives, and your specific challenges.

    Call #2: Discuss current state and vulnerability sources.

    Call #3: Identify triage methods and business criticality.

    Call #4:Review current defense-in-depth and discuss risk assessment.

    Call #5: Discuss remediation options and scheduling.

    Call #6: Review release and change management and continuous improvement.

    Call #7: Identify metrics, KPIs, and CSFs.

    Call #8: Review vulnerability management policy.

    Workshop Overview

    Contact your account representative for more information.
    workshops@infotech.com 1-888-670-8889

    Day 1Day 2Day 3Day 4Day 5
    Activities
    Identify vulnerability sources

    1.1 What is vulnerability management?

    1.2 Define scope and roles

    1.3 Cloud considerations for vulnerability management

    1.4 Vulnerability detection

    Triage and prioritize

    2.1 Triage vulnerabilities

    2.2 Determine high-level business criticality

    2.3 Consider current security posture

    2.4 Risk assessment of vulnerabilities

    Remediate vulnerabilities

    3.1 Assess remediation options

    3.2 Schedule and execute remediation

    3.3 Drive continuous improvement

    Measure and formalize

    4.1 Metrics, KPIs & CSFs

    4.2 Vulnerability Management Policy

    4.3 Select & implement a scanning tool

    4.4 Penetration testing

    Next Steps and Wrap-Up (offsite)

    5.1 Complete in-progress deliverables from previous four days

    5.2 Set up review time for workshop deliverables and to discuss next steps

    Deliverables
    1. Scope and boundary definition of vulnerability management program
    2. Responsibility assignment for vulnerability identification and remediation
    3. Monitoring and review process of third-party vulnerability sources
    4. Incident management and vulnerability convergence
    1. Methodology for evaluating identified vulnerabilities
    2. Identification of high-level business criticality
    3. Defined high-level data classifications
    4. Documented defense-in-depth controls
    5. Risk assessment criteria for impact and likelihood
    1. Documented risk assessment methodology and remediation options
    1. Defined metrics, key performance indicators (KPIs), and critical success factors (CSFs)
    2. Initial draft of vulnerability management policy
    3. Scanning tool selection criteria
    4. Introduction to penetration testing
    1. Completed vulnerability management standard operating procedure
    2. Defined vulnerability management risk assessment criteria
    3. Vulnerability management policy draft

    Implement Risk-Based Vulnerability Management

    Phase 1

    Identify Vulnerability Sources

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Establish a common understanding of vulnerability management, define the roles, scope, and information sources of vulnerability detection.

    This phase involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Step 1.1

    Vulnerability Management Defined

    Activities

    None for this section

    This step will walk you through the following activities:

    Establish a common understanding of vulnerability management and its place in the IT organization.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Foundational knowledge of vulnerability management in your organization.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    What is vulnerability management?

    It’s more than just patching.

    • Vulnerability management is the regular and ongoing practice of scanning an operating environment to uncover vulnerabilities. These vulnerabilities can be outdated applications, unpatched operating systems and software, open ports, obsolete hardware, or any combination of these.
    • The scanning and detection of vulnerabilities is the first step. Planning and executing of remediation is next, along with the approach, prioritized sequence of events, and timing.
    • A vendor-supplied software patch or firmware update is often the easy answer, however, this is not always a viable solution. What if you can’t patch in a timely fashion? What if patching is not possible as it will break the application and bring down operations? What if no patch exists due to the age of the application or operating platform?

    “Most organizations do not have a formal process for vulnerability management.” (Morey Haber, VP of Technology, BeyondTrust, 2016)

    Effective vulnerability management

    It’s not easy, but it’s much harder without a process in place.
    • Effective vulnerability management requires a formal process for organizations to follow; without one, vulnerabilities are dealt with in an ad hoc fashion.
    • Patching isn’t the only solution, but it’s the one that often draws focus.
    • Responsibilities for the different aspects of vulnerability management are often unclear, such as for testing, remediation, and implementation.
    • Identifying new threats without proper vulnerability scanning tools can be a near-impossible task.
    • Determining which vulnerabilities are most urgent can be an inconsistent process, increasing the organizational risk.
    • Measuring the effectiveness of your vulnerability remediation activities can help you better manage resources in SecOps and ITOps. Your staff will be spending the appropriate effort on vulnerabilities that warrant that level of attention.

    You’re not just doing this for yourself. It’s also for your auditors.

    Many compliance and regulatory obligations require organizations to have thorough documentation of their vulnerability management practices.

    Vulnerability management revolves around your asset security services

    Diagram with 'Asset Security Services' at the center. On either side are 'Network Security Services' and 'Identity Security Services', all three of which flow up into 'Security Analytics | Security Incident Response', and all four share a symbiotic flow with 'Management' below and contribute to 'Mega Trend Mapping' above. Management is supported by 'Governance'.Vulnerabilities can be found primarily within your assets but also connect to your information risk management. These must be effectively managed as part of a holistic security program.

    Without management, vulnerabilities left unattended can be easy for attackers to exploit. It becomes difficult to identify the correct remediation option to mitigate against the vulnerabilities.

    Vulnerability management works in tandem with SecOps and ITOps

    Vulnerability Management Process Inputs/Outputs:
    'Vulnerability Management (Process and Tool)' outputs are 'Incident Management', 'Release Management', 'Change Management', 'IT Asset Management', 'Application Security Testing', 'Threat Intelligence', and 'Security Risk Management'; inputs are 'Vulnerability Disclosure', 'Threat Intelligence', and 'Security Risk Management'.

    Arrows denote direction of information feed

    Vulnerability management serves as the input into a number of processes for remediation, including:
    • Incident management, to deal with issues
    • Release management, for patch management
    • Change management, for change control
    • IT asset management, to track version information, e.g. for patching
    • Application security testing, for the verification of vulnerabilities

    A two-way data flow exists between vulnerability management and:

    • Security risk management, for the overall risk posture of the organization
    • Threat intelligence, as vulnerability management reveals only one of several threat vectors

    For additional information please refer to Info-Tech’s research for each area:

    • Vulnerability management can leverage your existing processes to gain an operational element for the program.
    • As you strive to mature each of the processes on their own, vulnerability management will benefit accordingly.
    • Review our research for each of these areas and speak to one of our analysts if you wish to improve any of the listed processes.

    Info-Tech’s Information Security Program Framework

    Vulnerability management is a component of the Infrastructure Security section of Security Management

    Information Security Framework with Level 1 and Level 2 capabilities in two main sections, 'Management' and 'Governance'. Level 2 capabilities are grouped within Level 1 capabilities.For more information, review our Build an Information Security Strategy blueprint, or speak to one of our analysts.

    Info-Tech Insight

    Vulnerability management is but one piece of the information security puzzle. Ensure that you have all the pieces!

    Case Study

    Logo for Cimpress.
    INDUSTRY: Manufacturing
    SOURCE: Cimpress, 2016

    One organization is seeing immediate benefits by formalizing its vulnerability management program.

    Challenge

    Cimpress was dealing with many challenges in regards to vulnerability management. Vulnerability scanning tools were used, but the reports that were generated often gave multiple vulnerabilities that were seen as critical or high and required many resources to help address them. Scanning was done primarily in an attempt to adhere to PCI compliance rather than to effectively enable security. After re-running some scans, Cimpress saw that some vulnerabilities had existed for an extended time period but were deemed acceptable.

    Solution

    The Director of Information Security realized that there was a need to greatly improve this current process. Guidelines and policies were formalized that communicated when scans should occur and what the expectations for remediations should be. Cimpress also built a tiered approach to prioritize vulnerabilities for remediation that is specific to Cimpress instead of relying on scanning tool reports.

    Results

    Cimpress found better management of the vulnerabilities within its system. There was no pushback to the adoption of the policies, and across the worldwide offices, business units have been proactively trying to understand if there are vulnerabilities. Vulnerability management has been expanded to vendors and is taken into consideration when doing any mergers and acquisitions. Cimpress continues to expand its program for vulnerability management to include application development and vulnerabilities within any existing legacy systems.

    Step 1.2

    Defining the scope and roles

    Activities
    • 1.2.1 Define the scope and boundary of your organization’s security program
    • 1.2.2 Assign responsibility for vulnerability identification and remediation

    This step will walk you through the following activities:

    Define and understand the scope and boundary of the security program. For example, does it include OT? Define roles and responsibilities for vulnerability identification and remediation

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand how far vulnerability management extends and what role each person in IT plays in the remediation of vulnerabilities

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Determine the scope of your security program

    This will help you adjust the depth and breadth of your vulnerability management program.
    • Determining the scope will help you decide how much organizational risk the vulnerability management program will oversee.
    • Scope can be defined along four aspects:
      • Data Scope – What data elements in your organization does your security program cover? How is data classified?
      • Physical Scope – What physical scope, such as geographies, does the security program cover?
      • Organizational Scope – How are business units engaged with security initiatives? Does the scope cover all subsidiary organizations?
      • IT Scope – What parts of the organization does IT cover? Does their coverage include operational technology (OT) and industrial control systems (ICS)?
    Stock image of figures standing in connected circles.

    1.2.1 Define the scope and boundary of your organization’s security program

    60 minutes

    Input: List of Data Scope, Physical Scope, Organization Scope, and IT Scope

    Output: Defined scope and boundaries of the IT security program

    Materials: Whiteboard/Flip Charts, Sticky Notes, Markers, Vulnerability Management SOP Template

    Participants: Business stakeholders, IT leaders, Security team members

    1. On a whiteboard, write the headers: Data Scope, Physical Scope, Organizational Scope, and IT Scope.
    2. Give each group member a handful of sticky notes. Ask them to write down as many items as possible for the organization that could fall under one of the four scope buckets.
    3. In a group, discuss the sticky notes and the rationale for including them. Discuss your security-related locations, data, people, and technologies, and define their scope and boundaries.

    The goal is to identify what your vulnerability management program is responsible for and document it.

    Consider the following:

    How is data being categorized and classified? How are business units engaged with security initiatives? How are IT systems connected to each other? How are physical locations functioning in terms of information security management?

    Download the Vulnerability Management SOP Template

    Assets are part of the scope definition

    An inventory of IT assets is necessary if there is to be effective vulnerability management.

    • Organizations need an up-to-date and comprehensive asset inventory for vulnerability management. This is due to multiple reasons:
      • When vulnerabilities are announced, they will need to be compared to an inventory to determine if the organization has any relevant systems or versions.
      • It indicates where all IT assets can be found both physically and logically.
      • Asset inventories typically have owners assigned to the assets and systems whose responsibility it is to carry out remediations for vulnerabilities.
    • Furthermore, asset inventories can provide insight into where data can be found within the organization. This is extremely useful within a formal data classification program, which plays a large factor in vulnerability management.
    If you need assistance building your asset inventory, review Info-Tech’s Implement Hardware Asset Management and Implement Software Asset Management blueprints.

    Info-Tech Insight

    Create a formal IT asset inventory before continuing with the rest of this project. Otherwise, you risk being at the mercy of a weak vulnerability management program.

    Assign responsibility for vulnerability identification and remediation

    Determine who is critical to effectively detecting and managing vulnerabilities.
    • Some of the remediation steps will involve members of IT management to identify the true organizational risk of a vulnerability.
    • Vulnerability remediation comes in different shapes and sizes. In addition to patching, this can include implementing compensating controls, server and application hardening, or the segregating of vulnerable systems.
      • Who carries out each of these activities? Who coordinates the activities and tracks them to ensure completion?
    • The people involved may be members outside of the security team, such as members from IT operations, infrastructure, and applications. The specific roles that each of these groups play should be clearly identified.
    Stock image of many connected profile photos in a cloud network.

    1.2.2 Assign responsibility for vulnerability identification and remediation

    60 minutes

    Input: Sample list of vulnerabilities and requisite actions from each group, High-level organizational chart with area functions

    Output: Defined set of roles and responsibilities for member groups

    Materials: Vulnerability Management SOP Template

    Participants: CIO, CISO, IT Management representatives for each area of IT

    1. Display the table of responsibilities that need to be assigned.
    2. List all the positions within the IT security team.
    3. Map these to the positions that require IT security team members.
    4. List all positions that are part of the IT team.
    5. Map these to the positions that require IT team members.

    If your organization does not have a dedicated IT security team, you can perform this exercise by mapping the relevant IT staff to the different positions shown on the right.

    Download the Vulnerability Management SOP TemplateSample of the Roles and Responsibilities table from the Vulnerability Management SOP Template.

    Step 1.3

    Cloud considerations for vulnerability management

    Activities

    None for this section.

    This step will walk you through the following activities:

    Review cloud considerations for vulnerability management

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Understand the various types of cloud offerings and the implications (and limitations) of vulnerability management in a cloud environment.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Cloud considerations

    Cloud will change your approach to vulnerability management.
    • There will be a heavy dependence on the cloud service provider to ensure that vulnerabilities in their foundational technologies have been addressed.
    • Depending on the level of “as-a-Service,” customers will have varying degrees of control and visibility into the underlying operations.
    • With vendor acquiescence, you can set your tool to scan a given cloud environment, depending on how much visibility you have into their environment based on the service you have purchased.
    • Due to compliance obligations of their customers, there is a growing trend among cloud providers to allow more scanning of cloud environments.
    • In the absence of customer scanning capability, vendors may offer attestation of vulnerability management and remediation.
    Table outlining who has control, between the 'Organization' and the 'Vendor', of different cloud capabilities in different cloud strategies.

    For more information, see Info-Tech Research Group’s Document Your Cloud Strategy blueprint.

    Cloud environment scanning

    Cloud scanning is becoming a more common necessity but still requires special consideration.

    An organization’s cloud environment is just an extension of its own environment. As such, cloud environments need to be scanned for vulnerabilities.

    Private Cloud
    If your organization owns a private cloud, these environments can be tested normally.
    Public Cloud
    Performing vulnerability testing against public, third-party cloud environments is an area experiencing rapid growth and general acceptance, although customer visibility will still be limited.

    In many cases, a customer must rely on the vendor’s assurance that vulnerabilities are being addressed in a sufficient manner.

    Security standards’ compliance requirements are driving the need for cloud suppliers to validate and assure that they are appropriately scanning for and remediating vulnerabilities.

    Infrastructure- or Platform-as-a-Service (IaaS or PaaS) Environments
    • There is a general trend for PaaS and IaaS vendors to allow testing if given due notice.
    • Your contract with the cloud vendor or the vendor’s terms and conditions will outline the permissibility of customer vulnerability scanning. In some cases, a cloud vendor will deny the ability to do vulnerability scanning if they already provide a solution as part of their service.
    • Always ensure that the vendor is aware of your vulnerability scanning activity so that false positives aren’t triggering their security measures as possible denial-of-service (DoS) attacks.
    Software-as-a-Service (SaaS) Environments
    • SaaS offers very limited visibility to the services behind the software that the customer sees. You therefore cannot test for patch levels or vulnerabilities.
    • SaaS customers must rely exclusively on the provider for the regular scanning and remediation of vulnerabilities in the back-end technologies supporting the SaaS application.
    • You can only test the connection points to SaaS environments. This involves trying to figure out what you can see, e.g. looking for encrypted traffic.

    Certain testing (e.g. DoS or load testing) will be very limited by your cloud vendor. Cloud vendors won’t open themselves to testing that would possibly impact their operations.

    Step 1.4

    Vulnerability detection

    Activities
    • 1.4.1 Develop a monitoring and review process of third-party vulnerability sources
    • 1.4.2 Incident management and vulnerability management

    This step will walk you through the following activities:

    Create an inventory of your vulnerability monitoring capability and third-party vulnerability information sources.

    Determine how incident management and vulnerability management interoperate.

    This step involves the following participants:

    • Security operations team
    • IT Security Manager
    • IT Director
    • CISO

    Outcomes of this step

    Catalog of vulnerability information data sources. Understanding of the intersection of incident management and vulnerability management.

    Identify vulnerability sources
    Step 1.1Step 1.2Step 1.3Step 1.4

    Vulnerability detection

    Vulnerabilities can be identified through numerous mediums.

    Info-Tech has determined the following to be the four most common ways to identify vulnerabilities.

    Vulnerability Assessment and Scanning Tools
    • Computer programs that function to identify and assess security vulnerabilities and weaknesses within computers, computer systems, applications, or networks.
    • Using a known vulnerability database, the tool scans targeted hosts or systems to identify flaws and generate reports and recommendations based on the results.
    • There are four main types of tools under this category: network and operating system vulnerability scanners, application scanning and testing tools, web application scanners, and exploitation tools.
    Penetration Tests
    • The act of identifying vulnerabilities on computers, computer systems, applications, or networks followed by testing of the vulnerability to validate the findings.
    • Penetration tests are considered a service that is offered by third-parties in which a variety of products, tools, and methods are used to exploit systems and gain access to data.
    Open Source Monitoring
    • New vulnerabilities are detected daily with each vulnerability’s information being uploaded to an information-sharing platform to enable other organizations to be able to identify the same vulnerability on their systems.
    • Open source platforms are used to alert and distribute information on newly discovered vulnerabilities to security professionals.
    Security Incidents
    • Any time an incident response plan is called into action to mitigate an incident, there should be formal communication with the vulnerability management team.
    • Any IT incident an organization experiences should provide a feed for analysis into your vulnerability management program.

    Automate with a vulnerability scanning tool

    Vulnerabilities are too numerous for manual scanning and detection.
    • Vulnerability management is not only the awareness of the existence of vulnerabilities but that they are actively present in your environment.
    • A vulnerability scanner will usually report dozens, if not hundreds, of vulnerabilities on a regular and recurring basis. Typical IT environments have several dozen, if not hundreds, of servers. We haven’t even considered the amount of network equipment or the hundreds of user workstations in an environment.
    • This tool will give you information of the presence of a vulnerability in your environment and the host on which the vulnerability exists. This includes information on the version of software that contains a vulnerability and whether you are running that version. The tool will also report on the criticality of the vulnerability based on industry criticality ratings.
    • The tools are continually updated by the vendor with the latest definition updates for the latest vulnerabilities out there. This ensures you are always scanning for the greatest number of potential vulnerabilities.
    Automation requires oversight.
    1. Vulnerability scanners bring great automation to the task of scanning and detecting vulnerabilities in high numbers.
    2. Vulnerability scanners, however, do not have your level of intelligence. Any compensating controls, network segregation, or other risk mitigation features that you have in place will not be known by the tool.
    3. Determining the risk and urgency of a vulnerability within the context of your specific environment will still require internal review by you or your SecOps team.

    For guidance on tool selection

    Refer to section 4.3 Selecting and Implement a Scanning Tool in this blueprint.

    Vulnerability scanning tool considerations

    Select a vulnerability scanning tool with the features you need to be effective.
    • Vulnerability scanning tool selection can be an exciting and confusing process. You will need to consider what features you desire in a tool and whether you want the tool to go beyond just scanning and reporting.
    • In addition to vulnerability scanning, some tools will integrate with your IT service management (service desk ticketing system) tool and asset, configuration, and change management modules. This can facilitate the necessary workflow that the remediation process follows once a vulnerability is discovered.
    • A number of vulnerability scanning tool vendors have started offering remediation as part of their software features. This includes the automation and orchestration functionality and configuration and asset management to track its remediation activities.
    • A side benefit of the asset discovery feature in vulnerability scanning tools is that it can help enhance an organization’s asset inventory and license compliance, particularly in cases where end users are able to install software on their workstations.
    Stock photo of a smartphone scanning a barcode.

    For guidance on tool vendors

    Visit SoftwareReviews for information on vulnerability management tools and vendors.

    Vulnerability scanning tool best practices

    How often should scans be performed?

    One-off scans provide snapshots in time. Repeated scans over time provide tracking for how systems are changing and how well patches are being applied and software is being updated.

    The results of a scan (asset inventory, configuration data, and vulnerability data) are basic information needed to understand your security posture. This data needs to be as up to date as possible.

    ANALYST PERSPECTIVE: Organizations should look for continuous scanning

    Continuous scanning is the concept of providing continual scanning of your systems so any asset, configuration, or vulnerability information is up to date. Most vendors will advertise continuous scanning but you need to be skeptical of how this feature is met.

    Continuous Scanning Methods

    Continuous agent scanning

    Real-time scanning that is completed through agent-based scanning. Provides real-time understanding of system changes.

    On-demand scanning

    Cyclical scanning is the method where once you’re done scanning an area, you start it again. This is usually done because doing some scans on some areas of your network take time. How long the scan takes depends on the scan itself. How often you perform a scan depends on how long a scan takes. For example, if a scan takes a day, you perform a daily scan.

    Cloud-based scanning

    Cloud-scanning-as-a-Service can provide hands-free continuous monitoring of your systems. This is usually priced as a subscription model.

    Vulnerability scanning tool best practices

    Where to perform a scan.

    What should be scannedHow to point a scanner
    The general idea is that you want to scan pretty much everything. Here are considerations for three environments:
    Mobile Devices

    You need to scan mobile devices for vulnerabilities, but the problem is these can be hard to scan and often come and go on your network. There are always going to be some devices that aren’t on the network when scanning occurs.

    Several ways to scan mobile devices:

    • Intercept the device when it remotes into your network using a VPN. You catch the device with a remote scan. This can only be done if a VPN is required.
    • An agent-based approach can be used for mobile devices. Locally installed software gives the information needed to evaluate the security posture of a device. Discernibly, concerns around device processing, memory, and network bandwidth come into play. Ease of installation becomes key for agents.
    Virtualization
    • In a virtual environment, you will have servers being dynamically spun up. Ensure your tool is able to scan these new servers automatically.
    • Often, vulnerability scanning tool providers will restrict scanning to preapproved scanners. Look for tools that are preapproved by the VM vendors.
    Cloud Environments
    • You can set your tool to scan a given cloud environment. The main concern here is who owns the cloud. If it is a private cloud, there is little concern.
    • If it is a third-party cloud (AWS, Azure, etc.) you need to confirm with the cloud service provider that scanning of your cloud environment can occur.
    • There is a trend to allow more scanning of cloud environments.
    • You need to tell the scanner an IP address, a group of IP addresses, an asset group, or a combination of those.
    • You can categorize by functional classifications – internet-facing servers, workstations, network devices, etc., or by organizational structure – Finance, HR, Legal, etc.
    • If you have a strong change management system, you can better hone when and where to perform a scan based on actual changes.
    • You can set the number of concurrent outbound TCP connections that are being made. For example, set the tool so it sends out to 10 ports at a time, rather than pinging at 64k ports on a machine, which would flood the NIC.
    • Side Note: Flooding a host with pings from a scanning tool can be done to find out DoS thresholds on a machine. There are no bandwidth concerns for a network DoS, however, because the packets are so small.

    Vulnerability scanning tool best practices

    Communication and measurement

    Pre-Scan Communication With Users

    • It is always important to inform owners and users of systems that a scan will be happening.
    • Although it is unlikely any performance issues will arise, it is important to notify end users of potential impact.
    • Local admins or system owners may have controls in place that stop vulnerability scans and you need to inform the owners so that they can safelist the scanner you will be using.
    Vulnerability Scanning Tool Tracking Metrics
    • Vulnerability score by operating system, application, or organization division.
      • This provides a look at the widely accepted severity of the vulnerability as it relates across the organization’s systems.
    • Most vulnerable applications and application version.
      • This provides insight into how outdated applications are creating risk exposure for an organization.
      • This will also provide metrics on the effectiveness of your patching program.
    • Number of assets scanned within the last number of days.
      • This provides visibility into how often your assets are being scanned and thus protected.
    • Number of unowned devices or unapproved applications.
      • This metric will track how many unowned devices or unapproved applications may be on your network. Unowned devices may be rogue devices or just consultant/contractor devices.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Proactively identify new vulnerabilities as they are announced.

    By monitoring for vulnerabilities as they are announced through industry alerts and open-source mechanisms, it is possible to identify vulnerabilities beyond your scanning tool’s penetration tests.

    Common sources:
    • Vendor websites and mailing lists
      • Vendors are the trusted sources for vulnerability and patch information on their products, particularly with new industry vulnerability disclosure requirements. Vendors are the most familiar with their products, downloads are most likely malware free, and additional information is often included.
      • There are some issues: vendors won’t announce a vulnerability until a patch is created, which creates a potential unknown risk exposure; numerous vendor sites will have to be monitored continually.
    • Third-party websites
      • A non-vendor site providing information on vulnerabilities. They often will cover a specific technology or an industry section, becoming a potential “one-stop shop” for some. They will often provide vulnerability information that is augmented with different remediation recommendations faster than vendors.
      • However, it’s more likely that malicious code could be downloaded and it will often not be comprehensive information on patching.
    • Third-party mailing lists, newsgroups, live paid subscriptions, and live open-source feeds
      • These are alerting and notification services for the detection and dissemination of vulnerability information. They provide information on the latest and most critical vulnerabilities, e.g. US-CERT Cybersecurity Alerts.
    • Vulnerability databases
      • These usually consist of dedicated databases on vulnerabilities. They perform the hard work of identifying and aggregating vulnerability and patch information into a central repository for end-user consumption. The commentary features on these databases provide excellent insight for practitioners, e.g. National Vulnerability Database (NVD).
    Stock photo of a student checking a bulletin board.

    Third-party vulnerability information sources

    IT security forums and mailing lists are another source of vulnerability information.

    Third-party sources for vulnerabilities

    • Open Source Vulnerability Database (OSVDB)
      • An open-source database that is run independently of any vendors.
    • Common Vulnerabilities and Exposures (CVE)
      • Free, international dictionary of publicly known information security vulnerabilities and exposures.
    • National Vulnerability Database (NVD)
      • Through NIST, the NVD is the US government’s repository of vulnerabilities and includes product names, flaws, and any impact metrics.
      • The National Checklist Repository Program (NCRP), also provided by NIST, provides security checklists for configurations of operating systems and applications.
      • The Center for Internet Security, a separate entity unrelated to NIST, provides configuration benchmarks that are often referenced by the NCRP.
    • Open Web Application Security Project (OWASP)
      • OWASP is another free project helping to expose vulnerabilities within software.
    • US-CERT National Cyber Alert System (US-CERT Alerts)
      • Cybersecurity Alerts – Provide timely information about current security issues, vulnerabilities, and exploits.
      • Cybersecurity Tips – Provide advice about common security issues for the general public.
      • Cybersecurity Bulletins – Provide weekly summaries of new vulnerabilities. Patch information is provided when available.
    • US-CERT Vulnerability Notes Database (US-CERT Vulnerability Notes)
      • Database of searchable security vulnerabilities that were deemed not critical enough to be covered under US-CERT Alerts. Note that the NVD covers both US-CERT Alerts and US-CERT Notes.
    • Open Vulnerability Assessment Language (OVAL)
      • Coding language for security professionals to discuss vulnerability checking and configuration issues. Vulnerabilities are identified using tests that are disseminated in OVAL definitions (XML executables that can be used by end users).

    1.4.1 Develop a monitoring and review process for third-party vulnerability sources

    60 minutes

    Input: Third-party resources list

    Output: Process for review of third-party vulnerability sources

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, CISO

    1. Identify what third-party resources are useful and relevant.
    2. Shortlist your third-party sources.
    3. Identify what is the best way to receive information from a third party.
    4. Document the method to receive or check information from the third-party source.
    5. Identify who is responsible for maintaining third-party vulnerability information sources
    6. Capture this information in the Vulnerability Management SOP Template.
    Download the Vulnerability Management SOP TemplateSample of the Third Party Vulnerability Monitoring tables from the Vulnerability Management SOP Template.

    Incidents and vulnerability management

    Incidents can also be a sources of vulnerabilities.

    When any incident occurs, for example:

    • A security incident, such as malware detected on a machine
    • An IT incident, such as an application becomes unresponsive
    • A crisis occurs, like a worker accident

    There can be underlying vulnerabilities that need to be processed.

    Three Types of IT Incidents exist:
    1. Information Security Incident
    2. IT Incident and/or Problem
    3. Crisis

    Note: You need to have developed your various incident response plans to develop information feeds to the vulnerability mitigation process.
    If you are missing an incident response plan, take a look at Info-Tech’s Related Resources.

    Info-Tech Related Resources:
    If you do not have a formalized information security incident management program, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have a formalized problem management process, take a look at Info-Tech’s blueprint Incident and Problem Management.

    If you do not have a formalized IT incident management process, take a look at Info-Tech’s blueprint Develop and Implement a Security Incident Management Program.

    If you do not have formalized crisis management, take a look at Info-Tech’s blueprint Implement Crisis Management Best Practices.

    1.4.2 Incident management and vulnerability management

    60 minutes

    Input: Existing incident response processes, Existing crisis communications plans

    Output: Alignment of vulnerability management program with existing incident management processes

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    1. Inventory what incident response plans the organization has. These include:
      1. Information Security Incident Response Plan
      2. IT Incident Plan
      3. Problem Management Plan
      4. Crisis Management Plan
    2. Identify what part of those plans contains the post-response recap or final analysis.
    3. Formalize a communication process between the incident response plan and the vulnerability mitigation process.

    Note: Most incident processes will cover some sort of root cause analysis and investigation of the incident. If a vulnerability of any kind is detected within this analysis it needs to be reported on and treated as a detected vulnerability, thus warranting the full vulnerability mitigation process.

    Download the Vulnerability Management SOP Template

    Implement Risk-Based Vulnerability Management

    Phase 2

    Triage & prioritize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    Examine the elements that you will use to triage and analyze vulnerabilities, prioritizing using a risk-based approach, and prepare for remediation options.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Step 2.1

    Triage vulnerabilities

    Activities
    • 2.1.1 Evaluate your identified vulnerabilities

    This step will walk you through the following activities:

    Review your vulnerability information sources and determine a methodology that will be used to consistently evaluate vulnerabilities as your scanning tool alerts you to them.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    A consistent, documented process for the evaluation of vulnerabilities in your environment.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Triaging vulnerabilities

    Use Info-Tech’s methodology to allocate urgencies to your vulnerabilities to assign the appropriate resources to each one.

    When evaluating numerous vulnerabilities, use the following three factors to help determine the urgency of vulnerabilities:

    • The intrinsic qualities of the vulnerability
    • The business criticality of the affected asset
    • The sensitivity of the data stored on the affected asset

    Intrinsic qualities of the vulnerability — Vulnerabilities need to be examined for the inherent risk they pose specifically to the organization, which includes if an exploit has been identified or if the industry views this as a serious and likely threat.

    Business criticality of the affected asset — Assets with vulnerabilities need to be assessed for their criticality to the business. Vulnerabilities on systems that are critical to business operations or customer interactions are usually top of mind.

    Sensitivity of the data of the affected asset — Beyond just the criticality of the business, there must be consideration of the sensitivity of the data that may be compromised or modified as a result of any vulnerabilities.

    Info-Tech Insight

    This methodology allows you to determine urgency of vulnerabilities, but your remediation approach needs to be risk-based, within the context of your organization.

    Triage your vulnerabilities, filter out the noise

    Triaging enables your vulnerability management program to focus on what it should focus on.

    Use the Info-Tech Vulnerability Mitigation Process Template to define how to triage vulnerabilities as they first appear.

    Triaging is an important step in vulnerability management, whether you are facing ten to tens of thousands of vulnerability notifications.
    Many scanning tools already provide the capability to compare known vulnerabilities against existing assets through integration with the asset inventory.

    There are two major use cases for this process:
    1. For organizations that have identified vulnerabilities but do not know their own systems well enough. This can be due to a lack of a formal asset inventory.
    2. For proactive organizations that are regularly staying up to date with industry announcements regarding vulnerabilities. Once an alert has been made publicly, this process can assist in confirming if the vulnerability is relevant to the organization.
    The Info-Tech methodology for initial triaging of vulnerabilities:
    Flowchart of the Info-Tech methodology for initial triaging of vulnerabilities, beginning with 'Vulnerability has been identified' and ending with either 'Vulnerability has been triaged' or 'No action needed'.

    Even if neither of these use cases apply to your organization, triaging still addresses the issues of false positives. Triaging provides a quick way to determine if vulnerabilities are relevant.

    After eliminating the noise, evaluate your vulnerabilities to determine urgency

    Consider the intrinsic risk to the organization.

    Is there an associated, verified exploit?
    • For a vulnerability to become a true threat to the organization, it must be exploited to cause damage. In today’s threat landscape, exploit kits are sold online that allow individuals with low technical knowledge to exploit a vulnerability.
    • Not all vulnerabilities have an associated exploit, but this does not mean that these vulnerabilities can be left alone. In many cases, it is just a matter of time before an exploit is created.
    • Another point to consider is that while exploits can exist theoretically, they may not be verified. Vulnerabilities always pose some level of risk, but if there are no known verified exploits, there is less risk attached.
    Is there a CVSS base score of 7.0 or higher?
    • Common Vulnerability Scoring System (CVSS) is an open-source industry scoring method to assess the potential severity of vulnerabilities.
    • CVSS takes into account: attack vector, complexity, privileges required, user interaction, scope, confidentiality impact, integrity impact, and availability impact.
    • Vulnerabilities that have a score of 4.0 or lower are classified as low vulnerabilities, while scores between 4.0 and 6.9 are put in the medium category. Scores of 7 or higher are in the high and critical categories. As we will review in the Risk Assessment section, you will want to immediately deal with high and critical vulnerabilities.
    Is there potential for significant lateral movement?
    • Even though a vulnerability may appear to be part of an inconsequential asset, it is important to consider whether it can be leveraged to gain access to other areas of the network or system by an attacker.
    • Another consideration should be whether the vulnerability can be exploited by remote or local access. Remote exploits pose a greater risk as this can mean that attackers can perform an exploit from any location. Local exploits carry less risk, although the risk of insider threats should be considered here as well.

    2.1.1 Evaluate your identified vulnerabilities

    60 minutes

    Input: Visio workflow of Info-Tech’s vulnerability management process

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, SecOps team members, ITOps team members, including tiers 1, 2, and 3, CISO, CIO

    Using the criteria from the previous slide, Info-Tech has created a methodology to evaluate your vulnerabilities by examining their intrinsic qualities.

    The methodology categorizes the vulnerabilities into high, medium, and low risk importance categorizations, before assigning final urgency scores in the later steps.

    1. Review the evaluation process in the Vulnerability Management Workflow library.
    2. Determine if this process makes sense for the organization; otherwise, change the flow to include any other considerations of process flows.
    3. As this process is used to evaluate vulnerabilities, document vulnerabilities to an importance category. This can be done in the Vulnerability Tracking Tool or using a similar internal vulnerability tracking document, if one exists.

    Download the Vulnerability Management SOP Template

    Step 2.2

    Determine high-level business criticality

    Activities
    • 2.2.1 Determine high-level business criticality
    • 2.2.2 Determine your high-level data classifications

    This step will walk you through the following activities:

    Determining high-level business criticality and data classifications will help ensure that IT security is aligned with what is critical to the business. This will be very important when decisions are made around vulnerability risk and the urgency of remediation action.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    Understanding and consistency in how business criticality and business data is assessed by IT in the vulnerability management process.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Understanding business criticality is key to determining vulnerability urgency

    Prioritize operations that are truly critical to the operation of the business, and understand how they would be impacted by an exploited vulnerability.

    Use the questions below to help assess which operations are critical for the business to continue functioning.

    For example, email is often thought of as a business-critical operation when this is not always the case. It is important to the business, but as regular operations can continue for some time without it, it would not be considered extremely business critical.

    Questions to askDescription
    Is there a hard-dollar impact from downtime?This refers to when revenue or profits are directly impacted by a business disruption. For example, when an online ordering system is compromised and shut down, it impacts sales, and therefore, revenue.
    Is there an impact on goodwill/ customer trust?If downtime means delays in service delivery or otherwise impacts goodwill, there is an intangible impact on revenue that may make the associated systems mission critical.
    Is regulatory compliance a factor?Depending on the circumstances of the vulnerabilities, it can be a violation of regulatory compliance and would cause significant fines.
    Is there a health or safety risk?Some operations are critical to health and safety. For example, medical organizations have operations that are necessary to ensure that individuals’ health and safety are maintained. An exploited vulnerability that prevents these operations can directly impact the lives of these individuals.
    Don’t start from scratch – your disaster recovery plan (DRP) may have a business impact analysis (BIA) that can provide insight into which applications and operations are considered business critical.

    Analyst Perspective

    When assessing the criticality of business operations, most core business applications may be deemed business critical over the long term.

    Consider instead what the impact is over the first 24 or 48 hours of downtime.

    2.2.1 Determine high-level business criticality

    120 minutes; less time if a Disaster recovery plan business impact analysis exists

    Input: List of business operations, Insight into business operations impacts to the business

    Output: List of business operations and their criticality and impact to the business

    Materials: Vulnerability Management SOP Template

    Participants: Participants from the business, IT Security Manager, CISO, CIO

    1. List your core business operations at a high level.
    2. Use a High, Medium, or Low ranking to prioritize the business operations based on mission-critical criteria and the impact of the vulnerability.
    3. When using the process flow, consider if the vulnerability directly affects any of these business operations and move through the process flow based on the corresponding High, Medium, or Low ranking.
    Example prioritization of business operations for a manufacturing company:Questions to ask:
    1. Is there a hard-dollar impact from downtime?
    2. Is there impact on goodwill or customer trust?
    3. Is regulatory compliance a factor?
    4. Is there a health or safety risk?

    Download the Vulnerability Management SOP Template

    Determine vulnerability urgency by its data classification

    Consider how to classify your data based on if the Confidentiality, Integrity, or Availability (CIA) is compromised.

    To properly classify your data, consider how the confidentiality, integrity, and availability of that data would be affected if it were to be exploited by a vulnerability. Review the table below for an explanation for each objective.
    Confidentiality

    Preserving authorized restrictions on information access and disclosure, including means for protecting personal privacy and proprietary information.

    Integrity

    Guarding against improper information modification or destruction, and ensuring information non-repudiation and authenticity.

    Availability

    Ensuring timely and reliable access to and use of information.

    Each piece of data should be ranked as High, medium, or low across confidentiality, integrity, and availability based on adverse effect.Arrow pointing right.Low — Limited adverse effect

    Moderate — Serious adverse effect

    High — Severe or catastrophic adverse effect

    If you wish to build a whole data classification methodology, refer to our Discover and Classify Your Data blueprint.

    How to determine data classification when CIA differs:

    The overall ranking of the data will be impacted by the highest objective’s ranking.

    For example, if confidentiality and availability are low, but integrity is high, the overall impact is high.

    This process was developed in part by Federal Information Processing Standards Publication 199.

    2.2.2 Determine your high-level data classifications

    120 minutes, less time if data classification already exists

    Input: Knowledge of data use and sensitivity

    Output: Adjusted workflow to reflect your current processes, Vulnerability Tracking Tool

    Materials: Whiteboard, Whiteboard markers, Vulnerability Management SOP Template

    Participants: IT Security Manager, CISO, CIO

    If your organization has formal data classification in place, it should be leveraged to determine the high, medium, and low rankings necessary for the process flows. However, if there is no formal data classification in place, the process below can be followed:

    1. List common assets or applications that are prone to vulnerabilities.
    2. Consider the data that is on these devices and provide a high (severe or catastrophic adverse effect), medium (serious adverse effect), or low (limited adverse effect) ranking based on confidentiality, availability, and integrity.
      1. Use the table on the previous slide to assist in providing the ranking.
      2. Remember that it is the highest ranking that dictates the overall ranking of the data.
    3. Document which data belongs in each of the categories to provide contextual evidence.

    Download the Vulnerability Management SOP Template

    This process should be part of your larger data classification program. If you need assistance in building this out, review the Info-Tech research, Discover and Classify Your Data.

    Step 2.3

    Consider current security posture

    Activities
    • 2.3.1 Document your defense-in-depth controls

    This step will walk you through the following activities:

    Your defense-in-depth controls are the existing layers of security technology that protects your environment. These are relevant when considering the urgency and risk of vulnerabilities in your environment, as they will mitigate some of the risk.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Understanding and documentation of your current defense-in-depth controls.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Review your current security posture

    What you have today matters.
    • In most cases, your vulnerability scanning tool alone will not have the context of your security posture in the results of its scans. This can skew the true urgency of detected vulnerabilities in your environment.
    • What you have in place today is what comprises your organization’s overall security posture. This bears high relevance to the determination of the risk that a vulnerability poses to your environment.
    • Elements such as enterprise architecture and defense in depth mechanisms should be factored into determining the risk of a vulnerability and what kind of immediacy is warranted to address it.
    • Details of your current security posture will also contribute to the assessment and selection of remediation options.
    Stock image of toy soldiers split into two colours, facing eachother down.

    Enterprise architecture considerations

    What does your network look like?
    • Most organizations have a network topology that has been put in place with operational needs in mind. These includes specific vLANs or subnets, broadcast domains, or other methods of traffic segregation.
    • The firewall and network ACLs (access control lists) will manage traffic and the routes that data packets follow to traverse a network.
    • Organizations may physically separate data network types, for example, a network for IT services and one for operational technology (OT)(OT is often known as ICS (industrial control systems) or SCADA (supervisory control and data acquisition)) or other types of production technology.
    • The deployment of distribution and access switches across an enterprise can also be a factor, where a flatter network will have fewer network devices within the topology.
    • In a directory services environment such as Windows Active Directory, servers and applications can be segregated by domains and trust relationships, organizational units, and security groups.
    What’s the relevance to vulnerability management?

    For a vulnerability to be exploited, a malicious actor must find a way to access the vulnerable system to make use of the vulnerability in question.

    Any enterprise architecture characteristics that you have in place may lessen the probability of a successful vulnerability exploit.

    This may potentially “buy time” for SecOps to address and remediate the vulnerability.

    Defense-in-depth

    Defense-in-depth provides extra layers of protection to the organization.

    • Defense-in-depth refers to the coordination of security controls to add layers of security to the organization.
      • This means that even if attackers are able to get past one control or layer, they are hindered by additional security.
    • Defense-in-depth is distinct from the previous section on enterprise architecture as these are security controls put in place with the purpose of being lines of defense within your security posture.
    • This can be extremely useful in managing vulnerabilities; thus, it is important to establish the existing defense-in-depth controls. By establishing the base model for your defense-in-depth, it will allow you to leverage these controls to manage vulnerabilities.
    • Controls are typically distributed across endpoints, network infrastructure, servers, and physical security.

    Note: Defense-in-depth controls do not entirely mitigate vulnerability risk. They provide a way in which the vulnerability cannot be exploited, but it continues to exist on the application. This must be kept in mind as the controls or applications themselves change, as it can re-open the vulnerability and cause potential problems.

    Examples of defense-in-depth controls can consist of any of the following:
    • Antivirus software
    • Authentication security
    • Multi-factor authentication
    • Firewalls
    • Demilitarized zones (DMZ)
    • Sandboxing
    • Network zoning
    • Application whitelisting
    • Access control lists
    • Intrusion detection & prevention systems
    • Airgapping
    • User security awareness training

    2.3.1 Document your defense-in-depth controls

    2 hours, less time if a security services catalog exists

    Input: List of technologies within your environment, List of IT security controls that are in place

    Output: List of defense-in-depth controls

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, Infrastructure Manager, IT Director, CISO

    1. Document the existing defense-in-depth controls within your system.
    2. Review the initial list that has been provided and see if these are controls that currently exist.
    3. Indicate any other controls that are being used by the organization. This may already exist if you have a security services catalog.
    4. Indicate who the owners of the different controls are.
    5. Track the information in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Sample table of security controls within a Defense-in-depth model with column headers 'Defense-in-depth control', 'Description', 'Workflow', and 'Control Owner'.

    Step 2.4

    Risk assessment of vulnerabilities

    Activities
    • 2.4.1 Build a classification scheme to consistently assess impact
    • 2.4.2 Build a classification scheme to consistently assess likelihood

    This step will walk you through the following activities:

    Assessing risk will be the cornerstone of how you evaluate vulnerabilities and what priority you place on remediation. This is actual risk to the organization and not simply what the tool reports without the context of your defense-in-depth controls.

    This step involves the following participants:

    • IT Security Manager
    • IT Operations Management
    • CISO
    • CIO

    Outcomes of this step

    A risk matrix tailored to your organization, based on impact and likelihood. This will provide a consistent, unambiguous way to assess risk across the vulnerability types that is reported by your scanning tool.

    Triage & prioritize
    Step 2.1Step 2.2Step 2.3Step 2.4

    Vulnerabilities and risk

    Vulnerabilities must be addressed to mitigate risk to the business.
    • Vulnerabilities are a concern because they are potential threats to the business. Vulnerabilities that are not addressed can turn from potential threats into actual threats; it is only a matter of time and opportunity.
    • Your organization will already be familiar with risk management, as every decision carries a business risk component. There may even be a senior manager assigned as corporate risk officer to manage organizational risk.
    • The organization likely has a risk tolerance level that defines the organization’s risk appetite. This may be measured in dollars, non-productivity time, or other units of inefficiency.
    • The risk of a vulnerability can be calculated using impact and likelihood. Impact is the effect that the vulnerability will have if it is exploited by a malicious actor. Likelihood is the degree to which a vulnerability exploit can possibly occur.
    Stock image of a cartoon character in a tie hanging on the needle of a 'RISK' meter as it sits at 'LOW'.

    Info-Tech Insight

    Risk to the organization is business language that everyone can understand. This is particularly true when the risk is to productivity or to the company’s bottom line.

    A risk-based approach to vulnerability management

    CVSS scores are just the starting point!

    Vulnerabilities are constant.
    • There will always be vulnerabilities in the environment, many of which won’t be reported as they are currently unknown.
    • Don’t focus on trying to resolve all vulnerabilities in your environment. You are neither resourced for it nor can the business tolerate the downtime needed to remediate every single vulnerability.
      • The constant follow of new vulnerabilities will quickly render your efforts useless and it will become a game of “whack-a-mole.”
    • Being able to prioritize which vulnerabilities require appropriate levels of response is crucial to ensuring that an organization stays ahead of the continual flow.
    • Your vulnerability scanning tool will report the severity of a vulnerability, often using an industry Common Vulnerability Scoring System (CVSS) system ranging from 0 to 10. It will then scan your environment for the presence of the vulnerability and report accordingly.
      • Your vulnerability scanning tool will not be aware of any mitigation components in your environment, such as compensating controls, network segregation, server/application hardening, or any other measures that can reduce the risk. That is why determining actual risk is a crucial step.

    Stock image of a whack-a-mole game.

    Info-Tech Insight

    Vulnerability scanning is a valuable function, but it does not tell the full picture. You must determine how urgent a vulnerability truly is, based on your specific environment.

    Prioritize remediation by levels of risk

    Address critical and high risk with high immediacy.

    • Addressing the critical and high-risk vulnerabilities with urgency will ensure that you are addressing a more manageable number of vulnerabilities.
    • An optimized vulnerability management process will address the medium and low risk vulnerabilities within the regular cycle.
    • This may be very similar to what you do today in an ad hoc fashion:
      • Zero-day vulnerabilities tend to warrant a stop in operations and are dealt with immediately (or as soon as a vendor has a fix).
      • The standard remediation process (patching/updating, change of configuration, etc.) happens within a regular controlled time cycle.
    • Formalizing this process will ensure that appropriate attention is given to vulnerabilities that warrant it and that the remaining vulnerabilities are dealt with as a regular, recurring activity.

    Mitigate the risk surface by reducing the time across the phases

    Chart titled 'Mitigate the risk surface by reducing the time across the phases' with the axes 'Risk Level' and 'Time' with lines created by individual risks. The highlighted line begins in 'Critical' and eventually drops to low. A note on the line reads 'Objective: Reduce risk surface by reducing time to address'. The area between the line and your organization's risk tolerance is labelled 'Risk Surface, to be addressed with high priority'. A bracket around Risk levels 'High' and 'Critical' reads 'Priority focus zone (risk surface)'. Risk lines within levels 'Low' and 'Medium' read 'Follow standard vulnerability management cycles'.

    Risk matrix

    Risk = Impact x Likelihood
    • Info-Tech’s Vulnerability Management Risk Assessment Tool provides a method of calculating the risk of a vulnerability. The risk rating is assigned using the impact of the risk and the likelihood or probability that the event may occur.
    • The tool puts the vulnerability into your organization’s context: How many people will be affected? What service types are vulnerable and how does that impact the business? Is there an anticipated update from the vendor of the system being affected?
    • Urgency of remediation should be based on the business consequences if the vulnerability were to be exploited, relative to the business’ risk tolerance.

    Info-Tech Insight

    Risk determination should be done within the context of your current environment and not simply based on what your vulnerability tool is reporting.

    A risk matrix is useful in calculating a risk rating for vulnerabilities. Risk matrix with axes 'Impact' and 'Time' and individual vulnerabilities mapped onto it via their risk rating. The example 'Organizational Risk Tolerance Threshold' line runs diagonally through the 'Medium' squares.

    2.4.1 Build a classification scheme to consistently assess impact

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Impact. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', 'Network vulnerability', and 'Vendor patch release'.

    2.4.2 Build a classification scheme to consistently assess likelihood

    60 minutes

    Input: Knowledge of IT environment, Knowledge of business impact for each IT component or service

    Output: Vulnerability Management Risk Assessment Tool formatted to your organization

    Materials: Vulnerability Management Risk Assessment Tool

    Participants: Functional Area Managers, IT Security Manager, CISO

    Risk always has a negative impact, but the size of the impact can vary considerably in terms of cost, number of people or sites affected, and the severity of the impact. Impact questions tend to be more objective and quantifiable than likelihood questions.

    1. Define a set of questions to measure risk impact or edit existing questions in the tool.
    2. For each question, assign a weight that should be placed on that factor.
    3. Define criteria for each question that would categorize the risk. The drop-down box content can be modified in the hidden Labels tab.

    Note that you are looking to baseline vulnerability types, rather than categorizing every single vulnerability that your scanning tool reports. The volume of vulnerabilities will be high, but vulnerabilities can be categorized into types on a regular basis.

    Download the Vulnerability Management Risk Assessment Tool

    Screenshot of table from Info-Tech's Vulnerability Management Risk Assessment Tool for assessing Likelihood. Column headers are 'Weight', 'Question', 'OS vulnerability', 'Application vulnerability', and 'Network vulnerability'.

    Prioritize based on risk

    Select the best remediation option to minimize risk.

    Through the combination of the identified risk and remediation steps in this phase, the prioritization for vulnerabilities will become clear. Vulnerabilities will be assigned a priority once their intrinsic qualities and threat potential to business function and data have been identified.

    • Remediation options will be identified for the higher urgency vulnerabilities.
    • Options will be assessed for whether they are appropriate.
    • They will be further tested to determine if they can be used adequately prior to full implementation.
    • Based on the assessments, the remediation will be implemented or another option will be considered.
    Prioritization
    1. Assignment of risk
    2. Identification of remediation options
    3. Assessment of options
    4. Implementation

    Remediation plays an incredibly important role in the entire program. It plays a large part in wider risk management when you must consider the risk of the vulnerability, the risk of the remediation option, and the risk associated with the overall process.

    Implement Risk-Based Vulnerability Management

    Phase 3

    Remediate vulnerabilities

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • Identifying potential remediation options.
    • Developing criteria for each option with regards to when to use and when to avoid.
    • Establishing exception procedure for testing and remediation.
    • Documenting the implementation of remediations and verification.

    This phase involves the following participants:

    • CISO, or equivalent
    • Security Manager/Analyst
    • Network, Administrator, System, Database Manager
    • Other members of the vulnerability management team
    • Risk managers for the risk-related steps

    Determining how to remediate

    Patching is only one option.

    This phase will allow organizations to build out the specific processes for remediating vulnerabilities. The overall process will be the same but what will be critical is the identification of the correct material. This includes building the processes around:
    • Identifying and selecting the remediation option to be used.
    • Determining what to do when a patch or update is not available.
    • Scheduling and executing the remediation activity.
    • Continuous improvement.

    Each remediation option carries a different level of risk that the organization needs to consider and accept by building out this program.

    It is necessary to be prepared to do this in real time. Careful documentation is needed when dealing with vulnerabilities. Use the Vulnerability Tracking Tool to assist with documentation in real time. This is separate from using the process template but can assist in the documentation of vulnerabilities.

    Step 3.1

    Assessing remediation options

    Activities
    • 3.1.1 Develop risk and remediation action

    This step will walk you through the following activities:

    With the risk assessment from the previous activity, we can now examine remediation options and make a decision. This activity will guide us through that.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    List of remediation options and criteria on when to consider each.

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Identify remediation options

    There are four options when it comes to vulnerability remediation.

    Patches and Updates

    Patches are software or pieces of code that are meant to close vulnerabilities or provide fixes to any bugs within existing software. These are typically provided by the vendor to ensure that any deployed software is properly protected after vulnerabilities have been detected.

    Configuration Changes

    Configuration changes involve administrators making significant changes to the system or network to remediate against the vulnerability. This can include disabling the vulnerable application or specific element and can even extend to removing the application altogether.

    Remediation

    Compensating Controls

    By leveraging security controls, such as your IDS/IPS, firewalls, or access control, organizations can have an added layer of protection against vulnerabilities beyond the typical patches and configuration changes. This can be used as a measure while waiting to implement another option (if one exists) to reduce the risk of the vulnerability in the short or long term.

    Risk Acceptance

    Whenever a vulnerability is not remediated, either indefinitely or for a short period of time, the organization is accepting the associated risk. Segregation of the vulnerable system can occur in this instance. This can occur in cases where a system or application cannot be updated without detrimental effect to the business.

    Patches and updates

    Patches are often the easiest and most common method of remediation.

    Patches are usually the most desirable remediation solution when it comes to vulnerability management. They are typically provided by the vendor of the vulnerable application or system and are meant to eliminate the existing vulnerability.

    When to use

    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching for the affected systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.

    When to avoid

    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches, which is often the case for critical systems.
    When to consider other remediation options
    • For critical systems, it can be difficult to implement a patch as they often require the system to be rebooted or go through some downtime. There must be consideration towards whether there is a change window approaching if a patch is to be implemented on a business-critical system.
      • If there is no opportunity to implement the patch, or no approaching change window, it is wise to leverage another remediation option.
    • When patches are not currently available from the vendor or they are in production, other remediation options are needed.
    • Other remediation options can be used in tandem with the patch. For example, if a patch is being deferred until the change window, it would be wise to use alternate remediation options to close the vulnerability.

    Compensating controls

    Compensating controls can decrease the risk of vulnerabilities that cannot be (immediately) remediated.

    • Compensating controls are measures put in place when direct remediation measures are impractical or non-existent.
    • Similar to the payment card industry’s PCI DSS 1.0 provision of compensating controls, these are meant to meet the intent or rigor of the original requirement; unlike PCI DSS, these measures are to mitigate risk rather than meet compliance.
    • The compensating control should be viewed as only a temporary measure for dealing with a vulnerability, although circumstances may dictate a degree of permanence in the application of the compensating control.
    • Examples where compensating controls may be needed are:
      • The software vendor is developing an update or patch to address a vulnerability.
      • Through your testing process, a patch will adversely affect the performance or operation of the target system and be detrimental to the business.
      • A critical application will only run on a legacy operating system, the latter of which is no longer supported by the vendor.
      • A legacy application is no longer being supported but is critical to your operations. A replacement, if one exists, will take time to implement.
    Examples of compensating controls
    • Segregating a vulnerable server or application on the network, physically or logically.
    • Hardening the operating system or application.
    • Restricting user logins to the system or application.
    • Implementing access controls on the network route to the system.
    • Instituting application whitelisting.

    Configuration changes

    Configuration changes involve making changes directly to the application or system in which there is a vulnerability. This can vary from disabling or removing the vulnerable element or, in the case of applications built in-house, changing the coding of the application itself. These are commonly used in network vulnerabilities such as open ports.

    When to use

    • A patch is not available.
    • The vulnerable element can be significantly changed, or even disabled, without significantly disrupting the business.
    • The application is built in-house, as the vulnerability must be closed internally.
    • There is adequate testing to ensure that the configuration change does not affect the business.
    • A configuration change in your network or system can affect numerous endpoints or systems, reducing endpoint patching or use of defense-in-depth controls.

    When to avoid

    • When a suitable patch is available.
    • When the vulnerability is on a business-critical element with no nearby change window or it cannot be disabled.
    • When there is no opportunity in which to perform testing to ensure that there are no unintended consequences.
    When to consider other remediation options
    • Configuration changes require careful documentation as changes are occurring to the system and applications. If there is a need to perform a back-out process and return to the original configuration, this can be extremely difficult without clear documentation of what occurred.
    • If business systems are too critical or important to the regular business function to perform any changes, it is necessary to consider other options.

    Info-Tech Insight

    Remember your existing processes: configuration changes may need to be approved and orchestrated through your organization’s configuration and change management processes.

    Case Study

    Remediation options do not have to be used separately. Use the Shellshock 2014 case as an example.

    INDUSTRY: All
    SOURCE: Public Domain
    Challenge

    Bashdoor, more commonly known as Shellshock, was announced on September 24, 2014.

    This bug involved the Bash shell, which normally executes user commands, but this vulnerability meant that malicious attackers could exploit it.

    This was rated a 10/10 by CVSS – the highest possible score.

    Within hours of the announcement, hackers began to exploit this vulnerability across many organizations.

    Solution

    Organizations had to react quickly and multiple remediation options were identified:

    • Configuration changes – Companies were recommended to use other shells instead of the Bash shell.
    • Defense-in-depth controls – Using HTTP server logs, it could be possible to identify if the vulnerability had been exploited.
    • Patches – Many vendors released patches to close this vulnerability including Debian, Ubuntu, and Red Hat.
    Results

    Companies began to protect themselves against these vulnerabilities.

    While many organizations installed patches as quickly as possible, some also wished to test the patch and leveraged defense-in-depth controls in the interim.

    However, even today, many still have the Shellshock vulnerability and exploits continue to occur.

    Accept the risk and do nothing

    By choosing not to remediate vulnerabilities, you must accept the associated risk. This should be your very last option.

    Every time that a vulnerability is not remediated, it continues to pose a risk to the organization. While it may seem that every vulnerability needs to be remediated, this is simply not possible due to limited resources. Further, it can take away resources from other security initiatives as opposed to low-priority vulnerabilities that are extremely unlikely to be exploited.

    Common criteria for vulnerabilities that are not remediated:
    • Affected systems are of extremely low criticality.
    • Affected systems are deemed too critical to take offline to perform adequate remediation.
    • Low urgency is assigned to those vulnerabilities.
    • Cost and time required for the remediation are too high.
    • No adequate solutions exist – the vendor has not released a patch, there are weak defense-in-depth controls, and it is not possible to perform a configuration change.

    Risk acceptance is not uncommon…

    • With an ever-increasing number of vulnerabilities, organizations are struggling to keep up and often, intentionally or unintentionally, accept the risk associated.
    • In the end, non-remediation means full acceptance of the risk and any consequences.

    Enterprise risk management
    Arrow pointing up.
    Risk acceptance of vulnerabilities

    While these are common criteria, they must be aligned to the enterprise risk management framework and approved by management.

    Don’t forget the variables that were assessed in Phase 2. This includes the risk from potential lateral movement or if there is an existing exploit.

    Risk considerations

    When determining if risk acceptance is appropriate, consider the cost of not mitigating vulnerabilities.

    Don’t accept the risk because it seems easy. Consider the financial impact of leaving vulnerabilities open.

    With risk acceptance, it is important to review the financial impact of a security incident resulting from that vulnerability. There is always the possibility of exploitation for vulnerabilities. A simple metric taken from NIST SP800-40 to use for this is:

    Cost not to mitigate = W * T * R

    Where (W) is the number of work stations, (T) is the time spent fixing systems or lost in productivity, and (R) is the hourly rate of the time spent.

    As an example provided by NIST SP800-40 Version 2.0, Creating a Patch and Vulnerability Management Program:

    “For an organization where there are 1,000 computers to be fixed, each taking an average of 8 hours of down time (4 hours for one worker to rebuild a system, plus 4 hours the computer owner is without a computer to do work) at a rate of $70/hour for wages and benefits:

    1,000 computers * 8 hours * $70/hour = $560,000”

    Info-Tech Insight

    Always consider the financial impact that can occur from an exploited vulnerability that was not remediated.

    3.1.1 Develop risk and remediation action

    90 minutes

    Input: List of remediation options

    Output: List of remediation options sorted into “when to use” and “when to avoid” lists

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT Infrastructure Manager, IT Operations Manager, Corporate Risk Officer, CISO

    It is important to define and document your organization-specific criteria for when a remediation option is appropriate and inappropriate.

    1. List each remediation option on a flip chart and create two headings: “When to use” and “When to avoid.”
    2. Each person will list “when to use” criteria on a green sticky note and “when to avoid” criteria on a red one for each option; these will be placed on the appropriate flip chart.
    3. Discuss as a group which criteria are appropriate and which should be removed.
    4. Move on to the next remediation option when completed.
      • Ensure to include when there are remediation options that will be connected. For example, the risk may be accepted until the next available change window, or a defense-in-depth control is used before a patch can be fully installed.
    5. Once the criteria has been established, document this in the Vulnerability Management SOP Template.
    When to use:
    • When adequate testing can be performed on the patch to be implemented.
    • When there is a change window approaching, especially for critical systems.
    • When there is standardization across the IT assets to allow for easier installation of patches.
    When to avoid:
    • When the patch cannot be adequately tested.
    • When a patch has been tested, but it has caused an unfavorable consequence such as a system or application failure.
    • When there is no near change window in which to install the patches.
    (Example from the Vulnerability Management SOP Template for Patches.)

    Download the Vulnerability Management SOP Template

    Step 3.2

    Scheduling and executing remediation

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although there are no specific activities for this section, it will walk you through your existing processes configuration and change management to ensure that you are leveraging those activities in your vulnerability remediation actions.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    Gained understanding of how IT operations processes configuration and change management can be leveraged for the vulnerability remediation process. Don’t reinvent the wheel!

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Implementing the remediation

    Vulnerability management converges with your IT operations functions.
    • Once a remediation strategy has been formulated, you can leverage your release and change management processes to orchestrate the testing, version tracking, scheduling, approval, and implementation activities.
    • Each of these processes should exist in your environment in some form. Leveraging these will engage the IT operations team to carry out their tasks in the remediation process.
    • There can be a partial or full handoff to these processes, however, the owner of the vulnerability management program is responsible for verifying the application of the remediation measure and that the overall risk has been reduced.
    • Although full blueprints exist that cover each of these processes in great detail, the following slides provide an overview of each of these IT operations processes and how they intersect with vulnerability management.
    Stock image of a person on a laptop overlaid by an icon with gears indicating settings.

    Release Management

    Control the quality of deployments and releases of software updates.

    • The release management process exists to ensure that new software releases (such as patches and updates) are properly tested and documented with version control prior to their implementation into the production environment.
    • The process should map out the logistics of the deployment process to ensure that it is consistent and controlled.
    • Testing is an important part of release management and the urgency of a vulnerability remediation operation can expedite this process to ensure minimal delays. Once testing has been completed successfully, the update is then “promoted” to production-ready status and submitted into the change management process.
    • Often a separate release team may not exist, however, release management still occurs.

    For guidance on implementing or improving your release management process, refer to Info-Tech’s Stabilize Release and Deployment Management blueprint or speak to one of our experts.

    Info-Tech Insight

    Many organizations don’t have a separate release team. Rather, whomever is doing the deployment will submit a change request and the testing details are vetted through the organization’s change management process.

    For guidance on the change management process review our Optimize Change Management blueprint.

    Change Management

    Leverage change control, interruption management, approval, and scheduling.
    • Change management likely exists in some shape or form in your organization. There is usually someone or a committee, such as a change advisory board (CAB), that gives approval for a change.
    • Leveraging the change management process will ensure that your vulnerability remediation has undergone the proper review and approval before implementation. There will usually be business sign-off as part of a change management approval process.
    • Communication will also be integrated in the change management process, so the change manager will ensure that appropriate, timely communications are sent to the proper key stakeholders.
    • The change management process will link to release management and configuration management processes if they exist.

    For further guidance on implementing or improving your change management process, refer to Info-Tech’s Optimize Change Management blueprint or speak to one of our experts.

    “With no controls in place, IT gets the blame for embarrassing outages. Too much control, and IT is seen as a roadblock to innovation.” (VP IT, Federal Credit Union)

    Post-implementation activities

    Vulnerability remediation isn’t a “set it and forget it” activity.
    • Once vulnerability remediation has occurred, it is imperative that the results are reported back to the vulnerability management program manager. This ensures that the loop is closed and the tracking of the remediation activity is done properly.
      • Organizations that are subject to audit by external entities will understand the importance of such documentation.
    • The results of post-implementation review from the change management process will be of great interest, particularly if there was any deviation from the planned activities.
    • Although change execution will usually undergo some form of testing during the maintenance window, there is always the possibility that something has broken as a result of the software update. Be quick to respond to these types of incidents!
      • One example of an issue that is near impossible to test during a maintenance window is one that manifests only when the system or software comes under load. This is what makes for busy Monday mornings after a weekend change window.
    A scan with your vulnerability management software after remediation can be a way to verify that the overall risk has been reduced, if remediation was done by way of patching/updates.

    Info-Tech Insight

    After every change completion, whether due to vulnerability remediation or not, it is a good idea to ensure that your infrastructure team increases its monitoring diligence and that your service desk is ready for any sudden influx of end-user calls.

    Step 3.3

    Continuous improvement

    Activities

    None for this section.

    This step will walk you through the following activities:

    Although this section has no activities, it will review the process by which you may continually improve vulnerability management.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • ITOps team members, including tiers 1, 2, and 3
    • CISO
    • CIO

    Outcomes of this step

    An understanding of the importance of ongoing improvements to the vulnerability management program.

    Remediate vulnerabilities
    Step 3.1Step 3.2Step 3.3

    Drive continuous improvement

    • Also known as “Continual Improvement” within the ITIL best practice framework.
    • Your vulnerability management program will not be perfect on first launch. In fact, due to the ever-changing nature of vulnerabilities and the technology designed to detect and combat vulnerabilities, the processes within your vulnerability management program will need to be tweaked from time to time.
    • Continuous improvement is a sustained, proactive approach to process improvement. The practice allows for all process participants to observe and suggest incremental improvements that can help improve the overall process.
    • In many cases, continuous improvement can be triggered by changes in the environment. This makes perfect sense for vulnerability management process improvement as a change in the environment will require vulnerability scanning to ensure that such changes have not introduced new vulnerabilities into the environment, increasing your risk surface.
    • One key method to tracking continuous improvement is through the effective use of metrics, covered in Section 4.1 of this blueprint.
    “The success rate for continual improvement efforts is less than 60 percent. A major – if not the biggest – factor affecting the deployment of long-term continual improvement initiatives today is the fundamental change taking place in the way companies manage and execute work.” (Industry analyst at a consulting firm, 2014)

    Continuous Improvement

    Continuously re-evaluate the vulnerability management process.

    As your systems and assets change, your vulnerability management program may need updates in two ways.

    When new assets and systems are introduced:

    • When new systems and assets are introduced, it is important for organizations to recognize how these can affect vulnerability management.
    • It will be necessary to identify the business criticality of the new assets and systems and the sensitivity of the data that can be found on them.
    • Without doing so, these will be considered rogue systems or assets – there is no clear process for assigning urgencies.
    • This will only cause problems as actions may be taken that are not aligned with the organization’s risk management framework.

    Effective systems and asset management are needed to track this. Review Info-Tech’s Implement Systems Management to Improve Availability and Visibility blueprint for more help.

    Document any changes to the vulnerability management program in the Vulnerability Management SOP Template.

    When defense-in-depth capabilities are modified:

    • As you build an effective security program, more controls will be added that can be used to protect the organization.
    • These should be documented and evaluated based on ability to mitigate against vulnerabilities.
    • The defense-in-depth model that was previously established should be updated to include the new capabilities that can be used.
    • Defense-in-depth models are continually evolving as the security landscape evolves, and organizations must be ready for this.

    To assist in building a defense-in-depth model, review Build an Information Security Strategy.

    Implement Risk-Based Vulnerability Management

    Phase 4

    Measure and formalize

    Phase 1

    1.1 What is vulnerability management?
    1.2 Define scope and roles
    1.3 Cloud considerations for vulnerability management
    1.4 Vulnerability detection

    Phase 2

    2.1 Triage vulnerabilities
    2.2 Determine high-level business criticality
    2.3 Consider current security posture
    2.4 Risk assessment of vulnerabilities

    Phase 3

    3.1 Assessing remediation options
    3.2 Scheduling and executing remediation
    3.3 Continuous improvement

    Phase 4

    4.1 Metrics, KPIs & CSFs
    4.2 Vulnerability management policy
    4.3 Select and implement a scanning tool
    4.4 Penetration testing

    This phase will walk you through the following activities:

    • You will determine what ought to be measured to track the success of your vulnerability management program.
    • If you lack a scanning tool this phase will help you determine tool selection.
    • Lastly, penetration testing is a good next step to consider once you have your vulnerability management program well underway.

    This phase involves the following participants:

    • IT Security Manager
    • SecOps team members
    • Procurement representatives
    • CISO
    • CIO

    Step 4.1

    Metrics, Key Performance Indicators (KPIs), and Critical Success Factors (CSFs)

    Activities
    • 4.1.1 Measure your program with metrics, KPIs, and CSFs

    This step will walk you through the following activities:

    After a review of the differences between raw metrics, key performance indicators (KPI), and critical success factors (CSF), compile a list of what metrics you will be tracking, why, and the business goals for each.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    Outline of metrics you can configure your vulnerability scanning tool to report on.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    You can’t manage what you can’t measure

    Metrics provides visibility.

    • Management consultant Peter Drucker introduced the concept of metrics tied to key performance indicators (KPIs), and the concept holds true: without metrics, you lack the visibility to manage or improve a process.
    • Metrics aren’t just a collection of statistics, they have to be meaningful, they have to tell the story, and most importantly, they have to answer the “so what?” question. What is the significance of a metric – do they illustrate a trend or an anomaly? What actions should be carried out when a metric hits a certain threshold?
    • It would be prudent to track several metrics that can be combined to tell the full story. For example, tracking the number of critical vulnerabilities alone does not give a sense of the overall risk to the organization, nor does it offer any information on how quickly they have been remediated or what amount of effort was invested.
    Stock image of measuring tape.

    Metrics, KPIs, and CSFs

    Tracking the right information and making the information relevant.
    • There is often confusion between raw metrics, key performance indicators, and critical success factors.
    • Raw metrics are what is trackable from your systems and processes as a set of measurements without any context. Raw metrics in themselves are useful in telling the story of “what are we doing?”
    • KPIs are the specific metric or combination of metrics that help you track or gauge performance. KPIs tell the story of “how are we doing?” or “how well are we doing?”
    • CSFs are the specific KPIs that track the activities that are absolutely critical to accomplish for the business or business unit to be successful.
    The activity tracker on your wrist is a wealth of metrics, KPIs, and CSFs.

    If you wear an activity tracker, you are likely already familiar with the differences between metrics, key performance indicators, and critical success factors:

    • The raw metrics are your heart rate, step count, hours of sleep, caloric intake, etc.
    • KPIs are the individual goals that you have set: maintain a heart rate within the appropriate range for your age/activity level, achieve a step count goal per day, get x hours of sleep per night, consume a calorie range of y per day, etc.
    • CSFs are your overall goal: increase your cardiovascular capacity, lose weight, feel more energetic, etc.

    Your security systems can be similarly measured and tracked – transfer this skill!

    Tracking relevant information

    Tell the story in the numbers.

    Below are a number of suggested metrics to track, and why.

    Business Goal

    Critical Success Factor

    Key Performance Indicator

    Metric to track

    Minimize overall risk exposureReduction of overall risk due to vulnerabilitiesDecrease in vulnerabilitiesTrack the number of vulnerabilities year after year.
    Appropriate allocation of time and resourcesProper prioritization of vulnerability mitigation activitiesDecrease of critical and high vulnerabilitiesTrack the number of high-urgency vulnerabilities.
    Consistent timely remediation of threats to the businessMinimize risk when vulnerabilities are detectedRemediate vulnerabilities more quicklyMean time to detect: track the average time between the identification to remediation.
    Track effectiveness of scanning toolMinimize the ratio, indicating that the tool sees everythingRatio between known assets and what the scanner tracksScanner coverage compared to known assets in the organization.
    Having effective tools to track and addressAccuracy of the scanning toolDifference or ratio between reported vulnerabilities and verified onesNumber of critical or high vulnerabilities verified, between the scanning tool’s criticality rating and actual criticality.
    Reduction of exceptions to ensure minimal exposureVisibility into persistent vulnerabilities and risk mitigation measuresNumber of exceptions grantedNumber of vulnerabilities in which little or no remediation action was taken.

    4.1.1 Measure your program with metrics, KPIs, and CSFs

    60 minutes

    Input: List of metrics current being measured by the vulnerability management tool

    Output: List of relevant metrics to track, and the KPIs, CSFs, and business goals related to the metric

    Materials: Whiteboard/flip charts, Vulnerability Management SOP Template

    Participants: IT Security Manager, IT operations management, CISO

    Metrics can offer a way to view how the organization is dealing with vulnerabilities and if there is improvement.

    1. Determine the high-level vulnerability management goals for the organization.
    2. Even with a formal process in place, the organization should be considering ways it can improve.
    3. Determine metrics that can help quantify those goals and how they can be measured.
    4. Metrics should always be easy to measure. If it’s a complex process to find the information required, it means that it is not a metric that should be used.
    5. Document your list of metrics in the Vulnerability Management SOP Template.

    Download the Vulnerability Management SOP Template

    Step 4.2

    Vulnerability Management Policy

    Activities
    • 4.2.1 Update the vulnerability management program policy

    This step will walk you through the following activities:

    If you have a vulnerability management policy, this activity may help augment it. Otherwise, if you don’t have one, this would be a great starting point.

    This step involves the following participants:

    • IT Security Manager
    • CISO
    • CIO
    • Human resources representative

    Outcomes of this step

    An inaugural policy covering vulnerability management

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Vulnerability Management Program Policy

    Policies provide governance and enforcement of processes.
    • Policies offer formal guidance on the “rules” of a program, describing its purpose, scope, detailed program description, and consequences of non-compliance. Often they will have a employee sign-off acknowledging understanding.
    • In many organizations, policies are endorsed by senior executives, which gives the policy its “teeth” across the company. The human resources department will always have input due to the implications of the non-compliance aspect.
    • Policies are written to ensure an outcome of consistent expected behavior and are often written to protect the company from liability.
    • Policies should be easy to understand and unambiguous, reflect the current state, and be enforceable. Enforceability can come in the form of audit, technology, or any other means of determining compliance and enforcing behavior.
    Stock image of a judge's gavel.

    4.2.1 Update the vulnerability management policy

    60 minutes

    Input: Vulnerability Management SOP, HR guidance on policy creation and approval

    Output: Completed Vulnerability Management Policy

    Materials: Vulnerability Management SOP, Vulnerability Management Policy Template

    Participants: IT Security Manager, IT operations management, CISO, Human resources representative

    After having built your entire process in this project, formalize it into a vulnerability management policy. This will set the standards and expectations for vulnerability management in the organization, while the process will be around the specific actions that need to be taken around vulnerability management.

    This is separate and distinct from the Vulnerability Management SOP Template, which is a process and procedure document.
    1. Review Info-Tech’s Vulnerability Management Policy and customize it to your organization’s specifications.
    2. Use your Vulnerability Management SOP as a resource when specifying some of the details within the policy.
    Sample of Info-Tech's Vulnerability Management Policy Template

    Download the Vulnerability Management Policy Template

    Step 4.3

    Select and implement a scanning tool

    Activities
    • 4.3.1 Create an RFP for vulnerability scanning tools

    This step will walk you through the following activities:

    If you need to select a new vulnerability scanning tool, or replace your existing one, this activity will help set up a request for proposal (RFP).

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO

    Outcomes of this step

    The provisions needed for you to create and deploy an RFP for a vulnerability management tool.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Vulnerability management and penetration testing

    Similar in nature, yet provide different security functions.

    Vulnerability Scanning Tools

    Scanning tools focus on the network and operating systems. These tools look for items such as missing patches or open ports. They won’t detect specific application vulnerabilities.

    Exploitation Tools

    These tools will look to exploit a detected vulnerability to validate it.

    Penetration Tests

    A penetration test simulates the actions of an external or internal cyber attacker that aims to breach the information security of the organization. (Formal definition of penetration test)

    ‹————— What’s the difference again? —————›
    Vulnerability scanning tools are just one type of tool.When you add an exploitation tool to the mix, you move down the spectrum.Penetration tests will use scanning tools, exploitation tools, and people.

    What is the value of each?

    • For vulnerability scans, the person performing the scan provides the value – value comes from the organization itself.
    • For exploitation tools on their own, the value comes from the tool itself being used in a safe environment.
    • For penetration tests, the tester is providing the value. They are the value add.

    What’s the implication for me?

    Info-Tech Recommends:
    • A combination of vulnerability scanning and penetration testing. This will improve your security posture through systematic risk reduction and improve your security program through the testing of prevention, detection, and response capabilities with unique recommendations being generated.
    • Start with as much vulnerability scanning as possible to identify gaps to fix and then move onto a penetration test to do a more robust and validated assessment.
    • For penetration tests, start with a transparent box test first, then move to an opaque box. Ideally, this is done with different third parties.

    Vulnerability scanning software

    All organizations can benefit from having one.

    Scanning tools will benefit areas beyond just vulnerability management

    • Network security: It improves the accuracy and granularity of your network security technologies such as WAFs, NGFWs, IDPS, and SIEM.
    • Asset management: Vulnerability scanning can identify new or unknown assets and provide current status information on assets.
    • System management: Information from a vulnerability scan supports baselining activities and determination of high-value and high-risk assets.

    Vulnerability Detection Use Case

    Most organizations use scanners to identify and assess system vulnerabilities and prioritize efforts.

    Compliance Use Case

    Others will use scanners just for compliance, auditing, or larger GRC reasons.

    Asset Discovery Use Case

    Many organizations will use scanners to perform active host and application identification.

    Scanning Tool Market Trends

    Vulnerability scanning tools have expanded value from conventional checking for vulnerabilities to supporting configuration checking, asset discovery, inventory management, patch management, SSL certificate validation, and malware detection.

    Expect to see network and system vulnerability scanners develop larger vulnerability management functions and develop exploitation tool functionality. This will become a table stakes option enabling organizations to provide higher levels of validation of detected vulnerabilities. Some tools already possess these capabilities:

    • Core Impact is an exploitation tool with vulnerability scanning aspects.
    • Metasploit is an exploitation tool with some new vulnerability scanning aspects.
    • Nessus is mainly a vulnerability scanning tool but has some exploitation aspects.

    Device proliferation (BYOD, IoT, etc.) is increasing the need for stronger vulnerability management and scanners. This is driving the need for numerous device types and platform support and the development of baseline and configuration norms to support system management.

    Increased regulatory or compliance controls are also stipulating the need for vulnerability scanning, especially by a trusted third party.

    Organizations are outsourcing security functions or moving to cloud-based deployment options for any security technology they can. Expect to see massive growth of vulnerability scanning as a service.

    Vulnerability scanning market

    There are several technology types or functional differentiators that divide the market up.

    Vulnerability Exploitation Tools

    • These will actually test defences and better emulate real life than just scanning. These tools include packet manipulation tools (such as hping) and password cracking tools (such as John the Ripper or Cain and Abel).
    • These tools will provide much more granular information on your network, operations systems, and applications.
    • The main limitation of these tools is how to use them. If you do not have development or test environments that mimic your real production environments to run the exploit tools, these tools may not be appropriate. It may work if you can find some downtime on production systems, but only in very specific and careful instances.
    • Lower maturity security programs usually just do network and application vulnerability scanning. Higher maturity programs will also use penetration testing, application testing, and vulnerability exploitation tools.
    • Network vulnerability scanning tools should always be used. Once you identify any servers or ports running web applications, then you run a web application vulnerability scanner.
    • Exploitation tools and application testing tools are used in more specific use cases that are often related to more-demanding security programs.

    Scanning Tool Market Trends

    • These are considered baseline tools and are near commoditization.
    • Vulnerability scanning tools are not granular enough to detect application-level vulnerabilities (thus the need for application scanners and testing tools) and they don’t validate the exploitability of the vulnerability (thus the need for exploit tools).

    Web Application Scanning Tools

    These tools perform dynamic application security testing (DAST) and static application security testing (SAST).

    Application Scanning and Testing Tools

    • These perform a detailed scan against an application to detect any problematic or malicious code and try to break the application using known vulnerabilities.
    • These tools will identify if something is vulnerable to an exploit but won’t actually run the exploit.
    • These tools are evaluated based on their ability to detect application-specific issues and validate them.

    Vulnerability scanning tool features

    Evaluate vulnerability scanning tools on specific features or functions that are the best differentiators.

    Differentiator

    Description

    Deployment OptionsDo you want a traditional on-premises, cloud-based, or managed service?
    Vulnerability Database CoverageScanners use a library of known vulnerabilities to test for. Evaluate based on the amount of exploits/vulnerabilities the tool can scan for.
    Scanning MethodEvaluate if you want agent-based, authenticated active, unauthenticated active, passive, or some combination of those scanning methods.
    IntegrationWhat is the breadth of other security and non-security technologies the tool can integrate with?
    RemediationHow detailed are the recommended remediation actions? The more granular, the better.

    Differentiator

    Description

    PrioritizationDoes the tool evaluate vulnerabilities based on commonly accepted methods or through a custom-designed prioritization methodology?
    Platform SupportWhat is the breadth of environment, application, and device support in the tool? Consider your need for virtual support, cloud support, device support, and application-specific support. Also consider how often new scanning modules are supported (e.g. how quickly Windows 10 was supported).
    PricingAs with many security controls that have been around for a long time and are commonly used, pricing becomes a main consideration, especially when there are so many open-source options available.

    Common areas people mistake as tool differentiators:

    • Accuracy – Scanning tools are evaluated more on efficiency than effectiveness. Evaluate on the ability to detect, remediate, and manage vulnerabilities rather than real vulnerability detection and the number of false positives. To reduce false positives, you need to use exploitation tools.
    • Performance – Scanning tools have such a small footprint in an environment and the actual scanning itself is such a small impact that evaluation on performance doesn’t matter.

    For more information on vulnerability scanning tools and how they rate, review the Vulnerability Management category on SoftwareReviews.

    Vulnerability scanning deployment options

    Understand the different deployment options to identify which is best for your security program.

    Option

    Description

    Pros

    Cons

    Use Cases

    On-PremisesEither an on-premises appliance or an on-premises virtualized machine that performs external and internal scanning.
    • Small resource need, so limited network impact.
    • Strong internal scanning.
    • Easier integration with other technologies.
    • Network footprint and resource usage.
    • Maintenance and support costs.
    • Most common deployment option.
    • Appropriate if you have cloud concerns or strong internal network scanning, or if you require strong integration with other systems.
    CloudEither hosted on a public cloud infrastructure or hosted by a third party and offered “as a service.”
    • Small network footprint.
    • On-demand scanning as needed.
    • Optimal external scanning capabilities.
    • Can only do edge-related scanning unless authenticated or agent based.
    • No internal network scanning with passive or unauthenticated active scanning methods.
    • Very limited network resources.
    • Compliance obligations that dictate external vulnerability scanning.
    ManagedA third party is contracted to manage and maintain your vulnerability scanner so you can dedicate resources elsewhere.
    • Expert management of environment scanning, optimizing tool usage.
    • Most scanning work time is report customization and tuning and remediation efforts; thus, managed doesn’t provide sizable resource alleviation.
    • Third party has and owns the vulnerability information.
    • Limited staff resources or expertise to maintain and manage scanner.

    Vulnerability scanning methods

    Understand the different scanning methods to identify which tool best supports your needs.

    Method

    Description

    Pros

    Cons

    Use Cases

    Agent-Based ScanningLocally installed software gives the information needed to evaluate the security posture of a device.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Device processing, memory, and network bandwidth impact.
    • Asset without an agent is not scanned.
    • Need for continuous scanning.
    • Organization has strong asset management
    Authenticated Active ScanningTool uses authenticated credentials to log in to a device or application to perform scanning.
    • Provides information that can’t be discovered remotely such as installed applications that aren’t running at a given time.
    • Best accuracy for vulnerability detection across a network.
    • Aggregation and centralization of authenticated credentials creates a major risk.
    • All use cases.
    Unauthenticated Active ScanningScanning of devices without any authentication.
    • Emulates realistic scan by an attacker.
    • Provides limited scope of scanning.
    • Some compliance use cases.
    • Perform after either agent or authenticated scanning.
    Passive ScanningScanning of network traffic.
    • Lowest resource impact.
    • Not enough information can be provided for true prioritization and remediation.
    • Augmenting scanning technique to agent or authenticated scanning.

    IP Management and IPv6

    IP management and the ability to manage IPv6 is a new area for scanning tool evaluation.

    Scanning on IPv4

    Scanning tools create databases of systems and devices with IP addresses.
    Info-Tech Recommends:

    • It is easier to do discovery by directing the scanner at a set IP address or range of IP addresses; thus, it’s useful to organize your database by IPs.
    • Do discovery by phases: Start with internet-facing systems. Your perimeter usually is well-defined by IP addresses and system owners and is most open to attack.
    • Stipulate a list of your known IP addresses through the DHCP registration and perform a scan on that.
    • Depending on your IP address space, another option is to scan your entire IP address space.

    Current Problem With IP Addresses

    IP addresses are becoming no longer manageable or even owned by organizations. They are often provided by ISPs or other third parties.

    Even if it is your range, chances are you don't do static IP ranges today.

    Info-Tech Recommends:

    • Agent-based scanning or MAC address-based scanning
    • Use your DHCP for scanning

    Scanning on IPv6

    First, you need to know if your organization is moving to IPv6. IPv6 is not strategically routed yet for most organizations.

    If you are moving to IPv6, Info-Tech recommends the following:

    • Because you cannot point a scanner at an IPv6 IP range, any scanning tool needs to have a strategy around how to handle IPv6 and properly scan based on IP ranges.
    • You need to know IPv4 to IPv6 translations.
    • Evaluate vulnerability scanning tools on whether any IPv6 features are on par with IPv4 features.

    If you are already on IPv6, Info-Tech recommends the following:

    • If you are on an IPv6 native network, it is nearly impossible to scan the network. You have to always scan your known addresses from your DHCP.

    4.3.1 Create an RFP for vulnerability scanning tools

    2 hours

    Input: List of key feature requirements for the new tool, List of intersect points with current software, Network topology and layout of servers and applications

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Vulnerability Scanning Tool RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use a request for proposal (RFP) template to convey your desired scanning tool requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your scanning tool RFP, based on people, process, and technology requirements.
    2. Consider items such as the desired capabilities and the scope of the scanning.
    3. Conduct interviews with relevant stakeholders to determine the exact requirements needed.
    4. Use Info-Tech’s Vulnerability Scanning Tool RFP Template. It lists many requirements but can be customized to your organization’s specific needs.

    Download the Vulnerability Scanning Tool RFP Template

    4.3.1 Create an RFP for vulnerability scanning tools (continued)

    Things to Consider:
    • Ensure there is adequate resource dedication to support and maintenance for vulnerability scanning.
    • Consider if you will benefit from an RFP. If there is a more appropriate option for your need and your organization, consider that instead.
    • If you don’t know the product you want, then perform an RFI.
    • In the RFP, you need to express your driving needs for the tool so the vendor can best understand your use case.
    • Identify who should participate in the RFP creation and evaluation. Make sure they have time available and it does not conflict with other items.
    • Determine if you want to send it to a select few or if you want to send it to a lot of vendors.
    • Determine a response date so you can know who is soliciting your business.
    • You need to have a process to handle questions from vendors.
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Vulnerability Scanning Tool RFP Template

    Step 4.4

    Penetration testing

    Activities
    • 4.1.1 Create an RFP for penetration tests

    This step will walk you through the following activities:

    We will review penetration testing, its distinction from vulnerability management, and why you may want to engage a penetration testing service.

    We provide a request for proposal (RFP) template that we can review if this is an area of interest.

    This step involves the following participants:

    • IT Security Manager
    • SecOps team members
    • CISO
    • CIO

    Outcomes of this step

    An understanding of penetration testing, and guidance on how to get started if there is interest to do so.

    Measure and formalize
    Step 4.1Step 4.2Step 4.3Step 4.4

    Penetration testing

    Penetration tests are critical parts of any strong security program.

    Penetration testing will emulate the methods an attacker would use in the real world to circumvent your security controls and gain access to systems and data.

    Penetration testing is much more than just running a scanner or other automated tools and then generating a report. Penetration testing performs critical exploit validation to create certainty around your vulnerability.

    The primary objective of a penetration test is to identify and validate security weaknesses in an organization’s security systems.

    Reasons to Test:

    • Assess current security control effectiveness
    • Develop an action plan of items
    • Build a business case for a better security program
    • Increased security budget through vulnerability validation
    • Third-party, unbiased validation
    • Adhere to compliance or regulatory requirements
    • Raise security awareness
    • Demonstrate how an attacker can escalate privileges
    • Effective way to test incident response

    Regulatory Considerations:

    • There is a lot of regulatory wording saying that organizations can’t get a system that is managed, integrated, and supported by one vendor and then have it tested by the same vendor.
    • There is the need for separate third-party testing.
    • Penetration testing is required for PCI, cloud providers, and federal entities.

    How and where is the value being generated?

    Penetration testing is a service provided by trained and tested professionals with years of experience. The person behind the test is the most important part of the test. The person is able to emulate a real-life attacker better than any computer. It is just a vulnerability scan if you use tools or executables alone.

    “A penetration test is an audit with validation.” (Joel Shapiro, Vice President Sales, Digital Boundary Group)

    Start by considering the spectrum of penetration tests

    Network Penetration Tests

    Conventional testing of network defences.

    Testing vectors include:

    • Perimeter infrastructure
    • Wireless, WEP/WPA cracking
    • Cloud penetration testing
    • Telephony systems or VoIP
    Types of tests:
    • Denial-of-service testing
    • Out-of-band attacks
    • War dialing
    • Wireless network testing/war driving
    • Spoofing
    • Trojan attacks
    • Brute force attacks
    • Watering hole attacks
    • Honeypots
    • Cloud-penetration testing
    Application Penetration Tests

    Core business functions are now being provided through web applications, either to external customers or to internal end users.

    Types: Web apps, non-web apps, mobile apps

    Application penetration and security testing encompasses:

    • Code review – analyzing the application code for sensitive information of vulnerabilities in the code.
    • Authorization testing – testing systems responsible for user session management to see if unauthorized access can be permitted.
    • Authentication process for user testing.
    • Functionality testing – test the application functionality itself.
    • Website pen testing – active analysis of weaknesses or vulnerabilities.
    • Encryption testing – testing things like randomness or key strength.
    • User-session integrity testing.
    Human-Centric Testing
    • Penetration testing is developing a people aspect as opposed to just being technology focused.
    • End users and their susceptibility to social engineering attacks (spear phishing, phone calls, physical site testing, etc.) is now a common area to test.
    • Social engineering penetration testing is not only about identifying your human vulnerabilities, but also about proactively training your end users. As well as discovering and fixing potential vulnerabilities, social engineering penetration testing will help to raise security awareness within an organization.

    Info-Tech Insight

    Your pen test should use multiple methods. Demonstrating weakness in one area is good but easy to identify. When you blend techniques, you get better success at breaching and it becomes more life-like. Think about prevention, detection, and response testing to provide full insight into your security defenses.

    Penetration testing types

    Evaluate four variables to determine which type of penetration test is most appropriate for your organization.

    Evaluate these dimensions to determine relevant penetration testing.

    Network, Application, or Human

    Evaluate your need to perform different types of penetration testing.

    Some level of network and application testing is most likely appropriate.

    The more common decision point is to consider to what degree your organization requires human-centric penetration testing.

    External or Internal

    External: Attacking an organization’s perimeter and internet-facing systems. For these, you generally provide some level of information to the tester. The test will begin with publicly available information gathering followed by some kind of network scanning or probing against externally visible servers or devices (DNS server, email server, web server, firewall, etc.)

    Internal: Carried out within the organization’s network. This emulates an attack originating from an internal point (disgruntled employee, authorized user, etc.). The idea is to see what could happen if the perimeter is breached.

    Transparent, Semi-Transparent, or Opaque Box

    Opaque Box: The penetration tester is not provided any information. This emulates a real-life attack. Test team uses publicly available information (corporate website, DNS, USENET, etc.) to start the test. These tests are more time consuming and expensive. They often result in exploitation of the easiest vulnerability.
    Use cases: emulating a real-life attack; testing detection and response capabilities; limited network segmentation.

    Transparent Box: Tester is provided full disclosure of information. The tester will have access to everything they need: building floor plans, data flow designs, network topology, etc. This represents what a credentialed and knowledgeable insider would do.
    Use cases: full assessment of security controls; testing of attacker traversal capabilities.

    Aggressiveness of the Test

    Not Aggressive: Very slow and careful penetration testing. Usually spread out in terms of packets being sent and number of calls to individuals. It attempts to not set off any alarm bells.

    Aggressive: A full DoS attack or something similar. These would be DoS attacks that take down systems or full SQL injection attacks all at once versus small injections over time. Testing options cover anything including physical tests, network tests, social engineering, and data extraction and exfiltration. This is more costly and time consuming.

    Assessing Aggressiveness: How aggressive the test should be is based on the threats you are concerned with. Assess who you are concerned with: random individuals on the internet, state-sponsored attacks, criminals, hacktivists, etc. Who you are concerned with will determine the appropriate aggressiveness of the test.

    Penetration testing scope

    Establish the scope of your penetration test before engaging vendors.

    Determining the scope of what is being tested is the most important part of a penetration test. Organizations need to be as specific as possible so the vendor can actually respond or ask questions.

    Organizations need to define boundaries, objectives, and key success factors.

    For scope:
    • If you go too narrow, the realism of the test suffers.
    • If you go too broad, it is more costly and there’s a possible increase in false positives.
    • Balance scope vs. budget.
    Boundaries to scope before a test:
    • IP addresses
    • URLs
    • Applications
    • Who is in scope for social engineering
    • Physical access from roof to dumpsters defined
    • Scope prioritized for high-value assets
    Objectives and key success factors to scope:
    • When is the test complete? Is it at the point of validated exploitation?
    • Are you looking for as many holes as possible, or are you looking for how many ways each hole can be exploited?

    What would be out of scope?

    • Are there systems, IP addresses, or other things you want out of scope? These are things you don’t explicitly want any penetration tester to touch.
    • Are there third-party connections to your environment that you don’t want to be tested? These are instances such as cloud providers, supply chain connections, and various services.
    • Are there things that would be awkward to test? For example, determine if you include high-level people in a social engineering test. Do you conduct social engineering for the CEO? If you get their credentials, it could be an awkward moment.

    Ways to break up a penetration test:

    • Location – This is the most common way to break up a penetration test.
    • Division – Self-contained business units are often done as separate tests so you can see how each unit does.
    • IT systems – For example, you put certain security controls in a firewall and want to test its effectiveness.
    • Applications – For example, you are launching a new website or a new portal and you want to test it.

    Penetration testing appropriateness

    Determine your penetration testing appropriateness.

    Usual instances to conduct a penetration test:
    • Setting up a new physical office. Penetration testing will not only test security capabilities but also resource availability and map out network flows.
    • New infrastructure hardware implemented. All new infrastructure needs to be tested.
    • Changes or upgrades to existing infrastructure. Need for testing varies depending on the size of the change.
    • New application deployment. Need to test before being pushed to production environments.
    • Changes or upgrades to existing applications. When fundamental functional changes occur, perform testing:
      • Before upgrades or patching
      • After upgrades or patching
    • Periodic testing. It is a best practice to periodically test your security control effectiveness. Consider at least an annual test.

    Specific timing considerations: Testing should be completed during non-production times of day. Testing should be completed after a backup has been performed.

    Assess your threats to determine your appropriate test type:

    Penetration testing is about what threats you are concerned about. Understand your risk profile, risk tolerance level, and specific threats to see how relevant penetration tests are.

    • Are external attackers concerning to you? Are you distressed about how an attacker can use brute force to enter your network? If so, focus on ingress points, such as FWs, routers, and DMZ.
    • Is social engineering a concern for you (i.e. phone-based or email-based)? Then you are concerned about a credentialed hacker.
    • Is it an insider threat, a disgruntled employee, etc.? This also includes an internal system that is under command and control (C&C).

    ANALYST PERSPECTIVE: Do a test only after you take a first pass.
    If you have not done some level of vulnerability assessment on your own (performing a scan, checking third-party sources, etc.) don’t waste your money on a penetration test. Only perform a penetration test after you have done a first pass and identified and remediated all the low-hanging fruit.

    4.4.1 Create an RFP for penetration tests

    2 hours

    Input: List of criteria and scope for the penetration test, Systems and application information if white box

    Output: Completed RFP document that can be distributed to vendor proponents

    Materials: Whiteboard/flip charts, Penetration Test RFP Template

    Participants: IT Security Manager, IT operations managers, CISO, Procurement department representative

    Use an RFP template to convey your desired penetration test requirements to vendors and outline the proposal and procurement steps set by your organization.

    1. Determine what kind of requirements will be needed for your penetration test RFP based on people, process, and technology requirements.
      • Consider items such as your technology environment and the scope of the penetration tests.
    2. Conduct an interview with relevant stakeholders to determine the exact requirements needed.
    3. Use Info-Tech’s Penetration Test RFP Template, which lists many requirements but can be customized to your organization’s specific needs.

    Download the Penetration Test RFP Template

    4.4.1 Create an RFP for penetration tests (continued)

    Steps of a penetration test:
    1. Determine scope
    2. Gather targeted intelligence
    3. Review exploit attempts, such as access and escalation
    4. Test the collection of sensitive data
    5. Run reporting
    Info-Tech RFP Table of Contents:
    1. Statement of Work
    2. General Information
    3. Proposal Preparation Instructions
    4. Scope of Work, Specifications, and Requirements
    5. Vendor Qualifications and References
    6. Budget and Estimated Pricing
    7. Vendor Certification

    Download the Penetration Test RFP Template

    Penetration testing considerations – service providers

    Consider what type of penetration testing service provider is best for your organization

    Professional Service Providers

    Professional Services Firms. These firms will often provide a myriad of professional services across auditing, financial, and consulting services. If they offer security-related consulting services, they will most likely offer some level of penetration testing.

    Security Service Firms. These are dedicated security consulting or advisory firms that will offer a wide spectrum of security-related services. Penetration testing may be one aspect of larger security assessments and strategy development services.

    Dedicated Penetration Testing Firms. These are service providers that will often offer the full gamut of penetration testing services.

    Integrators

    Managed Security Service Providers. These providers will offer penetration testing. For example, Dell SecureWorks offers numerous services including penetration testing. For organizations like this, you need to be skeptical of ulterior motives. For example, expect recommendations around outsourcing from Dell SecureWorks.

    Regional or Small Integrators. These are service providers that provide security services of some kind. For example, they would help in the implementation of a firewall and offer penetration testing services as well.

    Info-Tech Recommends:

    • Always be conscientious of who is conducting the testing and what else they offer. Even if you get another party to test rather than your technology provider, they will try to obtain you as a client. Remember that for larger technology vendors, security testing is a small revenue stream for them and it’s a way to find technology clients. They may offer penetration testing for free to obtain other business.
    • Most of the penetration testers were systems administrators (for network testing) or application developers (for application testing) at some point before becoming penetration testers. Remember this when evaluating providers and evaluating remediation recommendations.
    • Evaluate what kind of open-source tools, commercial tools, and proprietary tools are being used. In general, you don’t want to rely on an open-source scanner. For open source, they will have more outdated vulnerability databases, system identification can also be limited compared to commercial, and reporting is often lacking.
    • Above all else, ensure your testers are legally capable, experienced, and abide by non-disclosure agreements.

    Penetration testing best practices – communications

    Communication With Service Provider

    • During testing there should be designated points of contact between the service provider and the client.
    • There needs to be secure channels for communication of information between the tester and the client both during the test and for any results.
    • Results should always be explained to the client by the tester, regardless of the content or audience.
    • There should be a formal debrief with the results report.
    Immediate reporting of issues
    • Before any testing commences, immediate reporting conditions need to be defined. These are instances when you would want immediate notification of something occurring.
    • Stipulate certain systems or data types that if broken into or compromised, you would want to be notified right away.
    • Example:
      • If you are conducting social engineering, require notification for all account credentials that are compromised. Once credentials are compromised, it destroys all accountability for those credentials and the actions associated with those credentials by any user.
      • Require immediate reporting of specific high-critical systems that are compromised or if access is even found.
      • Require immediate reporting when regulated data is discovered or compromised in any way.

    Communication With Internal Staff

    Do you tell your internal staff that this is happening?

    This is sometimes called a “double blind test” when you don’t let your IT team know of the test occurring.

    Pros to notifying:
    • This tests the organization’s security monitoring, incident detection, and response capabilities.
    • Letting the team know they are going to see some activity will make sure they don’t get too worried about it.
    • There may be systems you can’t jeopardize but still need to test so notification beforehand is essential (e.g. you wouldn’t allow ERP testing with notification).
    Cons:
    • It does not give you a real-life example of how you respond if something happens.
    • Potential element of disrespect to IT people.

    Penetration testing best practices – results and remediation

    What to expect from penetration test results report:

    A final results report will state all findings including what was done by the testers, what vulnerabilities or exploitations were detected, how they were compromised, the related risk, and related remediation recommendations.

    Expect four major sections:
    • Introduction. An overview of the penetration test methodology including rating methodology of vulnerabilities.
    • Executive Summary. A management-level description of the test, often including a summary of any recommendations.
    • Technical Review. An overview of each item that was looked at and touched. This area breaks down what was done, how it was done, what was found, and any related remediation recommendations. Expect graphs and visuals in this section.
    • Detailed Findings. An in-depth breakdown of all testing methods used and results. Each vulnerability will be explained regarding how it was detected, what the risk is, and what the remediation recommendation is.
    Two areas that will vary by service provider:

    Prioritization

    • Most providers will boast their unique prioritization methodology.
    • A high, medium, and low rating scale based on some combination of variables (e.g. ease of exploitation, breadth of hole, information accessed resulting in further exploitation).
    • The prioritization won’t take into account asset value or criticality.
    • Keep in mind the penetration test is not an input into ultimate vulnerability prioritization, but it can help determine your urgency.

    Remediation

    • Remediation recommendations will vary across providers.
    • Generally, fairly generic recommendations are provided (e.g. remove your old telnet and input up-to-date SSH).
    • Most of the time, it is along the lines of “we found a hole; close the hole.”

    Summary of Accomplishment

    Problem Solved

    At the conclusion of this blueprint, you will have created a full vulnerability management program that will allow you to take a risk-based approach to vulnerability remediation.

    Assessing a vulnerability’s risk will enable you to properly determine the true urgency of a vulnerability within the context of your organization; this ensures you are not just blindly following what the tool is reporting.

    The risk-based approach will allow you to prioritize your discovered vulnerabilities and take immediate action on critical and high vulnerabilities while allowing your standard remediation cycle to address the medium to low vulnerabilities.

    With your program defined and developed, you now need to configure your vulnerability scanning tool or acquire one if you don’t already have a tool in place.

    Lastly, while vulnerability management will help address your systems and applications, how do you know if you are secure from external malicious actors? Penetration testing will offer visibility, allowing you to plug those holes and attain an environment with a smaller risk surface.

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    Additional Support

    If you would like additional support, have our analysts guide you through other phases as part of an Info-Tech workshop.

    Photo of Jimmy Tom.

    Contact your account representative for more information.

    workshops@infotech.com 1-888-670-8889

    To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.

    Info-Tech analysts will join you and your team at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    Sample of the Implement Vulnerability Management storyboard.
    Review of the Implement Vulnerability Management storyboard
    Sample of the Vulnerability Mitigation SOP template.
    Build your vulnerability management SOP

    Contributors

    Contributors from 2016 version of this project:

    • Morey Haber, Vice President of Technology, BeyondTrust
    • Richard Barretto, Manager, Information Privacy and Security, Cimpress
    • Joel Shapiro, Vice President Sales, Digital Boundary Group

    Contributors from current version of this project:

    • 2 anonymous contributors from the manufacturing sector
    • 1 anonymous contributor from a US government agency
    • 2 anonymous contributors from the financial sector
    • 1 anonymous contributor from the medical technology industry
    • 2 anonymous contributors from higher education
    • 1 anonymous contributor from a Canadian government agency
    • 7 anonymous others; information gathered from advisory calls

    Bibliography

    Arya. “COVID-19 Impact: Vulnerability Management Solution Market | Strategic Industry Evolutionary Analysis Focus on Leading Key Players and Revenue Growth Analysis by Forecast To 2028 – FireMon, Digital Shadows, AlienVault.” Bulletin Line, 6 Aug. 2020. Accessed 6 Aug. 2020.

    Campagna, Rich. “The Lean, Mean Vulnerability Management Machine.” Security Boulevard, 31 Mar. 2020. Accessed 15 Aug. 2020.

    Constantin, Lucian. “What are vulnerability scanners and how do they work?” CSO Online, 10 Apr. 2020. Accessed 1 Sept. 2020.

    “CVE security vulnerabilities published in 2019.” CVE Details. Accessed 22 Sept. 2020.

    Garden, Paul, et al. “2019 Year End Report – Vulnerability QuickView.” Risk Based Security, 2020. Accessed 22 Sept. 2020.

    Keary, Eoin. “2019 Vulnerability Statistics Report.” Edgescan, Feb. 2019. Accessed 22 Sept. 2020.

    Lefkowitz, Josh. ““Risk-Based Vulnerability Management is a Must for Security & Compliance.” SecurityWeek, 1 July 2019. Accessed 1 Nov. 2020.

    Mell, Peter, Tiffany Bergeron, and David Henning. “Creating a Patch and Vulnerability Management Program.” Creating a Patch and Vulnerability Management Program. NIST, Nov. 2005. Web.

    “National Vulnerability Database.” NIST. Accessed 18 Oct. 2020.

    “OpenVAS – Open Vulnerability Assessment Scanner.” OpenVAS. Accessed 14 Sept. 2020.

    “OVAL.” OVAL. Accessed 21 Oct. 2020.

    Paganini, Pierluigi. “Exploiting and Verifying Shellshock: CVE-2014-6271.” INFOSEC, 27 Sept. 2014. Web.

    Pritha. “Top 10 Metrics for your Vulnerability Management Program.” CISO Platform, 28 Nov. 2019. Accessed 25 Oct. 2020.

    “Risk-Based Vulnerability Management: Understanding Vulnerability Risk With Threat Context And Business Impact.” Tenable. Accessed 21 Oct. 2020.

    Stone, Mark. “Shellshock In-Depth: Why This Old Vulnerability Won’t Go Away.” SecurityIntelligence, 6 Aug. 2020. Web.

    “The Role of Threat Intelligence in Vulnerability Management.” NOPSEC, 18 Sept. 2014. Accessed 18 Aug. 2020.

    “Top 15 Paid and Free Vulnerability Scanner Tools in 2020.” DNSstuff, 6 Jan. 2020. Accessed 15 Sept. 2020.

    Truta, Filip. “60% of Breaches in 2019 Involved Unpatched Vulnerabilities.” Security Boulevard, 31 Oct. 2019. Accessed 2 Nov. 2020.

    “Vulnerability Management Program.” Core Security. Accessed 15 Sept. 2020.

    “What is Risk-Based Vulnerability Management?” Balbix. Accessed 15 Sept. 2020.

    White, Monica. “The Cost Savings of Effective Vulnerability Management (Part 1).” Kenna Security, 23 April 2020. Accessed 20 Sept. 2020.

    Wilczek, Marc. “Average Cost of a Data Breach in 2020: $3.86M.” Dark Reading, 24 Aug. 2020. Accessed 5 Nov 2020.

    M&A Runbook for Infrastructure and Operations

    • Buy Link or Shortcode: {j2store}60|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Strategy and Organizational Design
    • Parent Category Link: /strategy-and-organizational-design
    • I&O is often the last to be informed of an impending M&A deal.
    • The business doesn’t understand the necessary requirements or timeline for integration.
    • It’s hard to prioritize when you’re buried under a mountain of work.
    • Documentation may be lacking or nonexistent, and members of the target organization may be uncooperative.

    Our Advice

    Critical Insight

    • Manage expectations. The business often expects integration in days or weeks, not months or years. You need to set them straight.
    • Open your checkbook and prepare to hire. Integration will require a temporary increase in resources.
    • Tackle organizational and cultural change. People are harder to integrate than technology. Culture change is the hardest part, and the integration plan should address it.

    Impact and Result

    • Tailor your approach based on the business objectives of the merger or acquisition.
    • Separate the must-haves from the nice-to-haves.
    • Ensure adequate personnel and budget.
    • Plan for the integration into normal operations.

    M&A Runbook for Infrastructure and Operations Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out how to partner with the business to conquer the challenges in your next merger or acquisition.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish goals

    Partner with the business to determine goals and establish high-level scope.

    • M&A Runbook for Infrastructure and Operations – Phase 1: Establish Goals
    • I&O M&A Project Napkin

    2. Conduct discovery

    Find out what the target organization’s I&O looks like.

    • M&A Runbook for Infrastructure and Operations – Phase 2: Conduct Discovery
    • I&O M&A Discovery Letter Template
    • I&O M&A Discovery Template
    • I&O M&A Workbook
    • I&O M&A Risk Assessment Tool

    3. Plan short-term integration

    Build a plan to achieve a day 1 MVP.

    • M&A Runbook for Infrastructure and Operations – Phase 3: Plan Short-Term Integration
    • I&O M&A Short-Term Integration Capacity Assessment Tool

    4. Map long-term integration

    Chart a roadmap for long-term integration.

    • M&A Runbook for Infrastructure and Operations – Phase 4: Map Long-Term Integration
    • I&O M&A Long-Term Integration Portfolio Planning Tool
    [infographic]

    Workshop: M&A Runbook for Infrastructure and Operations

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 High-Level Scope

    The Purpose

    Establish goals and conduct discovery.

    Key Benefits Achieved

    Alignment with business goals

    Documentation of target organization’s current state

    Activities

    0.1 Consult with stakeholders.

    0.2 Establish M&A business goals.

    0.3 Conduct target discovery.

    0.4 Document own environment.

    0.5 Clarify goals.

    Outputs

    Stakeholder communication plan

    M&A business goals

    I&O M&A Discovery Template

    Current state of organization

    2 Target Assessment

    The Purpose

    Assess risk and value of target organization.

    Key Benefits Achieved

    Accurate scope of I&O integration

    Risk mitigation plans

    Value realization strategies

    Activities

    1.1 Scope I&O M&A project.

    1.2 Assess risks.

    1.3 Assess value.

    Outputs

    I&O M&A Project Napkin

    Risk assessment

    Value assessment

    3 Day 1 Integration Project Plan

    The Purpose

    Establish day 1 integration project plan.

    Key Benefits Achieved

    Smoother day 1 integration

    Activities

    2.1 Determine Day 1 minimum viable operating model post M&A.

    2.2 Identify gaps.

    2.3 Build day 1 project plan.

    2.4 Estimate required resources.

    Outputs

    Day 1 project plan

    4 Long-Term Project Plan

    The Purpose

    Draw long-term integration roadmap.

    Key Benefits Achieved

    Improved alignment with M&A goals

    Greater realization of the deal’s value

    Activities

    3.1 Set long-term future state goals.

    3.2 Create a long-term project plan.

    3.3 Consult with business stakeholders on the long-term plan.

    Outputs

    Long-term integration project plan

    5 Change Management and Continual Improvement

    The Purpose

    Prepare for organization and culture change.

    Refine M&A I&O integration process.

    Key Benefits Achieved

    Smoother change management

    Improved M&A integration process

    Activities

    4.1 Complete a change management plan.

    4.2 Conduct a process post-mortem.

    Outputs

    Change management plan

    Process improvements action items

    Implement Infrastructure Shared Services

    • Buy Link or Shortcode: {j2store}456|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Operations Management
    • Parent Category Link: /i-and-o-process-management
    • Organizations have service duplications for unique needs. These duplications increase business expenditure.
    • Lack of collaboration between business units to share their services increases business cost and reduces business units’ faith to implement shared services.
    • Transitioning infrastructure to shared services is challenging for many organizations. It requires an accurate planning and efficient communication between participating business units.

    Our Advice

    Critical Insight

    • Identify your current process, tool, and people capabilities before implementing shared services. Understand the financial compensations prior to implementation and assess if your organization is ready for transitioning to shared services model.
    • Do not implement shared services when the nature of the services differs greatly between business units.

    Impact and Result

    • Understand benefits of shared services for the business and determine whether transitioning to shared services would benefit the organization.
    • Identify the best implementation plan based on goals, needs, and services.
    • Build a shared-services process to manage the plan and ensure its success.

    Implement Infrastructure Shared Services Research & Tools

    Start here – Read the Executive Brief

    Read our concise Executive Brief to find out why you should implement shared services, review Info-Tech’s methodology, and understand the ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Conduct gap analysis

    Identify benefits of shared services to your organization and define implementation challenges.

    • Implement Infrastructure Shared Services – Phase 1: Conduct Gap Analysis
    • Shared Services Implementation Executive Presentation
    • Shared Services Implementation Business Case Template
    • Shared Services Implementation Assessment Tool

    2. Choose the right path

    Identify your process and staff capabilities and discover which services will be transitioned to shared services plan. It will also help you to figure out the best model to choose.

    • Implement Infrastructure Shared Services – Phase 2: Choose the Right Path
    • Sample Enterprise Services

    3. Plan the transition

    Discuss an actionable plan to implement shared services to track the project. Walk through a communication plan to document the goals, progress, and expectations with customer stakeholders.

    • Implement Infrastructure Shared Services – Phase 3: Plan the Transition
    • Shared Services Implementation Roadmap Tool
    • Shared Services Implementation Customer Communication Plan
    [infographic]

    Workshop: Implement Infrastructure Shared Services

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Identify Challenges

    The Purpose

    Establish the need for change.

    Key Benefits Achieved

    Set a clear understanding about benefits of shared services to your organization.

    Activities

    1.1 Identify your organization’s main drivers for using a shared services model.

    1.2 Define if it is beneficial to implement shared services.

    Outputs

    Shared services mission

    Shared services goals

    2 Assess Your Capabilities

    The Purpose

    Become aware of challenges to implement shared services and your capabilities for such transition.

    Key Benefits Achieved

    Discover the primary challenges for transitioning to shared services, eliminate resistance factors, and identify your business potentials for implementation.

    Activities

    2.1 Identify your organization’s resistance to implement shared services.

    2.2 Assess process and people capabilities.

    Outputs

    Shared Services Business Case

    Shared Services Assessment

    3 Define the Model

    The Purpose

    Determine the shared services model.

    Key Benefits Achieved

    Identify the core services to be shared and the best model that fits your organization.

    Activities

    3.1 Define core services that will be moved to shared services.

    3.2 Assess different models of shared services and pick the one that satisfies your goals and needs.

    Outputs

    List of services to be transferred to shared services

    Shared services model

    4 Implement and Communicate

    The Purpose

    Define and communicate the tasks to be delivered.

    Key Benefits Achieved

    Confidently approach key stakeholders to make the project a reality.

    Activities

    4.1 Define the roadmap for implementing shared services.

    4.2 Make a plan to communicate changes.

    Outputs

    List of initiatives to reach the target state, strategy risks, and their timelines

    Draft of a communication plan

    Lead Strategic Decision Making With Service Portfolio Management

    • Buy Link or Shortcode: {j2store}397|cart{/j2store}
    • member rating overall impact (scale of 10): 9.0/10 Overall Impact
    • member rating average dollars saved: After each Info-Tech experience, we ask our members to quantify the real-time savings, monetary impact, and project improvements our research helped them achieve.
    • member rating average days saved: Read what our members are saying
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • There are no standardized processes for the intake of new ideas and no consistent view of the drivers needed to assess the value of these ideas.
    • IT is spending money on low-value services and doesn’t have the ability to understand and track value in order to prioritize IT investment.
    • CIOs are not trusted to drive innovation.

    Our Advice

    Critical Insight

    • The service portfolio empowers IT to be a catalyst in business strategy, change, and growth.
    • IT must drive value-based investment by understanding value of all services in the portfolio.
    • Organizations must assess the value of their services throughout their lifecycle to optimize business outcomes and IT spend.

    Impact and Result

    • Optimize IT investments by prioritizing services that provide more value to the business, ensuring that you do not waste money on low-value or out-of-date IT services.
    • Ensure that services are directly linked to business objectives, goals, and needs, keeping IT embedded in the strategic vision of the organization.
    • Enable the business to understand the impact of IT capabilities on business strategy.
    • Ensure that IT maintains a strategic and tactical view of the services and their value.
    • Drive agility and innovation by having a streamlined view of your business value context and a consistent intake of ideas.
    • Provide strategic leadership and create new revenue by understanding the relative value of new ideas vs. existing services.

    Lead Strategic Decision Making With Service Portfolio Management Research & Tools

    Start here – read the Executive Brief

    Service portfolio management enables organizations to become strategic value creators by establishing a dynamic view of service value. Understand the driving forces behind the need to manage services through their lifecycles.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Establish the service portfolio

    Establish and understand the service portfolio process by setting up the Service Portfolio Worksheet.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 1: Establish the Service Portfolio
    • Service Portfolio Worksheet

    2. Develop a value assessment framework

    Use the value assessment tool to assess services based on the organization’s context of value.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 2: Develop a Value Assessment Framework
    • Value Assessment Tool
    • Value Assessment Example Tool

    3. Manage intake and assessment of initiatives

    Create a centralized intake process to manage all new service ideas.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 3: Manage Intake and Assessment of Initiatives
    • Service Intake Form

    4. Assess active services

    Continuously validate the value of the existing service and determine the future of service based on the value and usage of the service.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 4: Assess Active Services

    5. Manage and communicate the service portfolio

    Communicate and implement the service portfolio within the organization, and create a mechanism to seek out continuous improvement opportunities.

    • Lead Strategic Decision Making With Service Portfolio Management – Phase 5: Manage and Communicate the Service Portfolio
    [infographic]

    Workshop: Lead Strategic Decision Making With Service Portfolio Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Establish the Service Portfolio

    The Purpose

    Establish and understand the service portfolio process by setting up the Service Portfolio Worksheet.

    Understand at a high level the steps involved in managing the service portfolio.

    Key Benefits Achieved

    Adapt the Service Portfolio Worksheet to organizational needs and create a plan to begin documenting services in the worksheet.

    Activities

    1.1 Review the Service Portfolio Worksheet.

    1.2 Adapt the Service Portfolio Worksheet.

    Outputs

    Knowledge about the use of the Service Portfolio Worksheet.

    Adapt the worksheet to reflect organizational needs and structure.

    2 Develop a Value Assessment Framework

    The Purpose

    Understand the need for a value assessment framework.

    Key Benefits Achieved

    Identify the organizational context of value through a holistic look at business objectives.

    Leverage Info-Tech’s Value Assessment Tool to validate and determine service value.

    Activities

    2.1 Understand value from business context.

    2.2 Determine the governing body.

    2.3 Assess culture and organizational structure.

    2.4 Complete the value assessment.

    2.5 Discuss value assessment score.

    Outputs

    Alignment on value context.

    Clear roles and responsibilities established.

    Ensure there is a supportive organizational structure and culture in place.

    Understand how to complete the value assessment and obtain a value score for selected services.

    Understand how to interpret the service value score.

    3 Manage Intake and Assessment of Initiatives

    The Purpose

    Create a centralized intake process to manage all new service ideas.

    Key Benefits Achieved

    Encourage collaboration and innovation through a transparent, formal, and centralized service intake process.

    Activities

    3.1 Review or design the service intake process.

    3.2 Review the Service Intake Form.

    3.3 Design a process to assess and transfer service ideas.

    3.4 Design a process to transfer completed services to the service catalog.

    Outputs

    Create a centralized process for service intake.

    Complete the Service Intake Form for a specific initiative.

    Have a process designed to transfer approved projects to the PMO.

    Have a process designed for transferring of completed services to the service catalog.

    4 Assess Active Services

    The Purpose

    Continuously validate the value of existing services.

    Key Benefits Achieved

    Ensure services are still providing the expected outcome.

    Clear next steps for services based on value.

    Activities

    4.1 Discuss/review management of active services.

    4.2 Complete value assessment for an active service.

    4.3 Determine service value and usage.

    4.4 Determine the next step for the service.

    4.5 Document the decision regarding the service outcome.

    Outputs

    Understand how active services must be assessed throughout their lifecycles.

    Understand how to assess an existing service.

    Place the service on the 2x2 matrix based on value and usage.

    Understand the appropriate next steps for services based on value.

    Formally document the steps for each of the IRMR options.

    5 Manage and Communicate Your Service Portfolio

    The Purpose

    Communicate and implement the service portfolio within the organization.

    Key Benefits Achieved

    Obtain buy-ins for the process.

    Create a mechanism to identify changes within the organization and to seek out continuous improvement opportunities for the service portfolio management process and procedures.

    Activities

    5.1 Create a communication plan for service portfolio and value assessment.

    5.2 Create a communication plan for service intake.

    5.3 Create a procedure to continuously validate the process.

    Outputs

    Document the target audience, the message, and how the message should be communicated.

    Document techniques to encourage participation and promote participation from the organization.

    Document the formal review process, including cycle, roles, and responsibilities.

    Adopt Generative AI in Solution Delivery

    • Buy Link or Shortcode: {j2store}146|cart{/j2store}
    • member rating overall impact (scale of 10): N/A
    • member rating average dollars saved: N/A
    • member rating average days saved: N/A
    • Parent Category Name: Development
    • Parent Category Link: /development
    • Delivery teams are under continuous pressure to deliver high value and quality solutions with limited capacity in complex business and technical environments. Common challenges experienced by these teams include:
      • Attracting and retaining talent
      • Maximizing the return on technology
      • Confidently shifting to digital
      • Addressing competing priorities
      • Fostering a collaborative culture
      • Creating high-throughput teams
    • Gen AI offers a unique opportunity to address many of these challenges.

    Our Advice

    Critical Insight

    • Your stakeholders' understanding of Gen AI, its value, and its application can be driven by hype and misinterpretation. This confusion can lead to unrealistic expectations and set the wrong precedent for the role Gen AI is intended to play.
    • Your SDLC is not well documented and is often executed inconsistently. An immature practice will not yield the benefits stakeholders expect.
    • The Gen AI marketplace is broad and diverse. Selecting the appropriate tools and partners is confusing and overwhelming.
    • There is a skills gap for what is needed to configure, adopt, and operate Gen AI.

    Impact and Result

    • Ground your Gen AI expectations. Set realistic and achievable goals centered on driving business value and efficiency across the entire SDLC by enabling Gen AI in key tasks and activities. Propose the SDLC as the ideal pilot for Gen AI.
    • Select the right Gen AI opportunities. Discuss how proven Gen AI capabilities can be applied to your solution delivery practice to achieve the outcomes and priorities stakeholders expect. Lessons learned sow the foundation for future Gen AI scaling.
    • Assess your Gen AI readiness in your solution delivery teams. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of Gen AI.

    Adopt Generative AI in Solution Delivery Research & Tools

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Adopt Generative AI in Solution Delivery Storyboard – A step-by-step guide that helps you assess whether Gen AI is right for your solution delivery practices.

    Gain an understanding of the potential opportunities that Gen AI can provide your solution delivery practices and answer the question "What should I do next?"

    • Adopt Generative AI in Solution Delivery Storyboard

    2. Gen AI Solution Delivery Readiness Assessment Tool – A tool to help you understand if your solution delivery practice is ready for Gen AI.

    Assess the readiness of your solution delivery team for Gen AI. This tool will ask several questions relating to your people, process, and technology, and recommend whether or not the team is ready to adopt Gen AI practices.

    • Gen AI Solution Delivery Readiness Assessment Tool
    [infographic]

    Further reading

    Adopt Generative AI in Solution Delivery

    Drive solution quality and team productivity with the right generative AI capabilities.

    Analyst Perspective

    Build the case for Gen AI with the right opportunities.

    Generative AI (Gen AI) presents unique opportunities to address many solution delivery challenges. Code generation can increase productivity, synthetic data generation can produce usable test data, and scanning tools can identify issues before they occur. To be successful, teams must be prepared to embrace the changes that Gen AI brings. Stakeholders must also give teams the opportunity to optimize their own processes and gauge the fit of Gen AI.

    Start small with the intent to learn. The right pilot initiative helps you learn the new technology and how it benefits your team without the headache of complex setups and lengthy training and onboarding. Look at your existing solution delivery tools to see what Gen AI capabilities are available and prioritize the use cases where Gen AI can be used out of the box.

    This is a picture of Andrew Kum-Seun

    Andrew Kum-Seun
    Research Director,
    Application Delivery and Management
    Info-Tech Research Group

    Executive Summary

    Your Challenge

    Delivery teams are under continuous pressure to deliver high-value, high-quality solutions with limited capacity in complex business and technical environments. Common challenges experienced by these teams include:

    • Attracting and retaining talent
    • Maximizing the return on technology
    • Confidently shifting to digital
    • Addressing competing priorities
    • Fostering a collaborative culture
    • Creating high-throughput teams

    Generative AI (Gen AI) offers a unique opportunity to address many of these challenges.

    Common Obstacles

    • Your stakeholders' understanding of what is Gen AI, its value and its application, can be driven by hype and misinterpretation. This confusion can lead to unrealistic expectations and set the wrong precedent for the role Gen AI is intended to play.
    • Your solution delivery process is not well documented and is often executed inconsistently. An immature practice will not yield the benefits stakeholders expect.
    • The Gen AI marketplace is very broad and diverse. Selecting the appropriate tools and partners is confusing and overwhelming.
    • There is a skills gap for what is needed to configure, adopt, and operate Gen AI.

    Info-Tech's Approach

    • Ground your Gen AI expectations. Set realistic and achievable goals centered on driving business value and efficiency across the entire solution delivery process by enabling Gen AI in key tasks and activities. Propose this process as the ideal pilot for Gen AI.
    • Select the right Gen AI opportunities. Discuss how proven Gen AI capabilities can be applied to your solution delivery practice and achieve the outcomes and priorities stakeholders expect. Lessons learned sow the foundation for future Gen AI scaling.
    • Assess your Gen AI readiness in your solution delivery teams. Clarify the roles, processes, and tools needed for the implementation, use, and maintenance of Gen AI.

    Info-Tech Insight

    Position Gen AI as a tooling opportunity to enhance the productivity and depth of your solution delivery practice. Current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery. Assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Insight Summary

    Overarching Info-Tech Insight

    Position Gen AI is a tooling opportunity to enhance the productivity and depth of your solution delivery practice. However, current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery. Assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Understand and optimize first, automate with Gen AI later.
    Gen AI magnifies solution delivery inefficiencies and constraints. Adopt a user-centric perspective to understand your solution delivery teams' interactions with solution delivery tools and technologies to better replicate how they complete their tasks and overcome challenges.

    Enable before buy. Buy before build.
    Your solution delivery vendors see AI as a strategic priority in their product and service offering. Look into your existing toolset and see if you already have the capabilities. Otherwise, prioritize using off-the-shelf solutions with pre-trained Gen AI capabilities and templates.

    Innovate but don't experiment.
    Do not reinvent the wheel and lower your risk of success. Stick to the proven use cases to understand the value and fit of Gen AI tools and how your teams can transform the way they work. Use your lessons learned to discover scaling opportunities.

    Blueprint benefits

    IT benefits

    Business benefits

    • Select the Gen AI tools and capabilities that meet both the solution delivery practice and team goals, such as:
    • Improved team productivity and throughput.
    • Increased solution quality and value.
    • Greater team satisfaction.
    • Motivate stakeholder buy-in for the investment in solution delivery practice improvements.
    • Validate the fit and opportunities with Gen AI for future adoption in other IT departments.
    • Increase IT satisfaction by improving the throughput and speed of solution delivery.
    • Reduce the delivery and operational costs of enterprise products and services.
    • Use a pilot to demonstrate the fit and value of Gen AI capabilities and supporting practices across business and IT units.

    What is Gen AI?

    An image showing where Gen AI sits within the artificial intelligence.  It consists of four concentric circles.  They are labeled from outer-to-inner circle in the following order: Artificial Intelligence; Machine Learning; Deep Learning; Gen AI

    Generative AI (Gen AI)
    A form of ML whereby, in response to prompts, a Gen AI platform can generate new output based on the data it has been trained on. Depending on its foundational model, a Gen AI platform will provide different modalities and use case applications.

    Machine Learning (ML)
    The AI system is instructed to search for patterns in a data set and then make predictions based on that set. In this way, the system learns to provide accurate content over time. This requires a supervised intervention if the data is inaccurate. Deep learning is self-supervised and does not require intervention.

    Artificial Intelligence (AI)
    A field of computer science that focuses on building systems to imitate human behavior. Not all AI systems have learning behavior; many systems (such as customer service chatbots) operate on preset rules.

    Info-Tech Insight

    Many vendors have jumped on Gen AI as the latest marketing buzzword. When vendors claim to offer Gen AI functionality, pin down what exactly is generative about it. The solution must be able to induce new outputs from inputted data via self-supervision – not trained to produce certain outputs based on certain inputs.

    Augment your solution delivery teams with Gen AI

    Position Gen AI as a tooling opportunity to enhance the productivity and depth of your solution delivery practice. Current Gen AI tools are unable to address the various technical and human complexities that commonly occur in solution delivery; assess the fit of Gen AI by augmenting low-risk, out-of-the-box tools in key areas of your solution delivery process and teams.

    Solution Delivery Team

    Humans

    Gen AI Bots

    Product owner and decision maker
    Is accountable for the promised delivery of value to the organization.

    Business analyst and architect
    Articulates the requirements and aligns the team to the business and technical needs.

    Integrator and builder
    Implements the required solution.

    Collaborator
    Consults and supports the delivery.

    Administrator
    Performs common administrative tasks to ensure smooth running of the delivery toolchain and end-solutions.

    Designer and content creator
    Provides design and content support for common scenarios and approaches.

    Paired developer and tester
    Acts as a foil for existing developer or tester to ensure high quality output.

    System monitor and support
    Monitors and recommends remediation steps for operational issues that occur.

    Research deliverable

    This research is accompanied by a supporting deliverable to help you accomplish your goals.

    Gen AI Solution Delivery Readiness Assessment Tool

    Assess the readiness of your solution delivery team for Gen AI. This tool will ask several questions relating to your people, process, and technology, and recommend whether the team is ready to adopt Gen AI practices.

    This is a series of three screenshots from the Gen AI Solution Delivery Readiness Assessment Tool

    Step 1.1

    Set the context

    Activities

    1.1.1 Understand the challenges of your solution delivery teams.

    1.1.2 Outline the value you expect to gain from Gen AI.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • SWOT Analysis to help articulate the challenges facing your teams.
    • A Gen AI Canvas that will articulate the value you expect to gain.

    IT struggles to deliver solutions effectively

    • Lack of skills and resources
      Forty-six percent of respondents stated that it was very or somewhat difficult to attract, hire, and retain developers (GitLab, 2023; N=5,010).
    • Delayed software delivery
      Code development (37%), monitoring/observability (30%), deploying to non-production environments (30%), and testing (28%) were the top areas where software delivery teams or organizations encountered the most delays (GitLab, 2023, N=5,010).
    • Low solution quality and satisfaction
      Only 64% of applications were identified as effective by end users. Effective applications are identified as at least highly important and have high feature and usability satisfaction (Application Portfolio Assessment, August 2021 to July 2022; N=315).
    • Burnt out teams
      While workplace flexibility comes with many benefits, longer work hours jeopardize wellbeing. Sixty-two percent of organizations reported increased working hours, while 80% reported an increase in flexibility ("2022 HR Trends Report," McLean & Company, 2022; N=394) .

    Creating high-throughput teams is an organizational priority.

    CXOs ranked "optimize IT service delivery" as the second highest priority. "Achieve IT business" was ranked first.

    (CEO-CIO Alignment Diagnostics, August 2021 to July 2022; n=568)

    1.1.1 Understand the challenges of your solution delivery teams

    1-3 hours

    1. Complete a SWOT analysis of your solution delivery team to discover areas where Gen AI can be applied.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Strengths

    Internal characteristics that are favorable as they relate to solution delivery

    Weaknesses

    Internal characteristics that are unfavorable or need improvement

    Opportunities

    External characteristics that you may use to your advantage

    Threats

    External characteristics that may be potential sources of failure or risk

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Output

    • SWOT analysis of current state of solution delivery practice

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Gen AI can help solve your solution delivery challenges

    Why is software delivery an ideal pilot candidate for Gen AI?

    • Many software delivery practices are repeatable and standardized.
    • Software delivery roles that are using and implementing Gen AI are technically savvy.
    • Automation is a staple in many commonly used tools.
    • Change will likely not impact business operations.

    Improved productivity

    Gen AI jumpstarts the most laborious and mundane parts of software delivery. Delivery teams saved 22 hours (avg) per software use case when using AI in 2022, compared to last year when AI was not used ("Generative AI Speeds Up Software Development," PRNewswire, 2023).

    Fungible resources

    Teams are transferrable across different frameworks, platforms, and products. Gen AI provides the structure and guidance needed to work across a wider range of projects ("Game changer: The startling power generative AI is bringing to software development," KPMG, 2023).

    Improved solution quality

    Solution delivery artifacts (e.g. code) are automatically scanned to quickly identify bugs and defects based on recent activities and trends and validate against current system performance and capacity.

    Business empowerment

    AI enhances the application functionalities workers can build with low- and no-code platforms. In fact, "AI high performers are 1.6 times more likely than other organizations to engage non-technical employees in creating AI applications" ("The state of AI in 2022 — and a half decade in review." McKinsey, 2022, N=1,492).

    However, various fears, uncertainties, and doubts challenge Gen AI adoption

    Black Box

    Little transparency is provided on the tool's rationale behind content creation, decision making, and the use and storage of training data, creating risks for legal, security, intellectual property, and other areas.

    Role Replacement

    Some workers have job security concerns despite Gen AI being bound to their rule-based logic framework, the quality of their training data, and patterns of consistent behavior.

    Skills Gaps

    Teams need to gain expertise in AI/ML techniques, training data preparation, and continuous tooling improvements to support effective Gen AI adoption across the delivery practice and ensure reliable operations.

    Data Inaccuracy

    Significant good quality data is needed to build trust in the applicability and reliability of Gen AI recommendations and outputs. Teams must be able to combine Gen AI insights with human judgment to generate the right outcome.

    Slow Delivery of AI Solution

    Timelines are sensitive to organizational maturity, experience with Gen AI, and investments in good data management practices. 65% of organizations said it took more than three months to deploy an enterprise-ready AIOps solution (OpsRamp, 2022).

    Define the value you want Gen AI to deliver

    Well-optimized Gen AI instills stakeholder confidence in ongoing business value delivery and ensures stakeholder buy-in, provided proper expectations are set and met. However, business value is not interpreted or prioritized the same across the organization. Come to a common business value definition to drive change in the right direction by balancing the needs of the individual, team, and organization.

    Business value cannot always be represented by revenue or reduced expenses. Dissecting value by the benefit type and the value source's orientation allows you to see the many ways in which Gen AI brings value to the organization.

    Financial benefits vs. intrinsic needs

    • Financial benefits refers to the degree to which the value source can be measured through monetary metrics, such as revenue generation and cost saving.
    • Intrinsic needs refers to how a product, service, or business capability enhanced with Gen AI meets functional, user experience, and existential needs.

    Inward vs. outward orientation

    • Inward refers to value sources that are internally impacted by Gen AI and improve your employees' and teams' effectiveness in performing their responsibilities.
    • Outward refers to value sources that come from your interaction with external stakeholders and customers and were improved from using Gen AI.

    See our Build a Value Measurement Framework blueprint for more information about business value definition.

    An image of the Business Value Matrix for Gen AI

    Measure success with the right metrics

    Establishing and monitoring metrics are powerful ways to drive behavior and strategic changes in your organization. Determine the right measures that demonstrate the value of your Gen AI implementation by aligning them with your Gen AI objectives, business value drivers, and non-functional requirements.

    Select metrics with different views

    1. Solution delivery practice effectiveness
      The ability of your practice to deliver, support, and operate solutions with Gen AI
      Examples: Solution quality and throughput, delivery and operational costs, number of defects and issues, and system quality
    2. Solution quality and value
      The outcome of your solutions delivered with Gen AI tools
      Examples: Time and money saved, utilization of products and services, speed of process execution, number of errors, and compliance with standards
    3. Gen AI journey goals and milestones
      Your organization's position in your Gen AI journey
      Examples: Maturity score, scope of Gen AI adoption, comfort and
      confidence with Gen AI capabilities, and complexity of Gen AI use cases

    Leverage Info-Tech's Diagnostics

    IT Management & Governance

    • Improvement to application development quality and throughput effectiveness
    • Increased importance of application delivery and maintenance capabilities across the IT organization
    • Delegation of delivery accountability across more IT roles

    CIO Business Vision

    • Improvements to IT satisfaction and value from delivered solutions
    • Changes to the value and importance of IT core services enabled with Gen AI
    • The state of business and IT relationships
    • Capability to deliver and support Gen AI effectively

    1.1.2 Outline the value you expect to gain from Gen AI

    1-3 hours

    1. Complete the following fields to build your Gen AI canvas:
      1. Problem that Gen AI is intending to solve
      2. List of stakeholders
      3. Desired business and IT outcomes
      4. In-scope solution delivery teams, systems, and capabilities.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Output

    • Gen AI Canvas

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    1.1.2 Example

    Example of an outline of the value you expect to gain from Gen AI

    Problem statements

    • Manual testing procedures hinder pace and quality of delivery.
    • Inaccurate requirement documentation leads to constant redesigning.

    Business and IT outcomes

    • Improve code quality and performance.
    • Expedite solution delivery cycle.
    • Improve collaboration between teams and reduce friction.

    List of stakeholders

    • Testing team
    • Application director
    • CIO
    • Design team
    • Project manager
    • Business analysts

    In-scope solution delivery teams, system, and capabilities

    • Web
    • Development
    • App development
    • Testing
    • Quality assurance
    • Business analysts
    • UI/UX design

    Align your objectives to the broader AI strategy

    Why is an organizational AI strategy important for Gen AI?

    • All Gen AI tactics and capabilities are designed, delivered, and managed to support a consistent interpretation of the broader AI vision and goals.
    • An organizational strategy gives clear understanding of the sprawl, criticality, and risks of Gen AI solutions and applications to other IT capabilities dependent on AI.
    • Gen AI initiatives are planned, prioritized, and coordinated alongside other software delivery practice optimizations and technology modernization initiatives.
    • Resources, skills, and capacities are strategically allocated to meet the needs of Gen AI considering other commitments in the software delivery optimization backlog and roadmap.
    • Gen AI expectations and practices uphold the persona, values, and principles of the software delivery team.

    What is an AI strategy?

    An AI strategy details the direction, activities, and tactics to deliver on the promise of your AI portfolio. It often includes:

    • AI vision and goals
    • Application, automation, and process portfolio involved or impacted by AI
    • Values and principles
    • Health of your AI portfolio
    • Risks and constraints
    • Strategic roadmap

    Step 1.2

    Evaluate opportunities for Gen AI

    Activities

    1.2.1 Align Gen AI opportunities with teams and capabilities.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • Understand the Gen AI opportunities for your solution delivery practice.

    Learn how Gen AI is employed in solution delivery

    Gen AI opportunity Common Gen AI tools and vendors Teams than can benefit How can teams leverage this? Case study
    Synthetic data generation
    • Testing
    • Data Analysts
    • Privacy and Security
    • Create test datasets
    • Replace sensitive personal data

    How Unity Leverages Synthetic Data

    Code generation
    • Development
    • Testing
    • Code Templates & Boilerplate
    • Code Refactoring

    How CI&T accelerated development by 11%

    Defect forecasting and debugging
    • Project Manager & Quality Assurance
    • Development
    • Testing
    • Identify root cause
    • Static and dynamic code analysis
    • Debugging assistance

    Altran Uses Microsoft Code Defect AI Solution

    Requirements documentation and elicitation
    • Business Analysts
    • Development
    • Document functional requirements
    • Writing test cases

    Google collaborates with Replit to reduce time to bring new products to market by 30%

    UI design and prototyping
    • UI/UX Design
    • Development
    • Deployment
    • Rapid prototyping
    • Design assistance

    How Spotify is Upleveling Their Entire Design Team

    Other common AI opportunities solutions include test case generation, code translation, use case creation, document generation, and automated testing.

    Opportunity 1: Synthetic data generation

    Create artificial data that mimics the structure of real-life data.

    What are the expected benefits?

    • Availability of test data: Creation of large volumes of data compatible for testing multiple systems within the organization.
    • Improved privacy: Substituting real data with artificial leads to reduced data leaks.
    • Quicker data provisioning: Automated generation of workable datasets aligned to company policies.

    What are the notable risks and challenges?

    • Generalization and misrepresentations: Data models used in synthetic data generation may not be an accurate representation of production data because of potentially conflicting definitions, omission of dependencies, and multiple sources of truth.
    • Lack of accurate representation: It is difficult for synthetic data to fully capture real-world data nuances.
    • Legal complexities: Data to build and train the Gen AI tool does not comply with data residency and management standards and regulations.

    How should teams prepare for synthetic data generation?

    It can be used:

    • To train machine learning models when there is not enough real data, or the existing data does not meet specific needs.
    • To improve quality of test by using data that closely resembles production without the risk of leveraging sensitive and private information.

    "We can simply say that the total addressable market of synthetic data and the total addressable market of data will converge,"
    Ofir Zuk, CEO, Datagen (Forbes, 2022)

    Opportunity 2: Code generation

    Learn patterns and automatically generate code.

    What are the expected benefits?

    • Increased productivity: It allows developers to generate more code quickly.
    • Improved code consistency: Code is generated using a standardized model and lessons learnt from successful projects.
    • Rapid prototyping: Expedite development of a working prototype to be verified and validated.

    What are the notable risks and challenges?

    • Limited contextual understanding: AI may lack domain-specific knowledge or understanding of requirements.
    • Dependency: Overreliance on AI generated codes can affect developers' creativity.
    • Quality concerns: Generated code is untested and its alignment to coding and quality standards is unclear.

    How should teams prepare for code generation?

    It can be used to:

    • Build solutions without the technical expertise of traditional development.
    • Discover different solutions to address coding challenges.
    • Kickstart new development projects with prebuilt code.

    According to a survey conducted by Microsoft's GitHub, a staggering 92% of programmers were reported as using AI tools in their workflow (GitHub, 2023).

    Opportunity 3: Defect forecasting & debugging

    Predict and proactively address defects before they occur.

    What are the expected benefits?

    • Reduced maintenance cost: Find defects earlier in the delivery process, when it's cheaper to fix them.
    • Increased efficiency: Testing efforts can remain focused on critical and complex areas of solution.
    • Reduced risk: Find critical defects before the product is deployed to production.

    What are the notable risks and challenges?

    • False positives and negatives: Incorrect interpretation and scope of defect due to inadequate training of the Gen AI model.
    • Inadequate training: Training data does not reflect the complexity of the solutions code.
    • Not incorporating feedback: Gen AI models are not retrained in concert with solution changes.

    How should teams prepare for defect forecasting and debugging?

    It can be used to:

    • Perform static and dynamic code analysis to find vulnerabilities in the solution source code.
    • Forecast potential issues of a solution based on previous projects and industry trends.
    • Find root cause and suggest solutions to address found defects.

    Using AI technologies, developers can reduce the time taken to debug and test code by up to 70%, allowing them to finish projects faster and with greater accuracy (Aloa, 2023).

    Opportunity 4: Requirements documentation & elicitation

    Capturing, documenting, and analyzing function and nonfunctional requirements.

    What are the expected benefits?

    • Improve quality of requirements: Obtain different perspectives and contexts for the problem at hand and help identify ambiguities and misinterpretation of risks and stakeholder expectation.
    • Increased savings: Fewer resources are consumed in requirements elicitation activities.
    • Increased delivery confidence: Provide sufficient information for the solution delivery team to confidently estimate and commit to the delivery of the requirement.

    What are the notable risks and challenges?

    • Conflicting bias: Gen AI models may interpret the problem differently than how the stakeholders perceive it.
    • Organization-specific interpretation: Inability of the Gen AI models to accommodate unique interpretation of terminologies, standards, trends and scenarios.
    • Validation and review: Interpreting extracted insights requires human validation.

    How should teams prepare for requirements documentation & elicitation?

    It can be used to:

    • Document requirements in a clear and concise manner that is usable to the solution delivery team.
    • Analyze and test requirements against various user, business, and technical scenarios.

    91% of top businesses surveyed report having an ongoing investment in AI (NewVantage Partners, 2021).

    Opportunity 5: UI design and prototyping

    Analyze existing patterns and principles to generate design, layouts, and working solutions.

    What are the expected benefits?

    • Increased experimentation: Explore different approaches and tactics to solve a solution delivery problem.
    • Improved collaboration: Provide quick design layouts that can be reshaped based on stakeholder feedback.
    • Ensure design consistency: Enforce a UI/UX design standard for all solutions.

    What are the notable risks and challenges?

    • Misinterpretation of UX Requirements: Gen AI model incorrectly assumes a specific interpretation of user needs, behaviors, and problem.
    • Incorrect or missing requirements: Lead to extensive redesigns and iterations, adding to costs while hampering user experience.
    • Design creativity: May lack originality and specific brand aesthetics if not augmented well with human customizability and creativity.

    How should teams prepare for UI design and prototyping?

    It can be used to:

    • Visualize the solution through different views and perspectives such as process flows and use-case diagrams.
    • Create working prototypes that can be verified and validated by stakeholders and end users.

    A study by McKinsey & Company found that companies that invest in AI-driven design outperform their peers in revenue growth and customer experience metrics. They were found to achieve up to two times higher revenue growth than industry peers and up to 10% higher net promoter score (McKinsey & Company, 2018).

    Determine the importance of your opportunities by answering these questions

    Realizing the complete potential of Gen AI relies on effectively fostering its adoption and resulting changes throughout the entire solution delivery process.

    What are the challenges faced by your delivery teams that could be addressed by Gen AI?

    • Recognize the precise pain points, bottlenecks, or inefficiencies faced by delivery teams.
    • Include all stakeholders' perspectives during problem discovery and root cause analysis.

    What's holding back Gen AI adoption in the organization?

    • Apart from technical barriers, address cultural and organizational challenges and discuss how organizational change management strategies can mitigate Gen AI adoption risk.

    Are your objectives aligned with Gen AI capabilities?

    • Identify areas where processes can be modernized and streamlined with automation.
    • Evaluate the current capabilities and resources available within the organization to leverage Gen AI technologies effectively.

    How can Gen AI improve the entire solution delivery process?

    • Investigate and evaluate the improvements Gen AI can reasonably deliver, such as increased accuracy, quickened delivery cycles, improved code quality, or enhanced cross-functional collaboration.

    1.2.1 Align Gen AI opportunities to teams and capabilities

    1-3 hours

    1. Associate the Gen AI opportunities that can be linked to your system capabilities. These opportunities refer to the potential applications of generative AI techniques, such as code generation or synthetic data, to address specific challenges.
      1. Start by analyzing your system's requirements, constraints, and areas where Gen AI techniques can bring value. Identify the potential benefits of integrating Gen AI, such as increased productivity, or enhanced creativity.
      2. Next, discern potential risks or challenges, such as dependency or quality concerns, associated with the opportunity implementation.
    2. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Output

    • Gen AI opportunity selection

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Keep an eye out for red flags

    Not all Gen AI opportunities are delivered and adopted the same. Some present a bigger risk than others.

    • Establishing vague targets and success criteria
    • Defining Gen AI as substitution of human capital
    • Open-source software not widely adopted or validated
    • High level of dependency on automation
    • Unadaptable cross-functional training across organization
    • Overlooking privacy, security, legal, and ethical implications
    • Lack of Gen AI expertise and understanding of good practices

    Step 1.3

    Assess your readiness for Gen AI

    Activities

    1.3.1 Assess your readiness for Gen AI.

    This step involves the following participants:

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Outcomes of this step

    • A completed Gen AI Readiness Assessment to confirm how prepared you are to embrace Gen AI in your solution delivery team.

    Prepare your SDLC* to leverage Gen AI

    As organizations evolve and adopt more tools and technology, their solution delivery processes become more complex. Process improvement is needed to simplify complex and undocumented software delivery activities and artifacts and prepare it for Gen AI. Gen AI scales process throughput and output quantity, but it multiplies the negative impact of problems the process already has.

    When is your process ready for Gen AI?

    • Solution value Ensures the accuracy and alignment of the committed feature and change requests to what the stakeholder truly expects and receives.
    • ThroughputDelivers new products, enhancements, and changes at a pace and frequency satisfactory to stakeholder expectations and meets delivery commitments.
    • Process governance Has clear ownership and appropriate standardization. The roles, activities, tasks, and technologies are documented and defined. At each stage of the process someone is responsible and accountable.
    • Process management Follows a set of development frameworks, good practices, and standards to ensure the solution and relevant artifacts are built, tested, and delivered consistently and repeatably.
    • Technical quality assurance – Accommodates committed non-functional requirements within the stage's outputs to ensure products meet technical excellence expectations.

    *software development lifecycle

    To learn more, visit Info-Tech's Modernize Your SDLC blueprint.

    To learn more, visit Info-Tech's Build a Winning Business Process Automation Playbook

    Assess the impacts from Gen AI changes

    Ensure that no stone is left unturned as you evaluate the fit of Gen AI and prepare your adoption and support plans.

    By shining a light on considerations that might have otherwise escaped planners and decision makers, an impact analysis is an essential component to Gen AI success. This analysis should answer the following questions on the impact to your solution delivery teams.

    1. Will the change impact how our clients/customers receive, consume, or engage with our products/services?
    2. Will there be an increase in operational costs, and a change to compensation and/or rewards?
    3. Will this change increase the workload and alter staffing levels?
    4. Will the vision or mission of the team change?
    5. Will a new or different set of skills be needed?
    6. Will the change span multiple locations/time zones?
    7. Are multiple products/services impacted by this change?
    8. Will the workflow and approvals be changed, and will there be a substantial change to scheduling and logistics?
    9. Will the tools of the team be substantially different?
    10. Will there be a change in reporting relationships?

    See our Master Organizational Change Management Practices blueprint for more information.

    Brace for impact

    A thorough analysis of change impacts will help your software delivery teams and change leaders:

    • Bypass avoidable problems.
    • Remove non-fixed barriers to success.
    • Acknowledge and minimize the impact of unavoidable barriers.
    • Identify and leverage potential benefits.
    • Measure the success of the change.

    Many key IT capabilities are required to successfully leverage Gen AI

    Portfolio Management

    An accurate and rationalized inventory of all Gen AI tools verifies they support the goals and abide to the usage policies of the broader delivery practice. This becomes critical when tooling is updated frequently and licenses and open- source community principles drastically change (e.g. after an acquisition).

    Quality Assurance

    Gen AI tools are routinely verified and validated to ensure outcomes are accurate, complete, and aligned to solution delivery quality standards. Models are retrained using lessons learned, new use cases, and updated training data.

    Security & Access Management

    Externally developed and trained Gen AI models may not include the measures, controls, and tactics you need to prevent vulnerabilities and protect against threats that are critical in your security frameworks, policies, and standards.

    Data Management & Governance

    All solution delivery data and artifacts can be transformed and consumed in various ways as they transit through solution delivery and Gen AI tools. Data integrations, structures, and definitions must be well-defined, governed, and monitored.

    OPERATIONAL SUPPORT

    Resources are available to support the ongoing operations of the Gen AI tool, including infrastructure, preparing training data, and managing integration with other tools. They are also prepared to recover backups, roll back, and execute recovery plans at a moment's notice.

    Apply Gen AI good practices in your solution delivery practice

    1. Keep the human in the loop.
      Gen AI models cannot produce high-quality content with 100% confidence. Keeping the human in the loop allows people to directly give feedback to the model to improve output quality.
    2. Strengthen prompt and query engineering.
      The value of the outcome is dependent on what is being asked. Good prompts and queries focus on creating the optimal input by selecting and phrasing the appropriate words, sentence structures, and punctuation to illustrate the focus, scope, problem, and boundaries.
    3. Thoughtfully prepare your training data.
      Externally hosted Gen AI tools may store your training data in their systems or use it to train their other models. Intellectual property and sensitive data can leak into third-party systems and AI models if it is not properly masked and sanitized.
    4. Build guardrails into your Gen AI models.
      Guardrails can limit the variability of any misleading Gen AI responses by defining the scope and bounds of the response, enforcing the policies of its use, and clarifying the context of its response.
    5. Monitor your operational costs.
      The cost breakdown will vary among the types of Gen AI solution and the vendor offerings. Cost per query, consultant fees, infrastructure hosting, and licensing costs are just a few cost factors. Open source can be an attractive cost-saving option, but you must be willing to invest in the roles to assume traditional vendor accountabilities.
    6. Check the licenses of your Gen AI tool.
      Each platform has licenses and agreements on how their solution can or cannot be used. They limit your ability to use the tool for commercial purposes or reproductions or may require you to purchase and maintain a specific license to use their solution and materials.

    See Build Your Generative AI Roadmap for more information.

    Assess your Gen AI readiness

    • Solution delivery team
      The team is educated on Gen AI, its use cases, and the tools that enable it. They have the skills and capacity to implement, create, and manage Gen AI.
    • Solution delivery process and tools
      The solution delivery process is documented, repeatable, and optimized to use Gen AI effectively. Delivery tools are configured to enable, leverage and manage Gen AI assets to improve their performance and efficiency.
    • Solution delivery artifacts
      Delivery artifacts (e.g. code, scripts, documents) that will be used to train and be leveraged by Gen AI tools are discoverable, accurate, complete, standardized, of sufficient quantity, optimized for Gen AI use, and stored in an accessible shared central repository.
    • Governance
      Defined policies, role definitions, guidelines, and processes that guide the implementation, development, operations, and management of Gen AI.
    • Vision and executive support
      Clear alignment of Gen AI direction, ambition, and objectives with broader business and IT priorities. Stakeholders support the Gen AI initiative and allocate human and financial resources for its implementation within the solution delivery team.
    • Operational support
      The capabilities to manage the Gen AI tools and ensure they support the growing needs of the solution delivery practice, such as security management, hosting infrastructure, risk and change management, and data and application integration.

    1.3.1 Assess your readiness for Gen AI

    1-3 hours

    1. Review the current state of your solution delivery teams including their capacity, skills and knowledge, delivery practices, and tools and technologies.
    2. Determine the readiness of your team to adopt Gen AI.
    3. Discuss the gaps that need to be filled to be successful with Gen AI.
    4. Record this information in the Gen AI Solution Delivery Readiness Assessment Tool.

    Record the results in the Gen AI Solution Delivery Readiness Assessment Tool

    Output

    • Gen AI Solution Delivery Readiness Assessment

    Participants

    • Applications VP
    • Applications Director
    • Solution Delivery Manager
    • Solution Delivery Team

    Recognize that Gen AI does not require a fully optimized solution delivery process

    1. Consideration; 2. Exploration; 3. Incorporation; 4. Proliferation; 5. Optimization.  Steps 3-5 are Recommended maturity levels to properly embrace Gen AI.

    To learn more, visit Info-Tech's Develop Your Value-First Business Process Automation (BPA) Strategy.

    Be prepared to take the next steps

    Deliver Gen AI to your solution delivery teams

    Modernize Your SDLC
    Efficient and effective SDLC practices are vital, as products need to readily adjust to evolving and changing business needs and technologies.

    Adopt Generative AI in Solution Delivery
    Generative AI can drive productivity and solution quality gains to your solution delivery teams. Level set expectations with the right use case to demonstrate its value potential.

    Select Your AI Vendor & Implementation Partner
    The right vendor and partner are critical for success. Build the selection criteria to shortlist the products and services that best meets the current and future needs of your teams.

    Drive Business Value With Off-the-Shelf AI
    Build a framework that will guide your teams through the selection of an off-the-shelf AI tool with a clear definition of the business case and preparations for successful adoption.

    Build Your Enterprise Application Implementation Playbook
    Your Gen AI implementation doesn't start with technology, but with an effective plan that your team supports and is aligned to broader stakeholder and sponsor priorities and goals.

    Build your Gen AI practice

    • Get Started With AI
    • AI Strategy & Generative AI Roadmap
    • AI Governance

    Related Info-Tech Research

    Build a Winning Business Process Automation Playbook
    Optimize and automate your business processes with a user-centric approach.

    Embrace Business Managed Applications
    Empower the business to implement their own applications with a trusted business-IT relationship.

    Application Portfolio Management Foundations
    Ensure your application portfolio delivers the best possible return on investment.

    Maximize the Benefits from Enterprise Applications with a Center of Excellence
    Optimize your organization's enterprise application capabilities with a refined and scalable methodology.

    Create an Architecture for AI
    Build your target state architecture from predefined best-practice building blocks.

    Deliver on Your Digital Product Vision
    Build a product vision your organization can take from strategy through execution.

    Enhance Your Solution Architecture Practices
    Ensure your software systems solution is architected to reflect stakeholders' short- and long-term needs.

    Apply Design Thinking to Build Empathy With the Business
    Use design thinking and journey mapping to make IT the business' go-to problem solver.

    Modernize Your SDLC
    Deliver quality software faster with new tools and practices.

    Drive Business Value With Off-the-Shelf AI
    A practical guide to ensure return on your off-the-shelf AI investment.

    Bibliography

    "Altran Helps Developers Write Better Code Faster with Azure AI." Microsoft, 2020.
    "Apply Design Thinking to Complex Teams, Problems, and Organizations." IBM, 2021.
    Bianca. "Unleashing the Power of AI in Code Generation: 10 Applications You Need to Know — AITechTrend." AITechTrend, 16 May 2023.
    Biggs, John. "Deep Code Cleans Your Code with the Power of AI." TechCrunch, 26 Apr 2018.
    "Chat GPT as a Tool for Business Analysis — the Brazilian BA." The Brazilian BA, 24 Jan 2023.
    Davenport, Thomas, and Randy Bean. "Big Data and AI Executive Survey 2019." New Vantage Partners, 2019.
    Davenport, Thomas, and Randy Bean. "Big Data and AI Executive Survey 2021." New Vantage Partners, 2021.
    Das, Tamal. "9 Best AI-Powered Code Completion for Productive Development." Geek flare, 5 Apr 2023.
    Gondrezick, Ilya. "Council Post: How AI Can Transform the Software Engineering Process." Forbes, 24 Apr 2020.
    "Generative AI Speeds up Software Development: Compass UOL Study." PR Newswire, 29 Mar 2023.
    "GitLab 2023 Global Develops Report Series." Gitlab, 2023.
    "Game Changer: The Startling Power Generative AI Is Bringing to Software Development." KPMG, 30 Jan 2023.
    "How AI Can Help with Requirements Analysis Tools." TechTarget, 28 July 2020.
    Indra lingam, Ashanta. "How Spotify Is Upleveling Their Entire Design Team." Framer, 2019.
    Ingle, Prathamesh. "Top Artificial Intelligence (AI) Tools That Can Generate Code to Help Programmers." Matchcoat, 1 Jan 2023.
    Kaur, Jagreet . "AI in Requirements Management | Benefits and Its Processes." Xenon Stack, 13 June 2023.
    Lange, Danny. "Game On: How Unity Is Extending the Power of Synthetic Data beyond the Gaming Industry." CIO, 17 Dec 2020.
    Lin, Ying. "10 Artificial Intelligence Statistics You Need to Know in 2020." OBERLO, 17 Mar. 2023.
    Mauran, Cecily. "Whoops, Samsung Workers Accidentally Leaked Trade Secrets via ChatGPT." Mashable, 6 Apr 2023.

    Implement Hardware Asset Management

    • Buy Link or Shortcode: {j2store}312|cart{/j2store}
    • member rating overall impact (scale of 10): 9.4/10 Overall Impact
    • member rating average dollars saved: $29,447 Average $ Saved
    • member rating average days saved: 25 Average Days Saved
    • Parent Category Name: Asset Management
    • Parent Category Link: /asset-management
    • Executives are often aware of the benefits asset management offers, but many organizations lack a defined program to manage their hardware.
    • Efforts to implement hardware asset management (HAM) are stalled because organizations feel overwhelmed navigating the process or under use the data, failing to deliver value.

    Our Advice

    Critical Insight

    • Organizations often implement an asset management program as a one-off project and let it stagnate.
    • Organizations often fail to dedicate adequate resources to the HAM process, leading to unfinished processes and inconsistent standards.
    • Hardware asset management programs yield a large amount of useful data. Unfortunately, this data is often underutilized. Departments within IT become data siloes, preventing effective use of the data.

    Impact and Result

    • As the IT environment continues to change, it is important to establish consistency in the standards around IT asset management.
    • A current state assessment of your HAM program will shed light on the steps needed to safeguard your processes.
    • Define the assets that will need to be managed to inform the scope of the ITAM program before defining processes.
    • Build and involve an ITAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.

    Implement Hardware Asset Management Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why you should Implement Hardware Asset Management, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Lay foundations

    Build the foundations for the program to succeed.

    • Implement Hardware Asset Management – Phase 1: Lay Foundations
    • HAM Standard Operating Procedures
    • HAM Maturity Assessment Tool
    • IT Asset Manager
    • IT Asset Administrator

    2. Procure & receive

    Define processes for requesting, procuring, receiving, and deploying hardware.

    • Implement Hardware Asset Management – Phase 2: Procure and Receive
    • HAM Process Workflows (Visio)
    • HAM Process Workflows (PDF)
    • Non-Standard Hardware Request Form
    • Purchasing Policy

    3. Maintain & dispose

    Define processes and policies for managing, securing, and maintaining assets then disposing or redeploying them.

    • Implement Hardware Asset Management – Phase 3: Maintain and Dispose
    • Asset Security Policy
    • Hardware Asset Disposition Policy

    4. Plan implementation

    Plan the hardware budget, then build a communication plan and roadmap to implement the project.

    • Implement Hardware Asset Management – Phase 4: Plan Implementation 
    • HAM Budgeting Tool
    • HAM Communication Plan
    • HAM Implementation Roadmap
    [infographic]

    Workshop: Implement Hardware Asset Management

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Lay Foundations

    The Purpose

    Build the foundations for the program to succeed.

    Key Benefits Achieved

    Evaluation of current challenges and maturity level

    Defined scope for HAM program

    Defined roles and responsibilities

    Identified metrics and reporting requirements

    Activities

    1.1 Outline hardware asset management challenges.

    1.2 Conduct HAM maturity assessment.

    1.3 Classify hardware assets to define scope of the program.

    1.4 Define responsibilities.

    1.5 Use a RACI chart to determine roles.

    1.6 Identify HAM metrics and reporting requirements.

    Outputs

    HAM Maturity Assessment

    Classified hardware assets

    Job description templates

    RACI Chart

    2 Procure & Receive

    The Purpose

    Define processes for requesting, procuring, receiving, and deploying hardware.

    Key Benefits Achieved

    Defined standard and non-standard requests for hardware

    Documented procurement, receiving, and deployment processes

    Standardized asset tagging method

    Activities

    2.1 Identify IT asset procurement challenges.

    2.2 Define standard hardware requests.

    2.3 Document standard hardware request procedure.

    2.4 Build a non-standard hardware request form.

    2.5 Make lease vs. buy decisions for hardware assets.

    2.6 Document procurement workflow.

    2.7 Select appropriate asset tagging method.

    2.8 Design workflow for receiving and inventorying equipment.

    2.9 Document the deployment workflow(s).

    Outputs

    Non-standard hardware request form

    Procurement workflow

    Receiving and tagging workflow

    Deployment workflow

    3 Maintain & Dispose

    The Purpose

    Define processes and policies for managing, securing, and maintaining assets then disposing or redeploying them.

    Key Benefits Achieved

    Policies and processes for hardware maintenance and asset security

    Documented workflows for hardware disposal and recovery/redeployment

    Activities

    3.1 Build a MAC policy, request form, and workflow.

    3.2 Design process and policies for hardware maintenance, warranty, and support documentation handling.

    3.3 Revise or create an asset security policy.

    3.4 Identify challenges with IT asset recovery and disposal and design hardware asset recovery and disposal workflows.

    Outputs

    User move workflow

    Asset security policy

    Asset disposition policy, recovery and disposal workflows

    4 Plan Implementation

    The Purpose

    Select tools, plan the hardware budget, then build a communication plan and roadmap to implement the project.

    Key Benefits Achieved

    Shortlist of ITAM tools

    Hardware asset budget plan

    Communication plan and HAM implementation roadmap

    Activities

    4.1 Generate a shortlist of ITAM tools that will meet requirements.

    4.2 Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget.

    4.3 Build HAM policies.

    4.4 Develop a communication plan.

    4.5 Develop a HAM implementation roadmap.

    Outputs

    HAM budget

    Additional HAM policies

    HAM communication plan

    HAM roadmap tool

    Further reading

    Implement Hardware Asset Management

    Build IT services value on the foundation of a proactive asset management program.

    ANALYST PERSPECTIVE

    IT asset data impacts the entire organization. It’s time to harness that potential.

    "Asset management is like exercise: everyone is aware of the benefits, but many struggle to get started because the process seems daunting. Others fail to recognize the integrative potential that asset management offers once an effective program has been implemented.

    A proper hardware asset management (HAM) program will allow your organization to cut spending, eliminate wasteful hardware, and improve your organizational security. More data will lead to better business decision-making across the organization.

    As your program matures and your data gathering and utility improves, other areas of your organization will experience similar improvements. The true value of asset management comes from improved IT services built upon the foundation of a proactive asset management program." - Sandi Conrad, Practice Lead, Infrastructure & Operations Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • Asset Managers and Service Delivery Managers tasked with developing an asset management program who need a quick start.
    • CIOs and CFOs who want to reduce or improve budgeting of hardware lifecycle costs.
    • Information Security Officers who need to mitigate the risk of sensitive data loss due to insecure assets.

    This Research Will Help You:

    • Develop a hardware asset management (HAM) standard operating procedure (SOP) that documents:
      • Process roles and responsibilities.
      • Data classification scheme.
      • Procurement standards, processes, and workflows for hardware assets.
      • Hardware deployment policies, processes, and workflows.
      • Processes and workflows for hardware asset security and disposal.
    • Identify requirements for an IT asset management (ITAM) solution to help generate a shortlist.
    • Develop a hardware asset management implementation roadmap.
    • Draft a communication plan for the initiative.

    Executive summary

    Situation

    • Executives are aware of the numerous benefits asset management offers, but many organizations lack a defined ITAM program and especially a HAM program.
    • Efforts to implement HAM are stalled because organizations cannot establish and maintain defined processes and policies.

    Complication

    • Organizations often implement an asset management program as a one- off project and let it stagnate, but asset management needs to be a dynamic, continually involving process to succeed.
    • Organizations often fail to dedicate adequate resources to the HAM process, leading to unfinished processes and inconsistent standards.
    • Hardware asset management programs yield a large amount of useful data. Unfortunately, this data is often underused. Departments within IT become data siloes, preventing effective use of the data.

    Resolution

    • As the IT environment continues to change, it is important to establish consistency in the standards around IT asset management.
    • A current state assessment of your HAM program will shed light on the steps needed to safeguard your processes.
    • Define the assets that will need to be managed to inform the scope of the ITAM program before defining processes.
    • Build and involve an ITAM team in the process from the beginning to help embed the change.
    • Define standard policies, processes, and procedures for each stage of the hardware asset lifecycle, from procurement through to disposal.
    • Pace yourself; a staged implementation will make your ITAM program a success.

    Info-Tech Insight

    1. HAM is more than just tracking inventory. A mature asset management program provides data for proactive planning and decision making to reduce operating costs and mitigate risk.
    2. ITAM is not just IT. IT leaders need to collaborate with Finance, Procurement, Security, and other business units to make informed decisions and create value across the enterprise.
    3. Treat HAM like a process, not a project. HAM is a dynamic process that must react and adapt to the needs of the business.

    Implement HAM to reduce and manage costs, gain efficiencies, and ensure regulatory compliance

    Save & Manage Money

    • Companies with effective HAM practices achieve cost savings through redeployment, reduction of lost or stolen equipment, power management, and on-time lease returns.
    • The right HAM system will enable more accurate planning and budgeting by business units.

    Improve Contract Management

    • Real-time asset tracking to vendor terms and conditions allows for more effective negotiation.

    Inform Technology Refresh

    • HAM provides accurate information on hardware capacity and compatibility to inform upgrade and capacity planning

    Gain Service Efficiencies

    • Integrating the hardware lifecycle with the service desk will enable efficiencies through Install/Moves/Adds/Changes (IMAC) processes, for larger organizations.

    Meet Regulatory Requirements

    • You can’t secure organizational assets if you don’t know where they are! Meet governance and privacy laws by knowing asset location and that data is secure.

    Prevent Risk

    • Ensure data is properly destroyed through disposal processes, track lost and stolen hardware, and monitor hardware to quickly identify and isolate vulnerabilities.

    HAM is more than just inventory; 92% of organizations say that it helps them provide better customer support

    Hardware asset management (HAM) provides a framework for managing equipment throughout its entire lifecycle. HAM is more than just keeping an inventory; it focuses on knowing where the product is, what costs are associated with it, and how to ensure auditable disposition according to best options and local environmental laws.

    Implementing a HAM practice enables integration of data and enhancement of many other IT services such as financial reporting, service management, green IT, and data and asset security.

    Cost savings and efficiency gains will vary based on the organization’s starting state and what measures are implemented, but most organizations who implement HAM benefit from it. As organizations increase in size, they will find the greatest gains operationally by becoming more efficient at handling assets and identifying costs associated with them.

    A 2015 survey by HDI of 342 technical support professionals found that 92% say that HAM has helped their teams provide better support to customers on hardware-related issues. Seventy-seven percent have improved customer satisfaction through managing hardware assets. (HDI, 2015)

    HAM delivers cost savings beyond only the procurementstage

    HAM cost savings aren’t necessarily realized through the procurement process or reduced purchase price of assets, but rather through the cost of managing the assets.

    HAM delivers cost savings in several ways:

    • Use a discovery tool to identify assets that may be retired, redeployed, or reused to cut or reallocate their costs.
    • Enforce power management policies to reduce energy consumption as well as costs associated with wasted energy.
    • Enforce policies to lock down unauthorized devices and ensure that confidential information isn’t lost (and you don’t have to waste money recovering lost data).
    • Know the location of all your assets and which are connected to the network to ensure patches are up to date and avoid costly security risks and unplanned downtime.
    • Scan assets to identify and remediate vulnerabilities that can cause expensive security attacks.
    • Improve vendor and contract management to identify areas of hardware savings.

    The ROI for HAM is significant and measurable

    Benefit Calculation Sample Annual Savings

    Reduced help desk support

    • The length of support calls should be reduced by making it easier for technicians to identify PC configuration.
    # of hardware-related support tickets per year * cost per ticket * % reduction in average call length 2,000 * $40 * 20% = $16,000

    Greater inventory efficiency

    • An ITAM solution can automate and accelerate inventory preparation and tasks.
    Hours required to complete inventory * staff required * hourly pay rate for staff * number of times a year inventory required 8 hours * 5 staff * $33 per hour * 2 times a year = $2,640

    Improved employee productivity

    • Organizations can monitor and detect unapproved programs that result in lost productivity.
    # of employees * percentage of employees who encounter productivity loss through unauthorized software * number of hours per year spent using unauthorized software * average hourly pay rate 500 employees * 10% * 156 hours * $18 = $140,400

    Improved security

    • Improved asset tracking and stronger policy enforcement will reduce lost and stolen devices and data.
    # of devices lost or stolen last year * average replacement value of device + # of devices stolen * value of data lost from device (50 * $1,000) + (50 * $5,000) = $300,000
    Total Savings: $459,040
    1. Weigh the return against the annual cost of investing in an ITAM solution to calculate the ROI.
    2. Don’t forget about the intangible benefits that are more difficult to quantify but still significant, such as increased visibility into hardware, more accurate IT planning and budgeting, improved service delivery, and streamlined operations.

    Avoid these common barriers to ITAM success

    Organizations that struggle to implement ITAM successfully usually fall victim to these barriers:

    Organizational resistance to change

    Senior-level sponsorship, engagement, and communication is necessary to achieve the desired outcomes of ITAM; without it, ITAM implementations stall and fail or lack the necessary resources to deliver the value.

    Lack of dedicated resources

    ITAM often becomes an added responsibility for resources who already have other full-time responsibilities, which can quickly cause the program to lose focus. Increase the chance of success through dedicated resources.

    Focus on tool over process

    Many organizations buy a tool thinking it will do most of the work for them, but without supporting processes to define ITAM, the data within the tool can become unreliable.

    Choosing a tool or process that doesn’t scale

    Some organizations are able to track assets through manual discovery, but as their network and user base grows, this quickly becomes impossible. Choose a tool and build processes that will support the organization as it grows.

    Using data only to respond to an audit without understanding root causes

    Often, organizations implement ITAM only to the extent necessary to achieve compliance for audits, but without investigating the underlying causes of non-compliance and thus not solving the real problems.

    To help you make quick progress, Info-Tech Research Group parses hardware asset management into essential processes

    Focus on hardware asset lifecycle management essentials:

    IT Asset Procurement:

    • Define procurement standards for new hardware along with related warranties and support options.
    • Develop processes and workflows for purchasing and work out financial implications to inform budgeting later.

    IT Asset Intake and Deployment:

    • Define policies, processes, and workflows for hardware and receiving, inventory, and tracking practices.
    • Develop processes and workflows for managing imaging, change and moves, and large-scale rollouts.

    IT Asset Security and Maintenance:

    • Develop processes, policies, and workflows for asset tracking and security.
    • Maintain contracts and agreements.

    IT Asset Disposal or Recovery:

    • Manage the employee termination and equipment recovery cycle.
    • Securely wipe and dispose of assets that have reached retirement stage.

    The image is a circular graphic, with Implement HAM written in the middle. Around the centre circle are four phrases: Recover or Dispose; Plan & Procure; Receive & Deploy; Secure & Maintain. Around that circle are six words: Retire; Plan; Request; Procure; Receive; Manage.

    Follow Info-Tech’s methodology to build a plan to implement hardware asset management

    Phase 1: Assess & Plan Phase 2: Procure & Receive Phase 3: Maintain & Dispose Phase 4: Plan Budget & Build Roadmap
    1.1 Assess current state & plan scope 2.1 Request & procure 3.1 Manage & maintain 4.1 Plan budget
    1.2 Build team & define metrics 2.2 Receive & deploy 3.2 Redeploy or dispose 4.2 Communicate & build roadmap
    Deliverables
    Standard Operating Procedure (SOP)
    HAM Maturity Assessment Procurement workflow User move workflow HAM Budgeting Tool
    Classified hardware assets Non-standard hardware request form Asset security policy HAM Communication Plan
    RACI Chart Receiving & tagging workflow Asset disposition policy HAM Roadmap Tool
    Job Descriptions Deployment workflow Asset recovery & disposal workflows Additional HAM policies

    Asset management is a key piece of Info-Tech's COBIT- inspired IT Management and Governance Framework

    The image shows a graphic which is a large grid, showing Info-Tech's research, sorted into categories.

    Cisco IT reduced costs by upwards of $50 million through implementing ITAM

    CASE STUDY

    Industry IT

    Source Cisco Systems, Inc.

    Cisco Systems, Inc.

    Cisco Systems, Inc. is the largest networking company in the world. Headquartered in San Jose, California, the company employees over 70,000 people.

    Asset Management

    As is typical with technology companies, Cisco boasted a proactive work environment that encouraged individualism amongst employees. Unfortunately, this high degree of freedom combined with the rapid mobilization of PCs and other devices created numerous headaches for asset tracking. At its peak, spending on hardware alone exceeded $100 million per year.

    Results

    Through a comprehensive ITAM implementation, the new asset management program at Cisco has been a resounding success. While employees did have to adjust to new rules, the process as a whole has been streamlined and user-satisfaction levels have risen. Centralized purchasing and a smaller number of hardware platforms have allowed Cisco to cut its hardware spend in half, according to Mark Edmondson, manager of IT services expenses for Cisco Finance.

    This case study continues in phase 1

    The image shows four bars, from bottom to top: 1. Asset Gathering; 2. Asset Distribution; 3. Asset Protection; 4. Asset Data. On the right, there is an arrow pointing upwards labelled ITAM Program Maturity.

    Info-Tech delivers: Use our tools and templates to accelerate your project to completion

    HAM Standard Operating Procedures (SOP)

    HAM Maturity Assessment

    Non-Standard Hardware Request Form

    HAM Visio Process Workflows

    HAM Policy Templates

    HAM Budgeting Tool

    HAM Communication Plan

    HAM Implementation Roadmap Tool

    Measured value for Guided Implementations (GIs)

    Engaging in GIs doesn’t just offer valuable project advice, it also results in significant cost savings.

    GI Measured Value
    Phase 1: Lay Foundations
    • Time, value, and resources saved by using Info-Tech’s tools and templates to assess current state and maturity, plan scope of HAM program, and define roles and metrics.
    • For example, 2 FTEs * 14 days * $80,000/year = $8,615
    Phase 2: Procure & Receive
    • Time, value, and resources saved by using Info-Tech’s tools and templates to build processes for hardware request, procurement, receiving, and deployment.
    • For example, 2 FTEs * 14 days * $80,000/year = $8,615
    Phase 3: Maintain & Dispose
    • Time, value, and resources saved by following Info-Tech’s tools and methodology to build processes and policies for managing and maintaining hardware and disposing or redeploying of equipment.
    • For example, 2 FTE * 14 days * $80,000/year = $8,615
    Phase 4: Plan Implementation
    • Time, value, and resources saved by following Info-Tech’s tools and methodology to select tools, plan the hardware budget, and build a roadmap.
    • For example, 2 FTE * 14 days * $80,000/year = $8,615
    Total savings $25,845

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    “Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful.”

    Guided Implementation

    “Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keep us on track.”

    Workshop

    “We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place.”

    Consulting

    “Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project.”

    Diagnostics and consistent frameworks used throughout all four options

    Guided Implementation overview

    1. Lay Foundations 2. Procure & Receive 3. Maintain & Dispose 4. Budget & Implementation
    Best-Practice Toolkit

    1.1 Assess current state & plan scope

    1.2 Build team & define metrics

    2.1 Request & procure

    2.2 Receive & deploy

    3.1 Manage & maintain

    3.2 Redeploy or dispose

    4.1 Plan budget

    4.2 Communicate & build roadmap

    Guided Implementation
    • Assess current state.
    • Define scope of HAM program.
    • Define roles and metrics.
    • Define standard and non-standard hardware.
    • Build procurement process.
    • Determine asset tagging method and build equipment receiving and deployment processing.
    • Define processes for managing and maintaining equipment.
    • Define policies for maintaining asset security.
    • Build process for redeploying or disposing of assets.
    • Discuss best practices for effectively managing a hardware budget.
    • Build communications plan and roadmap.
    Results & Outcomes
    • Evaluation of current maturity level of HAM
    • Defined scope for the HAM program including list of hardware to track as assets
    • Defined roles and responsibilities
    • Defined and documented KPIs and metrics to meet HAM reporting requirements
    • Defined standard and non- standard requests and processes
    • Defined and documented procurement workflow and purchasing policy
    • Asset tagging method and process
    • Documented equipment receiving and deployment processes
    • MAC policies and workflows
    • Policies and processes for hardware maintenance and asset security
    • Documented workflows for hardware disposal and recovery/redeployment
    • Shortlist of ITAM tools
    • Hardware asset budget plan
    • Communication plan and HAM implementation roadmap

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.comfor more information.

    Phases: Teams, Scope & Hardware Procurement Hardware Procurement and Receiving Hardware Maintenance & Disposal Budgets, Roadmap & Communications
    Duration* 1 day 1 day 1 day 1 day
    * Activities across phases may overlap to ensure a timely completion of the engagement
    Projected Activities
    • Outline hardware asset management goals
    • Review HAM maturity and anticipated milestones
    • Define scope and classify hardware assets
    • Define roles and responsibilities
    • Define metrics and reporting requirements
    • Define standard and non-standard hardware requests
    • Review and document procurement workflow
    • Discuss appropriate asset tagging method
    • Design and document workflow for receiving and inventorying equipment
    • Review/create policy for hardware procurement and receiving
    • Identify data sources and methodology for inventory and data collection
    • Define install/moves/adds/changes (MAC) policy
    • Build workflows to document user MAC processes and design request form
    • Design process and policies for hardware maintenance, warranty, and support documentation handling
    • Design hardware asset recovery and disposal workflows
    • Define budgeting process and review Info-Tech’s HAM Budgeting Tool
    • Develop a communication plan
    • Develop a HAM implementation plan
    Projected Deliverables
    • Standard operating procedures for hardware
    • Visio diagrams for all workflows
    • Workshop summary with milestones and task list
    • Budget template
    • Policy draft

    Phase 1

    Lay Foundations

    Implement Hardware Asset Management

    A centralized procurement process helped cut Cisco’s hardware spend in half

    CASE STUDY

    Industry IT

    Source Cisco Systems, Inc.

    Challenge

    Cisco Systems’ hardware spend was out of control. Peaking at $100 million per year, the technology giant needed to standardize procurement processes in its highly individualized work environment.

    Users had a variety of demands related to hardware and network availability. As a result, data was spread out amongst multiple databases and was managed by different teams.

    Solution

    The IT team at Cisco set out to solve their hardware-spend problem using a phased project approach.

    The first major step was to identify and use the data available within various departments and databases. The heavily siloed nature of these databases was a major roadblock for the asset management program.

    This information had to be centralized, then consolidated and correlated into a meaningful format.

    Results

    The centralized tracking system allowed a single point of contact (POC) for the entire lifecycle of a PC. This also created a centralized source of information about all the PC assets at the company.

    This reduced the number of PCs that were unaccounted for, reducing the chance that Cisco IT would overspend based on its hardware needs.

    There were still a few limitations to address following the first step in the project, which will be described in more detail further on in this blueprint.

    This case study continues in phase 2

    Step 1.1: Assess current state and plan scope

    Phase 1: Assess & Plan

    1.1 Assess current state & plan scope

    1.2 Build team & define metrics

    This step will walk you through the following activities:

    1.1.1 Complete MGD (optional)

    1.1.2 Outline hardware asset management challenges

    1.1.3 Conduct HAM maturity assessment

    1.1.4 Classify hardware assets to define scope of the program

    This step involves the following participants:

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security (optional)
    • Operations (optional)

    Step Outcomes

    • Understand key challenges related to hardware asset management within your organization to inform program development.
    • Evaluate current maturity level of hardware asset management components and overall program to determine starting point.
    • Define scope for the ITAM program including list of hardware to track as assets.

    Complete the Management & Governance Diagnostic (MGD) to weigh the effectiveness of ITAM against other services

    1.1.1 Optional Diagnostic

    The MGD helps you get the data you need to confirm the importance of improving the effectiveness of your asset management program.

    The MGD allows you to understand the landscape of all IT processes, including asset management. Evaluate all team members’ perceptions of each process’ importance and effectiveness.

    Use the results to understand the urgency to change asset management and its relevant impact on the organization.

    Establish process owners and hold team members accountable for process improvement initiatives to ensure successful implementation and realize the benefits from more effective processes.

    To book a diagnostic, or get a copy of our questions to inform your own survey, visit Info-Tech’s Benchmarking Tools, contact your account manager, or call toll-free 1-888-670-8889 (US) or 1-844-618-3192 (CAN).

    Sketch out challenges related to hardware asset management to shape the direction of the project

    Common HAM Challenges

    Processes and Policies:

    • Existing asset management practices are labor intensive and time consuming
    • Manual spreadsheets are used, making collaboration and automation difficult
    • Lack of HAM policies and standard operating procedures
    • Asset management data is not centralized
    • Lack of clarity on roles and responsibilities for ITAM functions
    • End users don’t understand the value of asset management

    Tracking:

    • Assets move across multiple locations and are difficult to track
    • Hardware asset data comes from multiple sources, creating fragmented datasets
    • No location data is available for hardware
    • No data on ownership of assets

    Security and Risk:

    • No insight into which assets contain sensitive data
    • There is no information on risks by asset type
    • Rogue systems need to be identified as part of risk management best practices
    • No data exists for assets that contain critical/sensitive data

    Procurement:

    • No centralized procurement department
    • Multiple quotes from vendors are not currently part of the procurement process
    • A lack of formal process can create issues surrounding employee onboarding such as long lead times
    • Not all procurement standards are currently defined
    • Rogue purchases create financial risk

    Receiving:

    • No formal process exists, resulting in no assigned receiving location and no assigned receiving role
    • No automatic asset tracking system exists

    Disposal:

    • No insight into where disposed assets go
    • Formal refresh and disposal system is needed

    Contracts:

    • No central repository exists for contracts
    • No insight into contract lifecycle, hindering negotiation effectiveness and pricing optimization

    Outline hardware asset management challenges

    1.1.1 Brainstorm HAM challenges

    Participants

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security
    • Operations (optional)

    A. As a group, outline the hardware asset management challenges facing the organization.

    Use the previous slide to help you get started. You can use the following headings as a guide or think of your own:

    • Processes and Policies
    • Tracking
    • Procurement
    • Receiving
    • Security and Risk
    • Disposal
    • Contracts

    B. If you get stuck, use the Hardware Asset Management Maturity Assessment Tool to get a quick view of your challenges and maturity targets and kick-start the conversation.

    To be effective with hardware asset management, understand the drivers and potential impact to the organization

    Drivers of effective HAM Results of effective HAM
    Contracts and vendor licensing programs are complex and challenging to administer without data related to assets and their environment. Improved access to accurate data on contracts, licensing, warranties, installed hardware and software for new contracts, renewals, and audit requests.
    Increased need to meet compliance requires a formal approach to tracking and managing assets, regardless of device type. Encryption, hardware tracking and discovery, software application controls, and change notifications all contribute to better asset controls and data security.
    Cost cutting is on the agenda, and management is looking to reduce overall IT spend in the organization in any possible way. Reduction of hardware spend by as much as 5% of the total budget through data for better forecasting and planning.
    Assets with sensitive data are not properly secured, go missing, or are not safely disposed of when retired. Document and enforce security policies for end users and IT staff to ensure sensitive data is properly secured, preventing costs much larger than the cost of only the device.

    Each level of HAM maturity comes with its own unique challenges

    Maturity People & Policies Processes Technology
    Chaos
    • No dedicated staff
    • No policies published
    • Procedures not documented or standardized
    • Hardware not safely secured or tagged
    • Hardware purchasing decisions not based on data
    • Minimal tracking tools in place
    Reactive
    • Semi-focused HAM manager
    • No policies published
    • Reliance on suppliers to provide reports for hardware purchases
    • Hardware standards are enforced
    • Discovery tools and spreadsheets used to manage hardware
    Controlled
    • Full-time HAM manager
    • End-user policies published
    • HAM manager involved in budgeting and planning sessions
    • Inventory tracking is in place
    • Hardware is secured and tagged
    • Discovery and inventory tools used to manage hardware
    • Compliance reports run as needed
    Proactive
    • Extended HAM team, including Help Desk, HR, Purchasing
    • Corporate hardware use policies in place and enforced
    • HAM process integrated with help desk and HR processes
    • More complex reporting and integrated financial information and contracts with asset data
    • Hardware requests are automated where possible
    • Product usage reports and alerts in place to harvest and reuse licenses
    • Compliance and usage reports used to negotiate software contracts
    Optimized
    • HAM manager trained and certified
    • Working with HR, Legal, Finance, and IT to enforce policies
    • Quarterly meetings with ITAM team to review policies, procedures, upcoming contracts, and rollouts; data is reviewed before any financial decisions made
    • Full transparency into hardware lifecycle
    • Aligned with business objectives
    • Detailed savings reports provided to executive team annually
    • Automated policy enforcement and process workflows

    Conduct a hardware maturity assessment to understand your starting point and challenges

    1.1.3 Complete HAM Maturity Assessment Tool

    Complete the Hardware Asset Management Maturity Assessment Tool to understand your organization’s overall maturity level in HAM, as well as the starting maturity level aligned with each step of the blueprint, in order to identify areas of strength and weakness to plan the project. Use this to track progress on the project.

    An effective asset management project has four essential components, with varying levels of management required

    The hardware present in your organization can be classified into four categories of ascending strategic complexity: commodity, inventory, asset, and configuration.

    Commodity items are devices that are low-cost, low-risk items, where tracking is difficult and of low value.

    Inventory is tracked primarily to identify location and original expense, which may be depreciated by Finance. Typically there will not be data on these devices and they’ll be replaced as they lose functionality.

    Assets will need the full lifecycle managed. They are identified by cost and risk. Often there is data on these devices and they are typically replaced proactively before they become unstable.

    Configuration items will generally be tracked in a configuration management database (CMDB) for the purpose of enabling the support teams to make decisions involving dependencies, configurations, and impact analysis. Some data will be duplicated between systems, but should be synchronized to improve accuracy between systems.

    See Harness Configuration Management Superpowers to learn more about building a CMDB.

    Classify your hardware assets to determine the scope and strategy of the program

    Asset: A unique device or configuration of devices that enables a user to perform productive work tasks and has a defined location and ownership attributes.

    • Hardware asset management involves tracking and managing physical components from procurement through to retirement. It provides the base for software asset management and is an important process that can lead to improved lifecycle management, service request fulfillment, security, and cost savings through harvesting and redeployment.
    • When choosing your strategy, focus on those devices that are high cost and high risk/function such as desktops, laptops, servers, and mobile devices.

    ASSET - Items of high importance and may contain data, such as PCs, mobile devices, and servers.

    INVENTORY - Items that require significant financial investment but no tracking beyond its existence, such as a projector.

    COMMODITY - Items that are often in use but are of relatively low cost, such as keyboards or mice.

    Classify your hardware assets to define the scope of the program

    1.1.4 Define the assets to be tracked within your organization

    Participants

    • Participants
    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security (optional)
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 1 – Overview & Scope

    1. Determine value/risk threshold at which items should be tracked (e.g. over $1,000 and holding data).
    2. Divide a whiteboard or flip chart into three columns: commodity, asset, and inventory.
    3. Divide participants into groups by functional role to brainstorm devices in use within the organization. Write them down on sticky notes.
    4. Place the sticky notes in the column that best describes the role of the product in your organization.

    Align the scope of the program with business requirements

    CASE STUDY

    Industry Public Administration

    Source Client Case Study

    Situation

    A state government designed a process to track hardware worth more than $1,000. Initially, most assets consisted of end-user computing devices.

    The manual tracking process, which relied on a series of Excel documents, worked well enough to track the lifecycle of desktop and laptop assets.

    However, two changes upended the organization’s program: the cost of end-user computing devices dropped dramatically and the demand for network services led to the proliferation of expensive equipment all over the state.

    Complication

    The existing program was no longer robust enough to meet business requirements. Networking equipment was not only more expensive than end-user computing devices, but also more critical to IT services.

    What was needed was a streamlined process for procuring high-cost, high-utility equipment, tracking their location, and managing their lifecycle costs without compromising services.

    Resolution

    The organization decided to formalize, document, and automate hardware asset management processes to meet the new challenges and focus efforts on high-cost, high-utility end-user computing devices only.

    Step 1.2: Build team and define metrics

    Phase 1: Assess & Plan

    1.1 Assess current state & plan scope

    1.2 Build team and define metrics

    This step will walk you through the following activities:

    1.2.1 Define responsibilities for Asset Manager and Asset Administrator

    1.2.2 Use a RACI chart to determine roles within HAM team

    1.2.3 Further clarify HAM responsibilities for each role

    1.2.4 Identify HAM reporting requirements

    This step involves the following participants:

    • CIO/CFO
    • IT Director
    • IT Managers
    • Asset Manager
    • Asset Coordinators
    • ITAM Team
    • Service Desk
    • End-User Device Support Team

    Step Outcomes:

    • Defined responsibilities for Asset Manager and Asset Administrator
    • Documented RACI chart assigning responsibility and accountability for core HAM processes
    • Documented responsibilities for ITAM/HAM team
    • Defined and documented KPIs and metrics to meet HAM reporting requirements

    Form an asset management team to lead the project

    Asset management is an organizational change. To gain buy-in for the new processes and workflows that will be put in place, a dedicated, passionate team needs to jump-start the project.

    Delegate the following roles to team members and grow your team accordingly.

    Asset Manager

    • Responsible for setting policy and governance of process and data accuracy
    • Support budget process
    • Support asset tracking processes in the field
    • Train employees in asset tracking processes

    Asset Administrator

    • The front-lines of asset management
    • Communicates with and supports asset process implementation teams
    • Updates and contributes information to asset databases
    Service Desk, IT Operations, Applications
    • Responsible for advising asset team of changes to the IT environment, which may impact pricing or ability to locate devices
    • Works with Asset Coordinator/Manager to set standards for lifecycle stages
    • The ITAM team should visit and consult with each component of the business as well as IT.
    • Engage with leaders in each department to determine what their pain points are.
    • The needs of each department are different and their responses will assist the ITAM team when designing goals for asset management.
    • Consultations within each department also communicates the change early, which will help with the transition to the new ITAM program.

    Info-Tech Insight

    Ensure that there is diversity within the ITAM team. Assets for many organizations are diverse and the composition of your team should reflect that. Have multiple departments and experience levels represented to ensure a balanced view of the current situation.

    Define the responsibilities for core ITAM/HAM roles of Asset Manager and Asset Administrator

    1.2.1 Use Info-Tech’s job description templates to define roles

    The role of the IT Asset Manager is to oversee the daily and long-term strategic management of software and technology- related hardware within the organization. This includes:

    • Planning, monitoring, and recording software licenses and/or hardware assets to ensure compliance with vendor contracts.
    • Forming procurement strategies to optimize technology spend across the organization.
    • Developing and implementing procedures for tracking company assets to oversee quality control throughout their lifecycles.

    The role of the IT Asset Administrator is to actively manage hardware and software assets within the organization. This includes:

    • Updating and maintaining accurate asset records.
    • Planning, monitoring, and recording software licenses and/or hardware assets to ensure compliance with vendor contracts.
    • Administrative duties within procurement and inventory management.
    • Maintaining records and databases regarding warranties, service agreements, and lifecycle management.
    • Product standardization and tracking.

    Use Info-Tech’s job description templates to assist in defining the responsibilities for these roles.

    Organize your HAM team based on where they fit within the strategic, tactical, and operational components

    Typically the asset manager will answer to either the CFO or CIO. Occasionally they answer to a vendor manager executive. The hierarchy may vary based on experience and how strategic a role the asset manager will play.

    The image shows a flowchart for organizing the HAM team, structured by three components: Strategic (at the top); Tactical (in the middle); and Operational (at the bottom). The chart shows how the job roles flow together within the hierarchy.

    Determine the roles and responsibilities of the team who will support your HAM program

    1.2.2 Complete a RACI

    A RACI chart will identify who should be responsible, accountable, consulted, and informed for each key activity during the consolidation.

    Participants

    • Project Sponsor
    • IT Director, CIO
    • Project Manager
    • IT Managers and Asset Manager(s)
    • ITAM Team

    Document

    Document in the Standard Operating Procedure.

    Instructions:

    1. Write out the list of all stakeholders along the top of a whiteboard. Write out the key initiative steps for the consolidation project along the left side (use this list as a starting point).
    2. For each initiative, identify each team member’s role. Are they:
      • Responsible? The one responsible for getting the job done.
      • Accountable? Only one person can be accountable for each task.
      • Consulted? Involved through input of knowledge and information.
      • Informed? Receive information about process execution and quality.
    3. As you proceed through the initiative, continue to add tasks and assign responsibility to this RACI chart.

    A sample RACI chart is provided on the next slide

    Start with a RACI chart to determine the responsibilities

    1.2.2 Complete a RACI chart for your organization

    HAM Tasks CIO CFO HAM Manager HAM Administrator Service Desk (T1,T2, T3) IT Operations Security Procurement HR Business Unit Leaders Compliance /Legal Project Manager
    Policies and governance A I R I I C I C C I I
    Strategy A R R R R
    Data entry and quality management C I A I C C I I C C
    Risk management and asset security A R C C R C C
    Process compliance auditing A R I I I I I
    Awareness, education, and training I A I I C
    Printer contracts C A C C C R C C
    Hardware contract management A I R R I I R R I I
    Workflow review and revisions I A C C C C
    Budgeting A R C I C
    Asset acquisition A R C C C C I C C
    Asset receiving (inspection/acceptance) I A R R I
    Asset deployment A R R I I
    Asset recovery/harvesting A R R I I
    Asset disposal C A R R I I
    Asset inventory (input/validate/maintain) I I A/R R R R I I I

    Further clarify HAM responsibilities for each role

    1.2.3 Define roles and responsibilities for the HAM team

    Participants

    • Participants IT Asset Managers and Coordinators
    • ITAM Team
    • IT Managers and IT Director

    Document

    1. Discuss and finalize positions to be established within the ITAM/HAM office as well as additional roles that will be involved in HAM.
    2. Review the sample responsibilities below and revise or create responsibilities for each key position within the HAM team.
    3. Document in the HAM Standard Operating Procedures.
    Role Responsibility
    IT Manager
    • Responsible for writing policies regarding asset management and approving final documents
    • Build and revise budget, tracking actual spend vs. budget, seeking final approvals from the business
    • Process definition, communication, reporting and ensuring people are following process
    • Awareness campaign for new policy and process
    Asset Managers
    • Approval of purchases up to $10,000
    • Inventory and contract management including contract review and recommendations based on business and IT requirements
    • Liaison between business and IT regarding software and hardware
    • Monitor and improve workflows and asset related processes
    • Monitor controls, audit and recommend policies and procedures as needed
    • Validate, manage and analyze data as related to asset management
    • Provide reports as needed for decision making and reporting on risk, process effectiveness and other purposes as required
    • Asset acquisition and disposal
    Service Desk
    Desktop team
    Security
    Infrastructure teams

    Determine criteria for success: establish metrics to quantify and demonstrate the results and value of the HAM function

    HAM metrics fall in the following categories:

    HAM Metrics

    • Quantity e.g. inventory levels and need
    • Cost e.g. value of assets, budget for hardware
    • Compliance e.g. contracts, policies
    • Quality e.g. accuracy of data
    • Duration e.g. time to procure or deploy hardware

    Follow a process for establishing metrics:

    1. Identify and obtain consensus on the organization’s ITAM objectives, prioritized if possible.
    2. For each ITAM objective, select two or three metrics in the applicable categories (not all categories will apply to all objectives); be sure to select metrics that are achievable with reasonable effort.
    3. Establish a baseline measurement for each metric.
    4. Establish a method and accountability for ongoing measurement and analysis/reporting.
    5. Establish accountability for taking action on reported results.
    6. As ITAM expands and matures, change or expand the metrics as appropriate.

    Define KPIs and associated metrics

    • Identify the critical success factors (CSFs) for your hardware asset management program based on strategic goals.
    • For each success factor, identify the key performance indicators (KPIs) to measure success and specific metrics that will be tracked and reported on.
    • Sample metrics are below:
    CSF KPI Metrics
    Improve accuracy of IT budget and forecasting
    • Asset costs and value
    • Average cost of workstation
    • Total asset spending
    • Total value of assets
    • Budget vs. spend
    Identify discrepancies in IT environment
    • Unauthorized or failing assets
    • Number of unauthorized assets
    • Assets identified as cause of service failure
    Avoid over purchasing equipment
    • Number of unused and underused computers
    • Number of unaccounted-for computers
    • Money saved from harvesting equipment instead of purchasing new
    Make more-effective purchasing decisions
    • Predicted replacement time and cost of assets
    • Deprecation rate of assets
    • Average cost of maintaining an asset
    • Number of workstations in repair
    Improve accuracy of data
    • Accuracy of asset data
    • Accuracy rate of inventory data
    • Percentage improvement in accuracy of audit of assets
    Improved service delivery
    • Time to deploy new hardware
    • Mean time to purchase new hardware
    • Mean time to deploy new hardware

    Identify hardware asset reporting requirements and the data you need to collect to meet them

    1.2.4 Identify asset reporting requirements

    Participants

    • CIO/CFO
    • IT Director
    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 13: Reporting

    1. Discuss the goals and objectives of implementing or improving hardware asset management, based on challenges identified in Step 1.2.
    2. From the goals, identify the critical success factors for the HAM program
    3. For each CSF, identify one to three key performance indicators to evaluate achievement of the success factor.
    4. For each KPI, identify one to three metrics that can be tracked and reported on to measure success. Ensure that the metrics are tangible and measurable and will be useful for decision making or to take action.
    5. Determine who needs this information and the frequency of reporting.
    6. If you have existing ITAM data, record the baseline metric.
    CSF KPI Metrics Stakeholder/frequency

    Phase 1 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Lay Foundations

    Proposed Time to Completion: 4 weeks

    Step 1.1: Assess current state and plan scope

    Start with an analyst kick-off call:

    • Review challenges.
    • Assess current HAM maturity level.
    • Define scope of HAM program.

    Then complete these activities…

    • Complete MGD (optional).
    • Outline hardware asset management challenges.
    • Conduct HAM maturity assessment.
    • Classify hardware assets to define scope of the program.

    With these tools & templates:

    HAM Maturity Assessment

    Standard Operating Procedures

    Step 1.2: Build team and define metrics

    Review findings with analyst:

    • Define roles and responsibilities.
    • Assess reporting requirements.
    • Document metrics to track.

    Then complete these activities…

    • Define responsibilities for Asset Manager and Asset Administrator.
    • Use a RACI chart to determine roles within HAM team.
    • Document responsibilities for HAM roles.
    • Identify HAM reporting requirements.

    With these tools & templates:

    RACI Chart

    Asset Manager and Asset Administrator Job Descriptions

    Standard Operating Procedures

    Phase 1 Results & Insights:

    For asset management to succeed, it needs to support the business. Engage business leaders to determine needs and build your HAM program around these goals.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1.4 Classify hardware assets to define scope of the program

    Determine value/risk threshold at which assets should be tracked, then divide a whiteboard into four quadrants representing four categories of assets. Participants write assets down on sticky notes and place them in the appropriate quadrant to classify assets.

    1.2.2 Build a RACI chart to determine responsibilities

    Identify all roles within the organization that will play a part in hardware asset management, then document all core HAM processes and tasks. For each task, assign each role to be responsible, accountable, consulted, or informed.

    Phase 2

    Procure and Receive

    Implement Hardware Asset Management

    Step 2.1: Request and Procure Hardware

    Phase 2: Procure & Receive

    2.1 Request & Procure

    2.2 Receive & Deploy

    This step will walk you through the following activities:

    2.1.1 Identify IT asset procurement challenges

    2.1.2 Define standard hardware requests

    2.1.3 Document standard hardware request procedure

    2.1.4 Build a non-standard hardware request form

    2.1.5 Make lease vs. buy decisions for hardware assets

    2.1.6 Document procurement workflow

    2.1.7 Build a purchasing policy

    This step involves the following participants:

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Step Outcomes:

    • Definition of standard hardware requests for roles, including core vs. optional assets
    • End-user request process for standard hardware
    • Non-standard hardware request form
    • Lease vs. buy decisions for major hardware assets
    • Defined and documented procurement workflow
    • Documented purchasing policy

    California saved $40 million per year using a green procurement strategy

    CASE STUDY

    Industry Government

    Source Itassetmanagement.net

    Challenge

    Signed July 27, 2004, Executive order S-20-04, the “Green Building Initiative,” placed strict regulations on energy consumption, greenhouse gas emissions, and raw material usage and waste.

    In compliance with S-20-04, the State of California needed to adopt a new procurement strategy. Its IT department was one of the worst offenders given the intensive energy usage by the variety of assets managed under the IT umbrella.

    Solution

    A green IT initiative was enacted, which involved an extensive hardware refresh based on a combination of agent-less discovery data and market data (device age, expiry dates, power consumption, etc.).

    A hardware refresh of almost a quarter-million PCs, 9,500 servers, and 100 email systems was rolled out as a result.

    Other changes, including improved software license compliance and data center consolidation, were also enacted.

    Results

    Because of the scale of this hardware refresh, the small changes meant big savings.

    A reduction in power consumption equated to savings of over $40 million per year in electricity costs. Additionally, annual carbon emissions were trimmed by 200,000 tons.

    Improve your hardware asset procurement process to…

    Asset Procurement

    • Standardization
    • Aligned procurement processes
    • SLAs
    • TCO reduction
    • Use of centralized/ single POC

    Standardize processes: Using standard products throughout the enterprise lowers support costs by reducing the variety of parts that must be stocked for onsite repairs or for provisioning and supporting equipment.

    Align procurement processes: Procurement processes must be aligned with customers’ business requirements, which can have unique needs.

    Define SLAs: Providing accurate and timely performance metrics for all service activities allows infrastructure management based on fact rather than supposition.

    Reduce TCO: Management recognizes service infrastructure activities as actual cost drivers.

    Implement a single POC: A consolidated service desk is used where the contact understands both standards (products, processes, and practices) and the user’s business and technical environment.

    Identify procurement challenges to identify process improvement needs

    2.1.1 Identify IT asset procurement challenges

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    1. As a group, brainstorm existing challenges related to IT hardware requests and procurement.
    2. If you get stuck, consider the common challenges listed below.
    3. Use the results of the discussion to focus on which problems can be resolved and integrated into your organization as operational standards.

    Document hardware standards to speed time to procure and improve communications to users regarding options

    The first step in your procurement workflow will be to determine what is in scope for a standard request, and how non-standard requests will be handled. Questions that should be answered by this procedure include:

    • What constitutes a non-standard request?
    • Who is responsible for evaluating each type of request? Will there be one individual or will each division in IT elect a representative to handle requests specific to their scope of work?
    • What additional security measures need to be taken?
    • Are there exceptions made for specific departments or high-ranking individuals?

    If your end-user device strategy requires an overhaul, schedule time with an Info-Tech analyst to review our blueprint Build an End-User Computing Strategy.

    Once you’ve answered questions like these, you can outline your hardware standards as in the example below:

    Use Case Mobile Standard Mac Standard Mobile Power User
    Asset Lenovo ThinkPad T570 iMac Pro Lenovo ThinkPad P71
    Operating system Windows 10 Pro Mac OSX Windows 10 Pro, 64 bit
    Display 15.6" 21.5" 17.3”

    Memory

    32GB 8GB 64GB
    Processor Intel i7 – 7600U Processor 2.3GHz Xeon E3 v6 Processor
    Drive 500GB 1TB 1TB
    Warranty 3 year 1 year + 2 extended 3 year

    Info-Tech Insight

    Approach hardware standards from a continual improvement frame of mind. Asset management is a dynamic process. Hardware standards will need to adapt over time to match the needs of the business. Plan assessments at routine intervals to ensure your current hardware standards align with business needs.

    Document specifications to meet environmental, security, and manageability requirements

    Determine environmental requirements and constraints.

    Power management

    Compare equipment for power consumption and ability to remotely power down machines when not in use.

    Heat and noise

    Test equipment run to see how hot the device gets, where the heat is expelled, and how much noise is generated. This may be particularly important for users who are working in close quarters.

    Carbon footprint

    Ask what the manufacturer is doing to reduce post-consumer waste and eliminate hazardous materials and chemicals from their products.

    Ensure security requirements can be met.

    • Determine if network/wireless cards meet security requirements and if USB ports can be turned off to prevent removal of data.
    • Understand the level of security needed for mobile devices including encryption, remote shut down or wipe of hard drives, recovery software, or GPS tracking.
    • Decide if fingerprint scanners with password managers would be appropriate to enable tighter security and reduce the forgotten-password support calls.

    Review features available to enhance manageability.

    • Discuss manageability goals with your IT team to see if any can be solved with added features, for example:
      • Remote control for troubleshooting and remote management of data security settings.
      • Asset management software or tags for bar coding, radio frequency identification (RFID), or GPS, which could be used in combination with strong asset management practices to inventory, track, and manage equipment.

    If choosing refurbished equipment, avoid headaches by asking the right questions and choosing the right vendor

    • Is the equipment functional and for how long is it expected to last?
    • How long will the vendor stand behind the product and what support can be expected?
      • This is typically two to five years, but will vary from vendor to vendor.
      • Will they repair or replace machines? Many will just replace the machine.
    • How big is the inventory supply?
      • What kind of inventory does the vendor keep and for how long can you expect the vendor to keep it?
      • How does the vendor source the equipment and do they have large quantities of the same make and model for easier imaging and support?
    • How complete is the refurbishment process?
      • Do they test all components, replace as appropriate, and securely wipe or replace hard drives?
      • Are they authorized to reload MS Windows OEM?
    • Is the product Open Box or used?
      • Open Box is a new product returned back to the vendor. Even if it is not used, the product cannot be resold as a new product. Open Box comes with a manufacturer’s warranty and the latest operating system.
      • If used, how old is the product?

    "If you are looking for a product for two or three years, you can get it for less than half the price of new. I bought refurbished equipment for my call center for years and never had a problem". – Glen Collins, President, Applied Sales Group

    Info-Tech Insight

    Price differences are minimal between large and small vendors when dealing with refurbished machines. The decision to purchase should be based on ability to provide and service equipment.

    Define standard hardware requests, including core and optional assets

    2.1.2 Identify standards for hardware procurement by role

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document in the Standard Operating Procedures, Section 7: Procurement.

    1. Divide a whiteboard into columns representing all major areas of the business.
    2. List the approximate number of end users present at each tier and record these totals on the board.
    3. Distribute sticky notes. Use two different sizes: large sizes represent critically important hardware and small sizes represent optional hardware.
    4. Define core hardware assets for each division as well as optional hardware assets.
    5. Focus on the small sticky notes to determine if these optional purchases are necessary.
    6. Finalize the group decision to determine the standard hardware procurement for each role in the organization. Record results in a table similar to the example below:
    Department Core Hardware Assets Optional Hardware Assets
    IT PC, tablet, monitor Second monitor
    Sales PC, monitor Laptop
    HR PC, monitor Laptop
    Marketing PC (iMac) Tablet, laptop

    Document procedures for users to make standard hardware requests

    2.1.3 Document standard hardware request procedure

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document in the Standard Operating Procedures, Section 6: End-User Request Process.

    Discuss and document the end-user request process:

    1. In which cases can users request a primary device?
    2. In which cases can users request a secondary (optional device)?
    3. What justification is needed to approve of a secondary device?
      1. E.g. The request for a secondary device should be via email to the IS Projects and Procurements Officer. This email should outline the business case for why multiple devices are required.
    4. Will a service catalog be available and integrated with an ITAM solution for users to make standard requests? If so, can users also configure their options?
    5. Document the process in the standard operating procedure. Example:

    End-User Request Process

    • Hardware and software will be purchased through the user-facing catalog.
    • Peripherals will be ordered as needed.
    • End-user devices will be routed to business managers for approval prior to fulfillment by IT.
    • Requests for secondary devices must be accompanied by a business case.
    • Equipment replacements due to age will be managed through IT replacement processes.

    Improve the process for ordering non-standard hardware by formalizing the request process, including business needs

    2.1.4 Build a non-standard hardware request form

    • Although the goal should be to standardize as much as possible, this isn’t always possible. Ensure users who are requesting non-standard hardware have a streamlined process to follow that satisfies the justifications for increased costs to deliver.
    • Use Info-Tech’s template to build a non-standard hardware request form that may be used by departments/users requesting non-standard hardware in order to collect all necessary information for the request to be evaluated, approved, and sent to procurement.
    • Ensure that the requestor provides detailed information around the equipment requested and the reason standard equipment does not suffice and includes all required approvals.
    • Include instructions for completing and submitting the form as well as expected turnaround time for the approval process.

    Info-Tech Insight

    Include non-standard requests in continual improvement assessment. If a large portion of requests are for non-standard equipment, it’s possible the hardware doesn’t meet the recommended requirements for specialized software in use with many of your business users. Determine if new standards need to be set for all users or just “power users.”

    Identify the information you need to collect to ensure a smooth purchasing process

    Categories Peripherals Desktops/Laptops Servers
    Financial
    • Operational expenses
    • Ordered for inventory with the exceptions of monitors that will be ordered as needed
    • Equipment will be purchased through IT budget
    • Capital expenses
    • Ordered as needed…
    • Inventory kept for…
    • End-user devices will be purchased through departmental budgets
    • Capital expenses
    • Ordered as needed to meet capacity or stability requirements
    • Devices will be purchased through IT budgets
    Request authorization
    • Any user can request
    • Users who are traveling can purchase and expense peripherals as needed, with manager approvals
    • Tier 3 technicians
    Required approvals
    • Manager approvals required for monitors
    • Infrastructure and applications manager up to [$]
    • CIO over [$]
    Warranty requirements
    • None
    • Three years
    • Will be approved with project plan
    Inventory requirements
    • Minimum inventory at each location of 5 of each: mice, keyboards, cables
    • Docking stations will be ordered as needed
    • Laptops (standard): 5
    • Laptops (ultra light): 1
    • Desktops: 5
    • Inventory kept in stock as per DR plan
    Tracking requirements
    • None
    • Added to ITAM database, CMDB
    • Asset tag to be added to all equipment
    • Added to ITAM database, CMDB

    Info-Tech Best Practice

    Take into account the possibility of encountering taxation issues based on where the equipment is being delivered as well as taxes imposed or incurred in the location from which the asset was shipped or sent. This may impact purchasing decisions and shipping instructions.

    Develop a procurement plan to get everyone in the business on the same page

    • Without an efficient and structured process around how IT purchases are budgeted and authorized, maverick spending and dark procurement can result, limiting IT’s control and visibility into purchases.
    • The challenge many IT departments face is that there is a disconnect between meeting the needs of the business and bringing in equipment according to existing policies and procedures.
    • The asset manager should demonstrate how they can bridge the gaps and improve tracking mechanisms at the same time.

    Improve procurement decisions:

    • Demonstrate how technology is a value-add.
    • Make a clear case for the budget by using the same language as the rest of the business.
    • Quantify the output of technology investments in tangible business terms to justify the cost.
    • Include the refresh cycle in the procurement plan to ensure mission- critical systems will include support and appropriate warranty.
    • Plan technology needs for the future and ensure IT technology will continue to meet changing needs.
    • Synchronize redundant organizational procurement chains in order to lower cost.

    Document the following in your procurement procedure:

    • Process for purchase requests
    • Roles and responsibilities, including requestors and approvers
    • Hardware assets to purchase and why they are needed
    • Timelines for purchase
    • Process for vendors

    Info-Tech Insight

    IT procurement teams are often heavily siloed from ITAM teams. The procurement team is typically found in the finance department. One way to bridge the gap is to implement routine, reliable reporting between departments.

    Determine if it makes sense to lease or buy your equipment; weigh the pros and cons of leasing hardware

    Pros

    • Keeps operational costs low in the short term by containing immediate cost.
    • Easy, predictable payments makes it easier to budget for equipment over long term.
    • Get the equipment you need to start doing business right away if you’re just starting out.
    • After the leasing term is up, you can continue the lease and update your hardware to the latest version.
    • Typical leases last 2 or 3 years, meaning your hardware can get upgrades when it needs it and your business is in a better position to keep up with technology.
    • Leasing directly from the vendor provides operational flexibility.
    • Focus on the business and let the vendor focus on equipment service and updates as you don’t have to pay for maintenance.
    • Costs structured as OPEX.

    Cons

    • In the long term, leasing is almost always more expensive than buying because there’s no equity in leased equipment and there may be additional fees and interest.
    • Commitment to payment through the entire lease period even if you’re not using the equipment anymore.
    • Early termination fees if you need to get out of the lease.
    • No option to sell equipment once you’re finished with it to make money back.
    • Maintenance is up to leasing company’s specifications.
    • Product availability may be limited.

    Recommended for:

    • Companies just starting out
    • Business owners with limited capital or budget
    • Organizations with equipment that needs to be upgraded relatively often

    Weigh the pros and cons of purchasing hardware

    Pros

    • Complete control over assets.
    • More flexible and straightforward procurement process.
    • Tax incentives: May be able to fully deduct the cost of some newly purchased assets or write off depreciation for computers and peripherals on taxes.
    • Preferable if your equipment will not be obsolete in the next two or three years.
    • You can resell the asset once you don’t need it anymore to recover some of the cost.
    • Customization and management of equipment is easier when not bound by terms of leasing agreement.
    • No waiting on vendor when maintenance is needed; no permission needed to make changes.

    Cons

    • High initial cost of investment with CAPEX expense model.
    • More paperwork.
    • You (as opposed to vendor) are responsible for equipment disposal in accordance with environmental regulations.
    • You are responsible for keeping up with upgrades, updates, and patches.
    • You risk ending up with out-of-date or obsolete equipment.
    • Hardware may break after terms of warranty are up.

    Recommended for:

    • Established businesses
    • Organizations needing equipment with long-term lifecycles

    Make a lease vs. buy decision for equipment purchases

    2.1.4 Decide whether to purchase or lease

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • Representatives from all other areas of the business

    Document

    Document policy decisions in the Standard Operating Procedures – Section 7: Procurement

    1. Identify hardware equipment that requires a purchase vs. lease decision.
    2. Discuss with Finance whether it makes sense to purchase or lease each major asset, considering the following:
    • Costs of equipment through each method
    • Tax deductions
    • Potential resale value
    • Potential revenue from using the equipment
    • How quickly the equipment will be outdated or require refresh
    • Size of equipment
    • Maintenance and support requirements
    • Overall costs
  • The leasing vs. buying decision should take considerable thought and evaluation to make the decision that best fits your organizational needs and situation.
  • Determine appropriate warranty and service-level agreements for your organization

    Determine acceptable response time, and weigh the cost of warranty against the value of service.

    • Standard warranties vary by manufacturer, but are typically one or three years.
    • Next-day, onsite service may be part of the standard offering or may be available as an uplift.
    • Four-hour, same-day service can also be added for high availability needs.
    • Extended warranties can be purchased beyond three years, although not many organizations take advantage of this offering.
    • Other organizations lower or remove the warranty and have reported savings of as much as $150 per machine.

    Speak to your partner to see how they can help the process of distributing machines.

    • Internal components change frequently with laptops and desktops. If purchasing product over time rather than buying in bulk, ensure the model will be available for a reasonable term to reduce imaging and support challenges.
    • Determine which services are important to your organization and request these services as part of the initial quote. If sending out a formal RFQ or RFP, document required services and use as the basis for negotiating SLAs.
    • Document details of SLA, including expectations of services for manufacturer, vendor, and internal team.
    • If partner will be providing services, request they stock an appropriate number of hot spares for frequently replaced parts.
    • If self-certifying, review resource capabilities, understand skill and certification requirements; for example, A+ certification may be a pre-requisite.
    • Understand DOA policy and negotiate a “lemon policy,” meaning if product dies within 15 or 30 days it can be classified as DOA. Seek clarity on return processes.

    Consider negotiation strategies, including how and when to engage with different partners during acquisition

    Direct Model

    • Dell’s primary sales model is direct either through a sales associate or through its e-commerce site. Promotions are regularly listed on the website, or if customization is required, desktops and laptops have some flexibility in configuration. Discounts can be negotiated with a sales rep on quantity purchases, but the discount level changes based on the model and configuration.
    • Other tier-one manufacturers typically sell direct only from their e-commerce sites, providing promotions based on stock they wish to move, and providing some configuration flexibility. They rely heavily on the channel for the majority of their business.

    Channel Model

    • Most tier one manufacturers have processes in place to manage a smaller number of partners rather than billing and shipping out to individual customers. Deviating from this process and dealing direct with end customers can create order processing issues.
    • Resellers have the ability to negotiate discounts based on quantities. Discounts will vary based on model, timing (quarter or year end), and quantity commitment.
    • Negotiations on large quantities should involve a manufacturer rep as well as the reseller to clearly designate roles and services, ensure processes are in place to fulfill your needs, and agree on pricing scheme. This will prevent misunderstandings and bring clarity to any commitments.
    • Often the channel partners are authorized to provide repair services under warranty for the manufacturer.
    • Dell also uses the channel model for distribution where customers demand additional services.

    Expect discounts to reflect quantity and method of purchase

    Transaction-based purchases will receive the smallest discounting.

    • Understand requirements to find the most appropriate make and model of equipment.
    • Prepare a forecast of expected purchases for the year and discuss discounting.
    • Typically initial discounts will be 3-5% off suggested retail price.
    • Once a history is in place, and the vendor is receiving regular orders, it may extend deeper discounts.

    Bulk purchases will receive more aggressive discounting of 5-15% off suggested retail price, depending on quantities.

    • Examine shipping options and costs to take advantage of bulk deliveries; in some cases vendors may waive shipping fees as an extension of the discounting.
    • If choosing end-of-line product, ensure appropriate quantity of a single model is available to efficiently roll out equipment.
    • Various pricing models can be used to obtain best price.

    Larger quantities rolled out over time will require commitments to the manufacturer to obtain deepest discounts.

    • Discuss all required services as part of negotiation to ensure there are no surprise charges.
    • Several pricing models can be used to obtain the best price.
      • Suggested retail price minus as much as 20%.
      • Cost plus 3% up to 10% or more.
      • Fixed price based on negotiating equipment availability with budget requirements.

    If sending out to bid, determine requirements and scoring criteria

    It’s nearly impossible to find two manufacturers with the exact same specifications, so comparisons between vendors is more art than science.

    New or upgraded components will be introduced into configurations when it makes the most sense in a production cycle. This creates a challenge in comparing products, especially in an RFP. The best way to handle this is to:

    • Define and document minimum technology requirements.
    • Define and document service needs.
    • Compare vendors to see if they’ve met the criteria or not; if yes, compare prices.
    • If the vendors have included additional offerings, see if they make sense for your organization. If they do, include that in the scoring. If not, exclude and score based on price.
    • Recognize that the complexity of the purchase will dictate the complexity of scoring.

    "The hardware is the least important part of the equation. What is important is the warranty, delivery, imaging, asset tagging, and if they cannot deliver all these aspects the hardware doesn’t matter." – Doug Stevens, Assistant Manager Contract Services, Toronto District School Board

    Document and analyze the hardware procurement workflow to streamline process

    The procurement process should balance the need to negotiate appropriate pricing with the need to quickly approve and fulfill requests. The process should include steps to follow for approving, ordering, and tracking equipment until it is ready for receipt.

    Within the process, it is particularly important to decide if this is where equipment is added into the database or if it will happen upon receipt.

    A poorly designed procurement workflow:

    • Includes many bottlenecks, stopping and starting points.
    • May impact project and service requests and requires unrealistic lead times.
    • May lead to lost productivity for users and lost credibility for the IT department.

    A well-designed hardware procurement workflow:

    • Provides reasonable lead times for project managers and service or hardware request fulfillment.
    • Provides predictability for technical resources to plan deployments.
    • Reduces bureaucracy and workload for following up on missing shipments.
    • Enables improved documentation of assets to start lifecycle management.

    Info-Tech Insight

    Where the Hardware Asset Manager is unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand. Projects, replacements, and new-user requests cannot be delayed in a service-focused IT organization due to bureaucratic processes.

    Document and analyze your procurement workflow to identify opportunities for improvement and communicate process

    Determine if you need one workflow for all equipment or multiples for small vs. large purchases.

    Occasionally large rollouts require significant changes from lower dollar purchases.

    Watch for:

    • Back and forth communications
    • Delays in approvals
    • Inability to get ETAs from vendors
    • Too many requests for quotes for small purchases
    • Entry into asset database

    This sample can be found in the HAM Process Workflows.

    The image shows a workflow, titled Procurement-Equipment-Small Quantity. On the left, the chart is separated into categories: IT Procurment; Tier 2 or Tier 3; IT Director; CIO.

    Design the process workflow for hardware procurement

    2.1.6 Illustrate procurement workflow with a tabletop exercise

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 7: Procurement

    1. In a group, distribute sticky notes or cue cards.
    2. Designate a space on the table/whiteboard to plot the workflow.
    3. Determine which individuals are responsible for handling non-standard requests. Establish any exceptions that may apply to your defined hardware standard.
    4. Gather input from Finance on what the threshold will be for hardware purchases that will require further approval.
    5. Map the procurement process for a standard hardware purchase.
    6. If applicable, map the procurement process for a non-standard request separately.
    7. Evaluate the workflow to identify any areas of inefficiency and make any changes necessary to improve the process.
    8. Be sure to discuss and include:
      • All necessary approvals
      • Time required for standard equipment process
      • Time required for non-standard equipment process
      • How information will be transferred to ITAM database

    Document and share an organizational purchasing policy

    2.1.7 Build a purchasing policy

    A purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    The policy will ensure that all purchasing processes are consistent and in alignment with company strategy. The purchasing policy is key to ensuring that corporate purchases are effective and the best value for money is obtained.

    Implement a purchasing policy to prevent or reduce:

    • Costly corporate conflict of interest cases.
    • Unauthorized purchases of non-standard, difficult to support equipment.
    • Unauthorized purchases resulting in non-traceable equipment.
    • Budget overruns due to decentralized, equipment acquisition.

    Download Info-Tech’s Purchasing Policytemplate to build your own purchasing policy.

    Step 2.2: Receive and Deploy Hardware

    Phase 2: Procure & Receive

    2.1 Request & Procure

    2.2 Receive & Deploy

    This step will walk you through the following activities:

    2.2.1 Select appropriate asset tagging method

    2.2.2 Design workflow for receiving and inventorying equipment

    2.2.3 Document the deployment workflow(s)

    This step involves the following participants:

    • Asset Manager
    • Purchasing
    • Receiver (optional)
    • Service Desk Manager
    • Operations (optional)

    Step Outcomes:

    • Understanding of the pros and cons of various asset tagging methods
    • Defined asset tagging method, process, and location by equipment type
    • Identified equipment acceptance, testing, and return procedures
    • Documented equipment receiving and inventorying workflow
    • Documented deployment workflows for desktop hardware and large-scale deployments

    Cisco implemented automation to improve its inventory and deployment system

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Although Cisco Systems had implemented a centralized procurement location for all PCs used in the company, inventory tracking had yet to be addressed.

    Inventory tracking was still a manual process. Given the volume of PCs that are purchased each year, this is an incredibly labor-intensive process.

    Sharing information with management and end users also required the generation of reports – another manual task.

    Solution

    The team at Cisco recognized that automation was the key component holding back the success of the inventory management program.

    Rolling out an automated process across multiple offices and groups, both nationally and internationally, was deemed too difficult to accomplish in the short amount of time needed, so Cisco elected to outsource its PC management needs to an experienced vendor.

    Results

    As a result of the PC management vendor’s industry experience, the implementation of automated tracking and management functions drastically improved the inventory management situation at Cisco.

    The vendor helped determine an ideal leasing set life of 30 months for PCs, while also managing installations, maintenance, and returns.

    Even though automation helped improve inventory and deployment practices, Cisco still needed to address another key facet of asset management: security.

    This case study continues in phase 3.

    An effective equipment intake process is critical to ensure product is correct, documented, and secured

    Examine your current process for receiving assets. Typical problems include:

    Receiving inventory at multiple locations can lead to inconsistent processes. This can make invoice reconciliation challenging and result in untracked or lost equipment and delays in deployment.

    Equipment not received and secured quickly. Idle equipment tends to go missing if left unsupervised for too long. Missed opportunities to manage returns where equipment is incorrect or defective.

    Disconnect between procurement and receiving where ETAs are unknown or incorrect. This can create an issue where no one is prepared for equipment arrival and is especially problematic on large orders.

    How do you solve these problems? Create a standardized workflow that outlines clear steps for asset receiving.

    A workflow will help to answer questions such as:

    • How do you deal with damaged shipments? Incorrect shipments?
    • Did you reach an agreement with the vendor to replace damaged/incorrect shipments within a certain timeframe?
    • When does the product get tagged and entered into the system as received?
    • What information needs to get captured on the asset tag?

    Standardize the process for receiving your hardware assets

    The first step in effective hardware asset intake is establishing proper procedures for receiving and handling of assets.

    Process: Start with information from the procurement process to determine what steps need to follow to receive into appropriate systems and what processes will enable tagging to happen as soon as possible.

    People: Ensure anyone who may impact this process is aware of the importance of documenting before deployment. Having everyone who may be handling equipment on board is key to success.

    Security: Equipment will be secured at the loading dock or reception. It will need to be secured as inventory and be secured if delivering directly to the bench for imaging. Ensure all receiving activities are done before equipment is deployed.

    Tools: A centralized ERP system may already provide a place to receive and reconcile with purchasing and invoicing, but there may still be a need to receive directly into the ITAM and/or CMDB database rather than importing directly from the ERP system.

    Tagging: A variety of methods can be used to tag equipment to assist with inventory. Consider the overall lifecycle management when determining which tagging methods are best.

    Info-Tech Insight

    Decentralized receiving doesn’t have to mean multiple processes. Take advantage of enterprise solutions that will centralize the data and ensure everyone follows the same processes unless there is an uncompromising and compelling logistical reason to deviate.

    Evaluate the pros and cons of different asset tagging methods

    Method Cost Strengths Weaknesses Recommendation
    RFID with barcoding – asset tag with both a barcode and RFID solution $$$$
    • Secure, fast, and robust
    • Track assets in real time
    • Quick and efficient
    • Most expensive option, requiring purchase of barcode scanner with RFID reader and software)
    • Does not work as well in an environment with less control over assets
    • Requires management of asset database
    • Best in a controlled environment with mature processes and requirement for secure assets
    RFID only – small chip with significant data capacity $$$
    • Track assets from remote locations
    • RFID can be read through boxes so you don’t have to unpack equipment
    • Scan multiple RFID-tagged hardware simultaneously
    • Large data capacity on small chip
    • Expensive, requiring purchase of RFID reading equipment and software
    • Ideal if your environment is spread over multiple locations
    Barcoding only – adding tags with unique barcodes $$
    • Reasonable security
    • Report inventory directly to database
    • Relatively low cost
    • Only read one at a time
    • Need to purchase barcode scanners and software
    • Can be labor intensive to deploy with manual scanning of individual assets
    • Less secure
    • Can’t hold as much data
    • Not as secure as barcodes with RFID but works for environments that are more widely distributed and less controlled

    Evaluate the pros and cons of different asset tagging methods

    Method Cost Strengths Weaknesses Recommendation
    QR codes – two-dimensional codes that can store text, binary, image, or URL data $$
    • Easily scannable from many angles
    • Save and print on labels
    • Can be read by barcode scanning apps or mobile phones
    • Can encode more data than barcodes
    • QR codes need to be large enough to be usable, which can be difficult with smaller IT assets
    • Scanning on mobile devices takes longer than scanning barcodes
    • Ideal if you need to include additional data and information in labels and want workers to use smartphones to scan labels
    Manual tags – tag each asset with your own internal labels and naming system $
    • Most affordable
    • Manual
    • Tags are not durable
    • Labor intensive and time consuming
    • Leaves room for error, misunderstanding, and process variances between locations
    • As this is the most time consuming and resource intensive with a low payoff, it is ideal for low maturity organizations looking for a low-cost option for tagging assets
    Asset serial numbers – tag assets using their serial number $
    • Less expensive
    • Unique serial numbers identified by vendor
    • Serial numbers have to be added to database manually, which is labor intensive and leaves room for error
    • Serial numbers can rub off over time
    • Hard to track down already existing assets
    • Doesn’t help track location of assets after deployment
    • Potential for duplicates
    • Inconsistent formats of serial numbers by manufacturers makes this method prone to error and not ideal for asset management

    Select the appropriate method for tagging and tracking your hardware assets

    2.2.1 Select asset tagging method

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 8

    1. Define your asset tagging method. For most organizations, asset tracking is done via barcoding or QR codes, either by using one method or a combination of the two. Other methods, including RFID, may be applicable based on cost or tracking complexity. Overall, barcodes embedded with RFID are the most robust and efficient method for asset tagging, but also the most expensive. Choose the best method for your organization, taking into account affordability, labor-intensiveness, data complexity needs, and ease of deployment.
    2. Define the process for tagging assets, including how soon they should receive the tag, whose responsibility it is, and whether the tag type varies depending on the asset type.
    3. Define the location of asset tags according to equipment type. Example:
    Asset Type Asset Tag Location
    PC desktop Right upper front corner
    Laptop Right corner closest to user when laptop is closed
    Server Right upper front corner
    Printer Right upper front corner
    Modems Top side, right corner

    Inspect and test equipment before accepting it into inventory to ensure it’s working according to specifications

    Upon receipt of procured hardware, validate the equipment before accepting it into inventory.

    1. Receive - Upon taking possession of the equipment, stage them for inspection before placing them into inventory or deploying for immediate use.
    2. Inspect - The inspection process should involve at minimum examining the products that have been delivered to determine conformance to purchase specifications.
    3. Test -Depending on the type and cost of hardware, some assets may benefit from additional testing to determine if they perform at a satisfactory level before being accepted.
    4. Accept - If the products conform to the requirements of the purchase order, acknowledge receipt so the supplier may be paid. Most shipments are automatically considered as accepted and approved for payment within a specific timeframe.

    Assign responsibility and accountability for inspection and acceptance of equipment, verifying the following:

    • The products conform to purchase order requirements.
    • The quantity ordered is the same as the quantity delivered.
    • There is no damage to equipment.
    • Delivery documentation is acceptable.
    • Products are operable and perform according to specifications.
    • If required, document an acceptance testing process as a separate procedure.

    Build the RMA procedure into the receiving process to handle receipt of defective equipment

    The return merchandise authorization (RMA) process should be a standard part of the receiving process to handle the return of defective materials to the vendor for either repair or replacement.

    If there is a standard process in place for all returns in the organization, you can follow the same process for returning hardware equipment:

    • Call the vendor to receive a unique RMA number that will be attached to the equipment to be returned, then follow manufacturer specifications for returning equipment within allowable timelines according to the contract where applicable.
    • Establish a lemon policy with vendors, allowing for full returns up to 30 days after equipment is deployed if the product proves defective after initial acceptance.

    Info-Tech Insight

    Make sure you’re well aware of the stipulations in your contract or purchase order. Sometimes acceptance is assumed after 60 days or less, and oftentimes the clock starts as soon as the equipment is shipped out rather than when it is received.

    Info-Tech Best Practice

    Keep in mind that the serial number on the received assed may not be the asset that ultimately ends up on the user’s desk if the RMA process is initiated. Record the serial number after the RMA process or add a correction process to the workflow to ensure the asset is properly accounted for.

    Determine what equipment should be stocked for quick deployment where demand is high or speed is crucial

    The most important feature of your receiving and inventory process should be categorization. A well-designed inventory system should reflect not only the type of asset, but also the usage level.

    A common technique employed by asset managers is to categorize your assets using an ABC analysis. Assets are classified as either A, B, or C items. The ratings are based on the following criteria:

    A

    A items have the highest usage. Typically, 10-20% of total assets in your inventory account for upwards of 70-80% of the total asset requests.

    A items should be tightly controlled with secure storage areas and policies. Avoiding stock depletion is a top priority.

    B

    B items are assets that have a moderate usage level, with around 30% of total assets accounting for 15-25% of total requests.

    B items must be monitored; B items can transition to A or C items, especially during cycles of heavier business activity.

    C

    C items are assets that have the lowest usage, with upwards of 50% of your total inventory accounting for just 5% of total asset requests.

    C items are reordered the least frequently, and present a low demand and high risk for excessive inventory (especially if they have a short lifecycle). Many organizations look to move towards an on-demand policy to mitigate risk.

    Info-Tech Insight

    Get your vendor to keep stock of your assets. If large quantities of a certain asset are required but you lack the space to securely store them onsite, ask your vendor to keep stock for you and release as you issue purchase orders. This speeds up delivery and delays warranty activation until the item is shipped. This does require an adherence to equipment standards and understanding of demand to be effective.

    Define the process for receiving equipment into inventory

    Define the following in your receiving process:

    • When will equipment be opened once delivered?
    • Who will open and validate equipment upon receipt?
    • How will discrepancies be resolved?
    • When will equipment be tagged and identified in the tracking tool?
    • When will equipment be locked in secure storage?
    • Where will equipment go if it needs to be immediately deployed?

    The image shows a workflow chart titled Receiving and Tagging. The process is split into two sections, labelled on the left as: Desktop Support Team and Procurement.

    Design the workflow for receiving and inventorying equipment

    2.2.2 Illustrate receiving workflow with a tabletop exercise

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 8: Receiving and Equipment Inventory

    Option 1: Whiteboard

    1. Discuss the workflow and draw it on the whiteboard.
    2. Assess whether you are using the best workflow. Modify it if necessary.
    3. Use the sample workflow from this step as a guide if starting from scratch.
    4. Engage the team in refining the process workflow.
    5. Transfer data to Visio and add to the SOP.

    Option 2: Tabletop Exercise

    1. Distribute index cards to each member of the team.
    2. Have each person write a single task they perform on the index card. Be granular. Include the title or the name of the person responsible.
    3. Mark cards that are decision points. Use a card of a different color or use a marker to make a colored dot.
    4. Arrange the index cards in order, removing duplicates.
    5. Assess whether you are using the best workflow. Engage the team to refine it if necessary.
    6. Transfer data to Visio and add to the SOP.

    Improve device deployment by documenting software personas for each role

    • Improve the deployment process for new users by having a comprehensive list of software used by common roles within the organization. With large variations in roles, it may be impossible to build a complete list, but as you start to see patterns in requirements, you may find less distinct personas than anticipated.
    • Consider a survey to business units to determine what they need if this will solve some immediate problems. If this portion of the project will be deferred, use the data uncovered in the discovery process to identify which software is used by which roles.
    • Replacement equipment can have the software footprint created by what was actually utilized by the user, not necessarily what software was installed on the previous device.

    The image shows 4 bubbles, representing software usage. The ARC-GIS bubble is the largest, Auto CAD the second largest, and MS Office and Adobe CS equal in size.

    A software usage snapshot for an urban planner/engineer.

    • Once software needs are determined, use this information to review the appropriate device for each persona.
      • Ensure hardware is appropriate for the type of work the user does and supports required software.
      • If it is more appropriate for a user to have a tablet, ensure the software they use can be used on any device.
    • Review deployment methods to determine if there is any opportunity to improve the imaging or software deployment process with better tools or methodologies.
    • Document the device’s location if it will be static, or if the user may be more mobile, add location information for their primary location.
    • Think about the best place to document – if this information can be stored in Active Directory and imported to the ITAM database, you can update once and use in multiple applications. But this process is built into your add/move/change workflows.

    Maintain a lean library to simplify image management

    Simplify, simplify, simplify. Use a minimal number of desktop images and automate as much as you can.

    • Embrace minimalism. When it comes to managing your desktop image library, your ultimate goal should be to minimize the manual effort involved in provisioning new desktops.
    • Less is more. Try to maintain as few standard desktop images as possible and consider a thin gold image, which can be patched and updated on a regular basis. A thin image with efficient application deployment will improve the provisioning process.
    • Standardize and repeat. System provisioning should be a repeatable process. This means it is ripe for standardization and automation. Look at balancing the imaging process with software provisioning, using group policy and deployment tools to reduce time to provision and deliver equipment.
    • Outsource where appropriate. Imaging is one of the most employed services, where the image is built in-house and deployed by the hardware vendor. As a minimum, quarterly updates should still be provided to integrate the latest patches into the operating system.

    Document the process workflow for hardware deployment

    Define the process for deploying hardware to users.

    Include the following in your workflow:

    • How will equipment be configured and imaged before deployment?
    • Which images will be used for specific roles?
    • Which assets are assigned to specific roles?
    • How will the device status be changed in the ITAM tool once deployed?

    The image shows a workflow chart titled Hardware Deployment. It is divided into two categories, listed on the left: Desktop Support Team and Procurement.

    Large-scale deployments should be run as projects, benefitting from economies of scale in each step

    Large-scale desktop deployments or data center upgrades will likely be managed as projects.

    These projects should include project plans, including resources, timelines, and detailed procedures.

    Define the process for large-scale deployment if it will differ from the regular deployment process.

    The image is a graphic of a flowchart titled Deployment-Equipment-Large Quantity Rollout. It is divided into three categories, listed on the left: IT Procurement; Desktop Rollout Team; Asset Manager.

    Document the deployment workflow(s)

    2.2.3 Document deployment workflows for desktop and large-scale deployment

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Operations (optional)
    • CFO or other management representative from Finance

    Document

    Document in the Standard Operating Procedures, Section 9: Deployment

    Document each step in the system deployment process with notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Outline each step in the process of desktop deployment. Be as granular as possible. On each card, describe the step as well as the individual responsible for it.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If yes, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    4. Document separately the process for large-scale deployment if required.

    Look for opportunities to improve the request and deployment process with better communication and tools

    The biggest challenge in deploying equipment is meeting expectations of the business, and without cooperation from multiple departments, this becomes significantly more difficult.

    • Work with the procurement and the services team to ensure inventory is accessible, and regularly validate that inventory levels in the ITAM database are accurate.
    • Work with the HR department to predict (where possible) anticipated new hires. Plan for inventory ebbs and flows to match the hiring timelines where there are large variations.
    • If service catalogs will be made available for communicating options and SLAs for equipment purchases, work with the service catalog administrators to automate inventory checks and notifications. Work with the end-user device managers to set standards and reduce equipment variations to a manageable amount.
    • Where deployments are part of equipment refresh, ensure data is up to date for the services team to plan the project rollouts and know which software should be redeployed with the devices.
    • Infrastructure and security teams may have specific hardware assets relating to networking, data centers, and security, which may bypass the end-user device workflows but need to be tagged and entered into inventory early in the process. Work with these teams to have their equipment follow the same receiving and inventory processes. Deployment will vary based on equipment type and location.

    Automate hardware deployment where users are dispersed and deployment volume is high

    Self-serve kiosks (vending machines) can provide cost reductions in delivery of up to 25%. Organizations that have a high distribution rate are seeing reductions in cost of peripherals averaging 30-35% and a few extreme cases of closer to 85%.

    Benefits of using vending machines:

    • Secure equipment until deployed.
    • Equipment can be either purchased by credit card or linked to employee ID cards, enabling secure transactions and reporting.
    • Access rights can be controlled in real time, preventing terminated employees from accessing equipment or managing how many devices can be deployed to each user.
    • Vending machines can be managed through a cellular or wireless network.
    • Technology partners can be tasked with monitoring and refilling vending machines.
    • Employees are able to access technology wherever a vending machine can be located rather than needing to travel to the help desk.
    • Equipment loans and new employee packages can be managed through vending machines.

    Phase 2 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Request, Procure, Receive, and Deploy

    Proposed Time to Completion: 4 weeks

    Step 2.1: Request & Procure

    Start with an analyst kick-off call:

    • Define standard and non-standard hardware.
    • Weigh the pros and cons of leasing vs. buying.
    • Build the procurement process.

    Then complete these activities…

    • Define standard hardware requests.
    • Document standard hardware request procedure.
    • Document procurement workflow.
    • Build a purchasing policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Non-Standard Hardware Request Form
    • Hardware Procurement Workflow
    • Purchasing Policy

    Step 2.2: Receive & Deploy

    Review findings with analyst:

    • Determine appropriate asset tagging method.
    • Define equipment receiving process.
    • Define equipment deployment process.

    Then complete these activities…

    • Select appropriate asset tagging method.
    • Design workflow for receiving and inventorying equipment.
    • Document the deployment workflow(s).

    With these tools & templates:

    • Standard Operating Procedures
    • Equipment Receiving & Tagging Workflow
    • Deployment Workflow

    Phase 2 Insight: Bridge the gap between IT and Finance to build a smoother request and procurement process through communication and routine reporting. If you’re unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1.2 Define standard hardware requests

    Divide whiteboard into columns representing core business areas. Define core hardware assets for end users in each division along with optional hardware assets. Discuss optional assets to narrow and define standard equipment requests.

    2.2.1 Select appropriate method for tagging and tracking assets

    Discuss the various asset tagging methods and choose the tagging method that is most appropriate for your organization. Define the process for tagging assets and document the standard asset tag location according to equipment type.

    Phase 3

    Maintain and Dispose

    Implement Hardware Asset Management

    Cisco overcame organizational resistance to change to improve asset security

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Cisco Systems had created a dynamic work environment that prized individuality. This environment created high employee satisfaction, but it also created a great deal of risk surrounding device security.

    Cisco lacked an asset security policy; there were no standards for employees to follow. This created a surplus of not only hardware, but software to support the variety of needs amongst various teams at Cisco.

    Solution

    The ITAM team at Cisco recognized that their largest problem was the lack of standardization with respect to PCs. Variance in cost, lifecycle, and software needs/compatibility were primary issues.

    Cisco introduced a PC leasing program with the help of a PC asset management vendor to correct these issues. The primary goal was to increase on-time returns of PCs. A set life of 30 months was defined by the vendor.

    Results

    Cisco engaged employees to help contribute to improving its asset management protocols, and the approach worked.

    On-time returns increased from 60% to 80%. Costs were reduced due to active tracking and disposal of any owned assets still present.

    A reduction in hardware and software platforms has cut costs and increased security thanks to improved tracking capabilities.

    This case study continues in phase 4

    Step 3.1: Manage, Maintain, and Secure Hardware Assets

    Phase 3: Maintain & Dispose

    3.1 Manage & Maintain

    3.2 Dispose or Redeploy

    This step will walk you through the following activities:

    3.1.1 Build a MAC policy and request form

    3.1.2 Build workflows to document user MAC processes

    3.1.3 Design process and policies for hardware maintenance, warranty, and support documentation handling

    3.1.4 Revise or create an asset security policy

    This step involves the following participants:

    • Asset Manager
    • Service Desk Manager
    • Operations (optional)
    • Security Department

    Step Outcomes

    • Understanding of inventory management process best practices
    • Templates for move/add/change request policy and form
    • Documented process workflows for the user move/add/change process
    • Process and policies for hardware maintenance, warranty, and support documentation handling
    • Defined policies for maintaining asset security

    Determine methods for performing inventory audits on equipment

    Auto-discovery

    • Auto-discovery tools will be crucial to the process of understanding what equipment is connected to the network and in use.
    • The core functionality of discovery tools is to scan the environment and collect configuration data from all connected assets, but most tools can also be used to collect usage data, network monitoring, and software asset management data including software distribution, compliance, and license information.
    • These tools may not connect to peripheral devices such as monitors and external drives, will not scan devices that are turned off or disconnected from the network, may not inventory remote users, and will rarely provide location information. This often results in a need to complete physical audits as well.

    Info-Tech Insight

    One of the most common mistakes we see when it comes to asset management is to assume that the discovery tool will discovery most or all of your inventory and do all the work. It is better to assume only 80-90% coverage by the discovery tool and build ownership records to uncover the unreportable assets that are not tied into the network.

    Physical audit

    • The physical audit can be greatly improved with barcode, RFID, or QR codes, allowing items to be scanned, records opened, then updated.
    • If not everything is tagged or entered into the ITAM database, then searching closets, cabinets, and desk drawers may be required to tag and enter those devices into the database.
    • Provide the inventory team with exact instructions on what needs to be collected, verified, and recorded. Depending on the experience and thoroughness of the team, spot checks early in the process may alleviate quality issues often discovered at the end of the inventory cycle.

    Determine requirements for performing inventory audits on equipment

    Conduct an annual hardware audit to ensure hardware is still assigned to the person and location identified in your ITAM system, and assess its condition.

    Perform a quarterly review of hardware stock levels in order to ensure all equipment is relevant and usable. The table below is an example of how to organize this information.

    Item Target Stock Levels Estimated $ Value
    Desktop computers
    Standard issue laptops
    Mice
    Keyboards
    Network cables
    Phones

    Info-Tech Insight

    Don’t forget about your remotely deployed assets. Think about how you plan to inventory remotely deployed equipment. Some tools will allow data collection through an agent that will talk to the server over the internet, and some will completely ignore those assets or provide a way to manually collect the data and email back to the asset manager. Mobile device management tools may also help with this inventory process. Determine what is most appropriate based on the volume of remote workers and devices.

    Build an inventory management process to maintain an accurate view of owned hardware assets

    • Your inventory should capture which assets are on hand, where they are located, and who owns them, at minimum. Maintaining an accurate, up-to-date view of owned hardware assets allows you to see at any time the actual state of the components that make up your infrastructure across the enterprise.
    • Automated inventory practices save time and effort from doing physical inventories and also reduce the interruption to business users while improving accuracy of data.
    • If you are just starting out, define the process for conducting an inventory of deployed assets, and then define the process for regular upkeep and audit of inventory data.

    Inventory Methods

    • Electronic – captures networked asset information only and can be deployed over the network with no deskside service interaction.
    • Physical – captures environmental detail and must be performed manually by a service technician with possible disruption to users.
    • Full inventory – both physical and electronic inventory of assets.

    Internal asset information to collect electronically

    • Hardware configuration
    • Installed software
    • Operating system
    • System BIOS
    • Network configuration
    • Network drive mappings
    • Printer setups
    • System variables

    External asset information that cannot be detected electronically

    • Assigned user
    • Associated assets
    • Asset/user location
    • Usage of asset
    • Asset tag number

    IMAC (Install, Move, Add, Change) services will form the bulk of asset management work while assets are deployed

    IMAC services are usually performed at a user’s deskside by a services technician and can include:

    • Installing new desktops or peripherals
    • Installing or modifying software
    • Physically moving an end user’s equipment
    • Upgrading or adding components to a desktop

    Specific activities may include:

    Changes

    • Add new user IDs
    • Manage IDs
    • Network changes
    • Run auto-discovery scan

    Moves

    • Perform new location site survey
    • Coordinate with facilities
    • Disconnect old equipment
    • Move to new location
    • Reconnect at new location
    • Test installed asset
    • Obtain customer acceptance
    • Close request

    Installs and Adds

    • Perform site survey
    • Perform final configuration
    • Coordinate with Facilities
    • Asset tagging
    • Transfer data from old desktop
    • Wipe old desktop hard drive
    • Test installed asset
    • Initiate auto-discovery scan
    • Obtain customer acceptance
    • Close request

    A strong IMAC request process will lessen the burden on IT asset managers

    • When assets are actively in use, Asset Managers must also participate in the IMAC (Install-Move-Add-Change) process and ensure that any changes to asset characteristics or locations are updated and tracked in the asset management tool and that the value and usefulness of the asset is monitored.
    • The IMAC process should not only be reactive in response to requests, but proactive to plan for moves and relocations during any organizational change events.

    Recommendations:

    Automate. Wherever possible, use tools to automate the IMAC process.

    E-forms, help desk, ticketing, or change management software can automate the request workflow by allowing the requestor to submit a request ticket that can then be automatically assigned to a designated team member according to the established chain of command. As work is completed, the ticket can be updated, and the requestor will be able to check the status of the work at any time.

    Communicate the length of any downtime associated with execution of the IMAC request to lessen the frustration and impatience among users.

    Involve HR. When it comes to adding or removing user accounts, HR can be a valuable resource. As most new employees should be hired through HR, work with them to improve the onboarding process with enough advanced notice to set up accounts and equipment. Role changes with access rights and software modifications can benefit from improved communications. Review the termination process as well, to secure data and equipment.

    Build a MAC request policy and form for end users

    A consistent Move, Add, Change (MAC) request process is essential for lessening the burden on the IT department. MAC requests are used to address any number of tasks, including:

    • Relocation of PCs and/or peripherals.
    • New account setup.
    • Hardware or software upgrades.
    • Equipment swaps or replacements.
    • User account/access changes.
    • Document generation.
    • User acceptance testing.
    • Vendor coordination.

    Create a request form.

    If you are not using help desk or other ticketing software, create a request template that must be submitted for each MAC. The request should include:

    • The name and department of the requester.
    • The date of the request.
    • Severity of the request. For example, severity can be graded on a score of high, medium, or low where high represents a mission-critical change that could compromise business continuity if not addressed immediately, and low represents a more cosmetic change that will not negatively affect operations. The severity of the request can be determined by the service-level agreement (SLA) associated with the service.
    • Date the request must be completed by. Or at least, what would be the ideal date for completion. This will vary greatly depending on the severity of the request. For example, deleting the access of a terminated employee would be very time sensitive.
    • Item or service to be moved, added, or changed. Include location, serial number, or other designated identifier where possible.
    • If the item or service is to be moved, indicated where it is being moved.
    • It is a good idea to include a comments section where the requester can add any additional questions or details.

    Use Info-Tech’s templates to build your MAC policy and request form

    3.1.1 Build a MAC policy and request form

    Desktop Move/Add/Change Policy

    This desktop move/add/change policy should be put in place to mitigate the risk associated with unauthorized changes, minimize disruption to the business, IT department, and end users, and maintain consistent expectations.

    Move, Add, Change Request Form

    Help end users navigate the move/add/change process. Use the Move/Add/Change Request Form to increase efficiency and organization for MAC requests.

    Document the process for user equipment moves

    Include the following in your process documentation:

    • How and when will any changes to user or location information be made in the ITAM tool?
    • Will any changes in AD automatically update in the ITAM tool?
    • How should requests for equipment moves or changes be made?
    • How will resources be scheduled?

    The image shows a flowchart titled SErvice Request - User Moves. The chart of processes is split into three categories, listed on the left side of the chart: User Manager; IT Coordinator; and Tier 2 & Facilities.

    Build workflows to document user MAC processes

    3.1.2 Build MAC process workflows

    Participants

    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 10: Equipment Install, Adds, Moves, and Changes

    Document each step in the system deployment process using notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Outline each step in the process of desktop deployment. Be as granular as possible. On each card, describe the step as well as the individual responsible for each step.
    2. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    3. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    4. Document separately the process for large-scale deployment if required.

    Define a policy to ensure effective maintenance of hardware assets

    Effective maintenance and support of assets provides longer life, higher employee productivity, and increased user satisfaction.

    • Your asset management documentation and database should store equipment maintenance contract information so that it can be consulted whenever hardware service is required.
    • Record who to contact as well as how, warranty information, and any SLAs that are associated with the maintenance agreement.
    • Record all maintenance that hardware equipment receives, which will be valuable for evaluating asset and supplier performance.
    • In most cases, the Service Desk should be the central point of contact for maintenance calls to all suppliers.

    Sample equipment maintenance policy terms:

    • Maintenance and support arrangements are required for all standard and non-standard hardware.
    • All onsite hardware should be covered by onsite warranty agreements with appropriate response times to meet business continuity needs.
    • Defective items under warranty should be repaired in a timely fashion.
    • Service, maintenance, and support shall be managed through the help desk ticketing system.

    Design process and policies for hardware maintenance, warranty, and support documentation handling

    3.1.3 Design process for hardware maintenance

    Participants

    • Asset Manager
    • Purchasing
    • Service Desk Manager
    • Security
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Section 10

    1. Discuss and document the policy for hardware maintenance, warranty, and support.
    2. Key outcomes should include:
    • Who signs off on policies?
    • What is the timeline for documentation review?
    • Where are warranty and maintenance documents stored?
    • How will equipment be assessed for condition during audits?
    • How often will deployed equipment be reimaged?
    • How will equipment repair needs be requested?
    • How will repairs for equipment outside warranty be handled?
  • Document in the Standard Operating Procedure.
  • Use your HAM program to improve security and meet regulatory requirements

    ITAM complements and strengthens security tools and processes, improving the company’s ability to protect its data and systems and reduce operational risk.

    It’s estimated that businesses worldwide lose more than $221 billion per year as a result of security breaches. HAM is one important factor in securing data, equipment investment, and meeting certain regulatory requirements.

    How does HAM help keep your organization secure?

    • Educating users on best practices for securing their devices, and providing physical security such as cable locks and tracking mechanisms.
    • Best practices for reporting lost or stolen equipment for quickly removing access and remotely wiping devices.
    • Accurate location and disposal records will enable accurate reporting for HIPAA and PCI DSS audits where movement of media or hardware containing data is a requirement. Best practices for disposal will include properly wiping drives, recording information, and ensuring equipment is disposed of according to environmental regulations.
    • Secure access to data through end-user mobile devices. Use accurate records and MDM tools to securely track, remove access, and wipe mobile devices if compromised.
    • Encrypt devices that may be difficult to track such as USB drives or secure ports to prevent data from being copied to external drives.
    • Managed hardware allows software to be managed and patched on a regular basis.

    Best Practices

    1. Educate end users about traveling with equipment. Phones and laptops are regularly stolen from cars; tablets and phones are left on planes. Encourage users to consider how they store equipment on the way home from work.
    2. Cable locks used at unsecured offsite or onsite work areas should be supplied to employees.
    3. Equipment stored in IT must be secured at all times.

    Implement mobile device management (MDM) solutions

    Organizations with a formal mobile management strategy have fewer problems with their mobile devices.

    Develop a secure MDM to:

    • Provide connection and device support when the device is fully subsidized by the organization to increase device control.
    • Have loaner devices for when traveling to limit device theft or data loss.
    • Personal devices not managed by MDM should be limited to internet access on a guest network.
    • Limit personal device access to only internet access or a limited zone for data access and a subset of applications.
    • Advanced MDM platforms provide additional capabilities including containerization.

    The benefits of a deployed MDM solution:

    • Central management of a variety of devices and platforms is the most important advantage of MDM. Administrators can gain visibility into device status and health, set policies to groups of users, and control who has access to what.
    • Security features such as enforcing passcodes and remote wipe are also essential, given the increased risk of mobile devices.
      • Remote wipe should be able to wipe either the whole device or just selected areas.
    • Separation of personal data is becoming increasingly important as BYOD becomes the norm. This is a feature that vendors are approaching radically differently.
    • Device lock: Be able to lock the device itself, its container, or its SIM. Even if the SIM is replaced, the device should still remain locked. Consider remote locking a device if retrieval is possible.

    Mobile device management is constantly evolving to incorporate new features and expand to new control areas. This is a high-growth area that warrants constant up-to-date knowledge on the latest developments.

    What can be packed into an MDM can vary and be customized in many forms for what your organization needs.

    Secure endpoint devices to protect the data you cannot control

    Endpoint Encryption

    Endpoints Average None
    Desktop 73% 4%
    Laptops 65% 9%
    Smartphones 27% 28%
    Netbooks 26% 48%
    Tablets 16% 59%
    Grand average 41%

    Benefits from endpoint encryption:

    • Reduced risk associated with mobile workers.
    • Enabled sharing of data in secured workspace.
    • Enhanced end-user accountability.
    • Reduced number of data breach incidents.
    • Reduced number of regulatory violations.

    Ways to reduce endpoint encryption costs:

    • Use multiple vendors (multiple platforms): 33%
    • Use a single vendor (one platform): 40%
    • Use a single management console: 22%
    • Outsource to managed service provider: 26%
    • Permit user self-recovery: 26%

    Remote Wiping

    • If all else fails, a device can always be erased of all its data, protecting sensitive data that may have been on it.
    • Selective wipe takes it a step further by erasing only sensitive data.

    Selective wipe is not perfect.

    It is nearly impossible to keep the types of data separate, even with a sandbox approach. Selective wipe will miss some corporate data, and even a full remote wipe can only catch some of users’ increasingly widely distributed data.

    Selective wipe can erase:

    • Corporate profiles, email, and network settings.
    • Data within a corporate container or other sandbox.
    • Apps deployed across the enterprise.

    Know when to perform a remote wipe.

    Not every violation of policy warrants a wipe. Playing Candy Crush during work hours probably does not warrant a wipe, but jail breaking or removing a master data management client can open up security holes that do warrant a wipe.

    Design an effective asset security policy to protect the business

    Data security is not simply restricted to compromised software. In fact, 70% of all data breaches in the healthcare industry since 2010 are due to device theft or loss, not hacking. (California Data Breach Report – October, 2014) ITAM is not just about tracking a device, it is also about tracking the data on the device.

    Organizations often struggle with the following with respect to IT asset security:

    • IT hardware asset removal control.
    • Personal IT hardware assets (BYOD).
    • Data removal from IT hardware assets.
    • Inventory control with respect to leased hardware and software.
    • Unused software.
    • Repetitive versions of software.
    • Unauthorized software.

    Your security policy should seek to protect IT hardware and software that:

    • Have value to the business.
    • Require ongoing maintenance and support.
    • Create potential risk in terms of financial loss, data loss, or exposure.

    These assets should be documented and controlled in order to meet security requirements.

    The asset security policy should encompass the following:

    • Involved parties.
    • Hardware removal policy/documentation procedure.
    • End-user asset security responsibilities.
    • Theft/loss reporting procedure.
    • BYOD standards, procedures, and documentation requirements.
    • Data removal.
    • Software usage.
    • Software installation.

    Info-Tech Insight

    Hardware can be pricey; data is priceless. The cost of losing a device is minimal compared to the cost of losing data contained on a device.

    Revise or create an asset security policy

    3.1.4 Develop IT asset security policy

    Participants

    • CIO or IT Director
    • Asset Manager
    • Service Desk Manager
    • Security
    • Operations (optional)

    Document

    Document in the Asset Security Policy.

    1. Identify asset security challenges within your organization. Record them in a table like the one below.
    Challenge Current Security Risk Target Policy
    Hardware removal Secure access and storage, data loss Designated and secure storage area
    BYOD No BYOD policy in place N/A → phasing out BYOD as an option
    Hardware data removal Secure data disposal Data disposal, disposal vendor
    Unused software Lack of support/patching makes software vulnerable Discovery and retirement of unused software
    Unauthorized software Harder to track, less secure Stricter stance on pirated software
    1. Brainstorm the reasons for why these challenges exist.
    2. Identify target policy details that pertain to each challenge. Record the outcomes in section(s) 5.1, 5.2, or 5.3 of the Asset Security Policy.

    Poor asset security and data protection had costly consequences for UK Ministry of Justice

    CASE STUDY

    Industry Legal

    Source ICO

    Challenge

    The Ministry of Justice (MoJ) in the UK had a security problem: hard drives that contained sensitive prisoner data were unencrypted and largely unprotected for theft.

    These hard drives contained information related to health, history of drug use, and past links to organized crime.

    After two separate incidents of hard drive theft that resulted in data breaches, the Information Commissioner’s Office (ICO), stepped in.

    Solution

    It was determined that after the first hard drive theft in October 2011, replacement hard drives with encryption software were provisioned to prisons managed by the MoJ.

    Unfortunately, the IT security personnel employed by the MoJ were unaware that the encryption software required manual activation.

    When the second hard drive theft occurred, the digital encryption could not act as a backup to poor physical security (the hard drive was not secured in a locker as per protocol).

    Results

    The perpetrators were never found and the stolen hard drives were never recovered.

    As a result of the two data breaches, the MoJ had to implement costly security upgrades to its data protection system.

    The ICO fined the MoJ £180,000 for its repeated security breaches. This costly fine could have been avoided if more diligence was present in the MoJ’s asset management program.

    Step 3.2: Dispose or Redeploy Assets

    3.1 Manage & Maintain

    3.2 Dispose or Redeploy

    This step will walk you through the following activities:

    3.2.1 Identify challenges with IT asset recovery and disposal

    3.2.2 Design hardware asset recovery and disposal workflows

    3.2.3 Build a hardware asset disposition policy

    This step involves the following participants:

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Step Outcomes:

    • Defined process to determine when to redeploy vs. dispose of hardware assets
    • Process for recovering and redeploying hardware equipment
    • Process for safely disposing of assets that cannot be redeployed
    • Comprehensive asset disposition policy

    Balance the effort to roll out new equipment against the cost to maintain equipment when building your lifecycle strategy

    The image shows two line graphs. The graph on the left is titled: Desktop Refresh Rate by Company Size (based on Revenue). The graph on the right is titled: Laptop Refresh Rate by Company Size (based on Revenue). Each graph has four lines, defined by a legend in the centre of the image: yellow is small ($25mm); dark blue is Mid ($25-500MM); light blue is large ( data-verified=$500MM); and orange is Overall.">

    (Info-Tech Research Group; N=96)

    Determining the optimal length of time to continue to use equipment will depend on use case and equipment type

    Budget profiles Refresh methods

    Stretched

    Average equipment age: 7+ years

    To save money, some organizations will take a cascading approach, using the most powerful machines for engineers or scientists to ensure processing power, video requirements and drives will meet the needs of their applications and storage needs; then passing systems down to departments who will require standard-use machines. The oldest and least powerful machines are either used as terminals or disposed.

    Generous

    Average equipment age: 3 years

    Organizations that do not want to risk user dissatisfaction or potential compatibility or reliability issues will take a more aggressive replacement approach. These organizations often have less people assigned to end-user device maintenance and will not repair equipment outside of warranty. There is little variation in processing power among devices, with major differences determined by mobility and operating system.

    Cautious

    Average equipment age: 4 to 5 years

    Organizations that fit between the other two profiles will look to stretch the budget beyond warranty years, but will keep a close eye on maintenance requirements. Repairs needed outside of warranty will require an eye to costs, efforts, and subsequent administrative work of loaning equipment to keep the end user productive while waiting on service.

    Recommendations to keep users happy and equipment in prime form is to check condition at the 2-3 year mark, reimage at least once to improve performance, and have backup machines, if equipment starts to become problematic.

    Build a process to determine when and how to redeploy or dispose of hardware assets at end of use

    • When equipment is no longer needed for the function or individual to whom it was assigned, the Hardware Asset Manager needs to use data to ensure the right decision is made as to what to do with the asset.
    • End of use involves evaluating options for either continuing to use the equipment in another capacity or by another individual or determining that the asset has no remaining value to the organization in any capacity and it is time to retire it.
    • If the asset is retired, it may still have capacity for continued use outside of the organization or it may be disposed.

    Redeployment

    • Deliver the asset to a new user if it is no longer needed by the original user but still has value and usability.
    • Redeployment saves money and prevents unnecessary purchases.
    • Common when employees leave the company or a merge or acquisition changes the asset pool.

    VS.

    Disposal

    • When an asset is no longer of use to the organization, it may be disposed of.
    • Need to consider potential financial and public relations considerations if disposal is not done according to environmental legislation.
    • Need to ensure proper documentation and data removal is built into disposition policy.

    Use persistent documentation and communication to improve hardware disposal and recovery

    Warning! Poor hardware disposal and recovery practices can be caused by the following:

    1. Your IT team is too busy and stretched thin. Data disposal is one of many services your IT team is likely to have to deal with, but this service requires undivided attention. By standardizing hardware refreshes, you can instill more predictability with your hardware life cycles and better manage disposal.
    2. Poor inventory management. Outdated data and poor tracking practices can result in lost assets during the disposal phase. It only takes a single lost asset to cause a disastrous data breach in your supply chain.
    3. Obliviousness to disposal regulations. Electronic disposal and electronically stored data are governed by strict regulation.

    How do you improve your hardware disposal and recovery process?

    • A specific, controlled process needs to be in place to wipe all equipment and verify that it’s been wiped properly. Otherwise, companies will continue to spend money to protect data while equipment is in use, but overlook the dangerous implications of careless IT asset disposal. Create a detailed documentation process to track your assets every step of the way to ensure that data and applications are properly disposed of. Detailed documentation can also help bolster sustainability reporting for organizations wishing to track such data.
    • Better communication should be required. Most decommissioning or refresh processes use multiple partners for manufacturing, warehousing, data destruction, product resale, and logistics. Setting up and vetting these networks can take years, and even then, managing them can be like playing a game of telephone; transparency is key.

    Address three core challenges of asset disposal and recovery

    Asset Disposal

    Data Security

    Sixty-five percent of organizations cite data security as their top concern. Many data breaches are a result of hardware theft or poor data destruction practices.

    Choosing a reputable IT disposal company or data removal software is crucial to ensuring data security with asset disposal.

    Environmental

    Electronics contain harmful heavy metals such as mercury, arsenic, and cadmium.

    Disposal of e-waste is heavily regulated, and improper disposal can result in hefty fines and bad publicity for organizations.

    Residual value

    Many obsolete IT assets are simply confined to storage at their end of life.

    This often imposes additional costs with maintenance or storage fees and leaves a lot of value on the table through assets that could be sold or re-purposed within the organization.

    Identify challenges with IT asset recovery and disposal with a triple bottom line scorecard

    3.2.1 Identify challenges with IT asset recovery and disposal

    Participants

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)
    1. Divide the whiteboard into three boxes: Social, Economic, and Environmental.
    2. Divide each box into columns like the one shown below:
    Economic
    Challenge Objectives Targets Initiatives
    No data capture during disposal Develop reporting standards 80% disposed assets recorded Work with Finance to develop reporting procedure
    Idle assets Find resale market/dispose of idle assets 50% of idle assets disposed of within the year Locate resale vendor and disposal service
    1. Ask participants to list challenges associated with each area.
    2. Once challenges facing recovery and disposal have been exhausted from the group, assign a significance of 1-5 (1 being the lowest and 5 being the highest) to each challenge.
    3. Discuss the most significant challenges and how they might be addressed through the next steps of building recovery & disposal processes.

    Build a process for recovery and redeployment of hardware

    • Having hardware standards in place makes redeploying easier by creating a larger pool of possible users for a standardized asset.
    • Most redeployment activities will be carried out by the Help Desk as a service request ticket, so it is important to have clear communication and guidelines with the Help Desk as to which tasks need to be carried out as part of the request.

    Ensure the following are addressed:

    • Where will equipment be stored before being redeployed?
    • Will shipping be required and are shipping costs factored into analysis?
    • Ensure equipment is cleaned before it is redeployed.
    • Do repairs and reconfigurations need to be made?
    • How will software be removed and licenses harvested and reported to Software Asset Manager?
    • How will data be securely wiped and protected?

    The image shows a work process in flowchart format titled Equipment Recovery. The chart is divided into two sections, listed on the left: Business Manager/HR and Desktop Support Team.

    Define the process for safely disposing of assets that cannot be redeployed

    Asset Disposal Checklist

    1. Review the data stored on the device.
    2. Determine if there has been any sensitive or confidential information stored.
    3. Remove all sensitive/confidential information.
    4. Determine if software licenses are transferable.
    5. Remove any non- transferable software prior to reassignment.
    6. Update the department’s inventory record to indicate new individual assigned custody.
    7. In the event of a transfer to another department, remove data and licensed software.
    8. If sensitive data has been stored, physically destroy the storage device.
    • Define the process for retiring and disposing of equipment that has reached replacement age or no longer meets minimum conditions or standards.
    • Clearly define the steps that need to be taken both before and after the involvement of an ITAD partner.

    The image shows a flowchart titled Equipment Disposal. It is divided into two sections, labelled on the left as: Desktop Support Team and Asset Manager.

    Design hardware asset recovery and disposal workflows

    3.2.2 Design hardware asset recovery and disposal policies and workflows

    Participants

    • Infrastructure Director/Manager
    • Asset Manager
    • Service Desk Manager
    • Operations (optional)

    Document

    Document in the Standard Operating Procedures, Sections 11 and 12

    Document each step in the recovery and disposal process in two separate workflows using notecards or on a whiteboard. Identify the challenges faced by your organization and strategize potential solutions.

    1. Keeping in mind current challenges around hardware asset recovery and disposal, design the target state for both the asset recovery and disposal processes.
    2. Outline each step of the process and be as granular as possible.
    3. When you are satisfied that each step is accurately captured, use a second color of notecard to document any challenges, inefficiencies, or pains associated with each step. Consider further documenting the time on each task.
    4. Examine each challenge or pain point. Discuss whether or not there is a clear solution to the problem. If so, document the solution and amend the workflow. If not, engage in a broader discussion of possible solutions, taking into account people, processes, and available technology.
    5. Review the checklists on the previous slides to ensure all critical tasks are accounted for in your process workflows.

    Add equipment disposition to asset lifecycle decisions to meet environmental regulations and mitigate risk

    Although traditionally an afterthought in asset management, IT asset disposition (ITAD) needs to be front and center. Increase focus on data security and concern surrounding environmental sustainability and develop an awareness of the cost efficiencies possible through best-practices disposition.

    Optimized ITAD solutions:

    1. Protect sensitive or valuable data
    2. Support sustainability
    3. Focus on asset value recovery

    Info-Tech Insight

    A well-thought-out asset management program mitigates risk and is typically less costly than dealing with a large-scale data loss incident or an inappropriate disposal suit. Also, it protects your company’s reputation – which is difficult to put a price on.

    Partner with an ITAD vendor to support your disposition strategy

    Maximizing returns on assets requires knowledge and skills in asset valuation, upgrading to optimize market return, supply chain management, and packaging and shipping. It’s unlikely that the return will be adequate to justify that level of investment, so partnering with a full-service ITAD vendor is a no-brainer.

    • An ITAD vendor knows the repurpose and resale space better than your organization. They know the industry and have access to more potential buyers.
    • ITAD vendors can help your organization navigate costly environmental regulations for improper disposal of IT assets.

    Disposal doesn’t mean your equipment has to go to waste.

    Additionally, your ITAD vendor can assist with a large donation of hardware to a charitable organization or a school.

    Donating equipment to schools or non-profits may provide charitable receipts that can be used as taxable benefits.

    Before donating:

    • Ensure equipment is needed and useful to the organization.
    • Be prepared for an appraisal requirement. Receipts can only be issued for fair market value.
    • Prevent compromised data by thoroughly wiping or completely replacing drives.
    • Ensure official transfer of ownership to prevent liability if improper disposal practices follow.

    Info-Tech Insight

    Government assistance grants may be available to help keep your organization’s hardware up to date, thereby providing incentives to upgrade equipment while older equipment still has a useful life.

    Protect the organization by sufficiently researching potential ITAD partners

    Research ITAD vendors as diligently as you would primary hardware vendors.

    Failure to thoroughly investigate a vendor could result in a massive data breach, fines for disposal standards violations, or a poor resale price for your disposed assets. Evaluate vendors using questions such as the following:

    • Are you a full-service vendor or are you connected to a wholesaler?
    • Who are your collectors and processors?
    • How do you handle data wiping? If you erase the data, how many passes do you perform?
    • What do you do with the e-waste? How much is reused? How much is recycled?
    • Do you have errors and omissions insurance in case data is compromised?
    • How much will it cost to recycle or dispose of worthless equipment?
    • How much will I receive for assets that still have useful life?

    ITAD vendors that focus on recycling will bundle assets to ship to an e-waste plant – leaving money on the table.

    ITAD vendors with a focus on reuse will individually package salable assets for resale – which will yield top dollars.

    Info-Tech Insight

    To judge the success of a HAM overhaul, you need to establish a baseline with which to compare final results. Be sure to take HAM “snapshots” before ITAD partnering so it’s easy to illustrate the savings later.

    Work with ITAD partner or equipment supplier to determine most cost-effective method and appropriate time for disposal

    2-4 Two-to-four year hardware refresh cycle

    • Consider selling equipment to an ITAD partner who specializes in sales of refurbished equipment.
    • Consider donating equipment to schools or non-profits, possibly using an ITAD partner who specializes in refurbishing equipment and managing the donation process.

    5-7 Five-to-seven year hardware refresh cycle

    • At this stage equipment may still have a viable life, but would not be appropriate for school or non-profit donations, due to a potentially shorter lifespan. Consider selling equipment to an ITAD partner who has customers interested in older, refurbished equipment.

    7+ Seven or more years hardware refresh cycle

    • If keeping computers until they reach end of life, harvest parts for replacement on existing machines and budget for disposal fees.
    • Ask new computer supplier about disposal services or seek out ITAD partner who will disassemble and dispose of equipment in an environmentally responsible manner.

    Info-Tech Insight

    • In all cases, ensure hard drives are cleansed of data with no option for data recovery. Many ITAD partners will provide a drive erasure at DoD levels as part of their disposal service.
    • Many ITAD partners will provide analysts to help determine the most advantageous time to refresh.

    Ensure data security and compliance by engaging in reliable data wiping before disposition

    Failure to properly dispose of data can not only result in costly data breaches, but also fines and other regulatory repercussions. Choosing an ITAD vendor or a vendor that specializes in data erasure is crucial. Depending on your needs, there are a variety of data wiping methods available.

    Certified data erasure is the only method that leaves the asset’s hard drive intact for resale or donation. Three swipes is the bare minimum, but seven is recommended for more sensitive data (and required by the US Department of Defense). Data erasure applications may be destructive or non-destructive – both methods overwrite data to make it irretrievable.

    Physical destruction must be done thoroughly, and rigorous testing must be done to verify data irretrievability. Methods such as hand drilling are proven to be unreliable.

    Degaussing uses high-powered magnets to erase hard drives and makes them unusable. This is the most expensive option; degaussing devices can be purchased or rented.

    Info-Tech Best Practice

    Data wiping can be done onsite or can be contracted to an ITAD partner. Using an ITAD partner can ensure greater security at a more affordable price.

    Make data security a primary driver of asset disposition practices

    It is estimated that 10-15% of data loss cases result from insecure asset disposal. Protect yourself by following some simple disposition rules.

    1. Reconcile your data onsite
    • Verify that bills of landing and inventory records match before assets leave. Otherwise, you must take the receiver’s word on shipment contents.
  • Wipe data at least once onsite
    • Do at least one in-house data wipe before the assets leave the site for greater data security.
  • Transport promptly after data wiping
    • Prompt shipment will minimize involvement with the assets, and therefore, cost. Also, the chance of missing assets will drop dramatically.
  • Avoid third-party transport services
    • Reputable ITAD companies maintain strict chain of custody control over assets. Using a third party introduces unnecessary risk.
  • Keep detailed disposition records
    • Records will protect you in the event of an audit, a data loss incident, or an environmental degradation claim. They could save you millions.
  • Wipe all data-carrying items
    • Don’t forget cell phones, fax machines, USB drives, scanners, and printers – they can carry sensitive information that can put the organization at risk.
  • Only partner with insured ITAD vendors
    • You are never completely out of danger with regards to liability, but partnering with an insured vendor is potent risk mitigation.
  • Work these rules into your disposition policy to mitigate data loss risk.

    Support your HAM efforts with a comprehensive disposition policy

    3.2.3 Build a Hardware Asset Disposition Policy

    Implementation of a HAM program is a waste of time if you aren’t going to maintain it. Maintenance requires the implementation of detailed policies, training, and an ongoing commitment to proper management.

    Use Info-Tech’s Hardware Asset Disposition Policy to:

    1. Establish and define clear standards, procedures, and restrictions surrounding disposition.
    2. Ensure continual compliance with applicable data security and environmental legislation.
    3. Assign specific responsibilities to individuals or groups to ensure ongoing adherence to policy standards and that costs or benefits are in line with expectations.

    Phase 3 Guided Implementation

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Maintain & Dispose

    Proposed Time to Completion: 4 weeks

    Start with an analyst kick-off call:

    • Discuss inventory management best practices.
    • Build process for moves, adds, and changes.
    • Build process for hardware maintenance.
    • Define policies for maintaining asset security.

    Then complete these activities…

    • Build a MAC policy and request form.
    • Build workflows to document user MAC processes.
    • Design processes and policies for hardware maintenance, warranty, and support documentation handling.
    • Build an asset security policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Asset Security Policy

    Step 3.2: Dispose or Redeploy Assets

    Review findings with analyst:

    • Discuss when to dispose vs. redeploy assets.
    • Build process for redeploying vs. disposing of assets.
    • Review ITAD vendors.

    Then complete these activities…

    • Identify challenges with IT asset recovery and disposal.
    • Design hardware asset recovery and disposal workflows.
    • Build a hardware asset disposition policy.

    With these tools & templates:

    • Standard Operating Procedures
    • Asset Recovery Workflow
    • Asset Disposal Workflow
    • Hardware Asset Disposition Policy

    Phase 3 Insight: Not all assets are created equal. Taking a blanket approach to asset maintenance and security is time consuming and costly. Focus on the high-cost, high-use, and data-sensitive assets first.

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1.4 Revise or create an asset security policy

    Discuss asset security challenges within the organization; brainstorm reasons the challenges exist and process changes to address them. Document a new asset security policy.

    3.2.2 Design hardware asset recovery and disposal workflows

    Document each step in the hardware asset recovery and disposal process, including all decision points. Examine challenges and amend the workflow to address them.

    Phase 4

    Plan Budget Process and Build Roadmap

    Implement Hardware Asset Management

    Cisco deployed an enterprise-wide re-education program to implement asset management

    CASE STUDY

    Industry Networking

    Source Cisco IT

    Challenge

    Even though Cisco Systems had designed a comprehensive asset management program, implementing it across the enterprise was another story.

    An effective solution, complete with a process that could be adopted by everyone within the organization, would require extensive internal promotion of cost savings, efficiencies, and other benefits to the enterprise and end users.

    Cisco’s asset management problem was as much a cultural challenge as it was a process challenge.

    Solution

    The ITAM team at Cisco began discussions with departments that had been tracking and managing their own assets.

    These sessions were used as an educational tool, but also as opportunities to gather internal best practices to deploy across the enterprise.

    Eventually, Cisco introduced weekly meetings with global representation to encourage company-wide communication and collaboration.

    Results

    By establishing a process for managing PC assets, we have cut our hardware costs in half.” – Mark Edmonson, Manager – IT Services Expenses

    Cisco reports that although change was difficult to adopt, end-user satisfaction has never been higher. The centralized asset management approach has resulted in better contract negotiations through better data access.

    A reduced number of hardware and software platforms has streamlined tracking and support, and will only drive down costs as time goes on.

    Step 4.1: Plan Hardware Asset Budget

    Phase 4: Plan Budget & Build Roadmap

    4.1 Plan Budget

    4.2 Communicate & Build Roadmap

    This step will walk you through the following activities:

    4.1 Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    This step involves the following participants:

    • IT Director
    • Asset Manager
    • Finance Department

    Step Outcomes

    • Know where to find data to budget for hardware needs accurately
    • Learn how to manage a hardware budget
    • Plan hardware asset budget with a budgeting tool

    Gain control of the budget to increase the success of HAM

    A sophisticated hardware asset management program will be able to uncover hidden costs, identify targets for downsizing, save money through redistributing equipment, and improve forecasting of equipment to help control IT spending.

    While some asset managers may not have experience managing budgets, there are several advantages to ITAM owning the hardware budget:

    • Be more involved in negotiating pricing with suppliers.
    • Build better relationships with stakeholders across the business.
    • Forecast requirements more accurately.
    • Inform benchmarks for hardware performance.
    • Gain more responsibility and have a greater influence on purchasing decisions.
    • Directly impact the reduction in IT spend.
    • Manage the asset database more easily and have a greater understanding of hardware needs.
    • Build a continuous rolling refresh.

    Use ITAM data to forecast hardware needs accurately and realistically

    Your IT budget should be realistic, accounting for business needs, routine maintenance, hardware replacement costs, unexpected equipment failures, and associated support and warranty costs. Know where to find the data you need and who to work with to forecast hardware needs as accurately as possible.

    What type of data should I take into account?

    Plan for:

    • New hardware purchases required
      • Planned refreshes based on equipment lifecycle
      • Inventory for break and fix
      • Standard equipment for new hires
      • Non-standard equipment required
      • Hardware for planned projects
      • Implementation and setup costs
      • Routine hardware implementation
      • Large hardware implementation for projects
      • Support and warranty costs

    Take into account:

    • Standard refresh cycle for each hardware asset
    • Amount of inventory to keep on hand
    • Length of time from procurement to inventory
    • Current equipment costs and equipment price increases
    • Equipment depreciation rates and resale profits

    Where do I find the information I need to budget accurately?

    • Work with HR to forecast equipment needs for new hires.
    • Work with the Infrastructure Manager to forecast devices and equipment needed for approved and planned projects.
    • Use the asset management database to forecast hardware refresh and replacement needs based on age and lifecycle.
    • Work with business stakeholders to ensure all new equipment needs are accounted for in the budget.

    Use Info-Tech’s HAM Budgeting Tool to plan your hardware asset budget

    4.1.1 Build HAM budget

    This tool is designed to assist in developing and justifying the budget for hardware assets for the upcoming year. The tool will allow you to budget for projects requiring hardware asset purchases as well as equipment requiring refresh and to adjust the budget as needed to accommodate both projects and refreshes. Follow the instructions on each tab to complete the tool.

    The hardware budget should serve as a planning and communications tool for the organization

    The most successful relationships have a common vocabulary. Thus, it is important to translate “tech speak” into everyday language and business goals and initiatives as you plan your budget.

    One of the biggest barriers that infrastructure and operations team face with regards to equipment budgeting is the lack of understanding of IT infrastructure and how it impacts the rest of the organization. The biggest challenge is to help the rest of the organization overcome this barrier.

    There are several things you can do to overcome this barrier:

    • Avoid using technical terms or jargon. Terms many would consider common knowledge, such as “WLAN,” are foreign to many.
    • Don’t assume the business knows how the technology you’re referring to will impact their day-to-day work. You will need to demonstrate it to them.
    • Help the audience understand the business impact of not implementing each initiative. What does this mean for them?
    • Discuss the options on the table in terms of the business value that the hardware can enable. Review how deferring refresh projects can impact user-facing applications, systems, and business unit operations.
    • Present options. If you can’t implement everything on the project list, present what you can do at different levels of funding.

    Info-Tech Insight

    Err on the side of inviting more discussion. Your budgeting process relies on business decision makers and receiving actionable feedback requires an ongoing exchange of information.

    Help users understand the importance of regular infrastructure refreshes

    Getting business users to support regular investments in maintenance relies on understanding and trust. Present the facts in plain language. Provide options, and clearly state the impact of each option.

    Example: Your storage environment is nearing capacity.

    Don’t:

    Explain the project exclusively in technical terms or slang.

    We’re exploring deduping technology as well as cheap solid state, SATA, and tape storage to address capacity.”

    Do:

    • Explain impact in terms that the business can understand.

    Deduplication technology can reduce our storage needs by up to 50%, allowing us to defer a new storage purchase.”

    • Be ready to present project alternatives and impacts.

    Without implementing deduplication technology, we will need to purchase additional storage by the end of the year at an estimated cost of $25,000.”

    • Connect the project to business initiatives and strategic priorities.

    This is a cost-effective technique to increase storage capacity to manage annual average data growth at around 20% per year.

    Step 4.2: Build Communication Plan and Roadmap

    Phase 4: Plan Budget & Build Roadmap

    4.1 Plan Budget

    4.2 Communicate & Build Roadmap

    This step will walk you through the following activities:

    4.2 Develop a HAM implementation roadmap

    This step involves the following participants:

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Step Outcomes

    • Documented end-user hardware asset management policies
    • Communications plan to achieve support from end users and other business units
    • HAM implementation roadmap

    Educate end users through ITAM training to increase program success

    As part of your communication plan and overall HAM implementation, training should be provided to end users within the organization.

    All facets of the business, from management to new hires, should be provided with ITAM training to help them understand their role in the project’s success.

    ITAM solutions are complex by nature with both business process and technical knowledge required to use them correctly. Keep the message appropriate to the audience – end users don’t need to know the complete process, but will need to know policy and how to request.

    Management may have priorities that appear to clash with new processes. Engage management by making them aware of the benefits and importance of ITAM. Include the benefits and consequences of not implementing ITAM in your education approach. Encourage them to support efforts by reinforcing your messages to end users.

    New hires should have ITAM training bundled into their onboarding process. Fresh minds are easier to train and the ITAM program will be seen as an organizational standard, not merely a change.

    Policy documents can help summarize end users’ obligations and clarify processes. Consider an IT Resources Acceptable UsePolicy.

    "The lowest user is the most important user in your asset management program. New employees are your most important resource. The life cycle of the assets will go much smoother if new employees are brought on board." – Tyrell Hall, ITAM Program Coordinator

    Info-Tech Insight

    During training, you should present the material through the lens of “what’s in it for me?” Otherwise, you risk alienating end users through implementing organizational change viewed as low value.

    Include policy design and enforcement in your communication plan

    • Hardware asset management policies should define the actions to be taken to protect and preserve technology assets from failure, loss, destruction, theft, or damage.
    • Implementing asset management policies enforces the notion that the organization takes its IT assets and the management of them seriously, and will help ensure the benefits of ITAM are achieved.
    • Designing, approving, documenting, and adopting one set of standard ITAM policies for each department to follow will ensure the processes are enforced equally across the organization.
    • Good ITAM policies answer the “what, how, and why” of IT asset management, provide the means for ITAM governance, and provide a basis for strategy and decision making.

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but be sure to modify and adapt policies to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation and involvement from the committees and departments to whom it will pertain.

    Use Info-Tech’s policy templates to build HAM policies

    4.2.1 Build HAM policies

    Use these HAM policy templates to get started:

    Information Technology Standards Policy

    This policy establishes standards and guidelines for a company’s information technology environment to ensure the confidentiality, integrity, and availability of company computing resources.

    Desktop Move/Add/Change Policy

    This desktop move/add/change policy is put in place for users to request to change their desktop computing environments. This policy applies configuration changes within a company.

    Purchasing Policy

    The purchasing policy helps to establish company standards, guidelines, and procedures for the purchase of all information technology hardware, software, and computer-related components as well as the purchase of all technical services.

    Hardware Asset Disposition Policy

    This policy assists in creating guidelines around disposition in the last stage of the asset lifecycle.

    Additional policy templates

    Info-Tech Insight

    Use policy templates to jumpstart your policy development and ensure policies are comprehensive, but modify and adapt them to suit your corporate culture or they will not gain buy-in from employees. For a policy to be successful, it must be a living document and have participation from the committees and departments to whom it will pertain.

    Create a communication plan to achieve end-user support and adherence to policies

    Communication is crucial to the integration and overall implementation of your ITAM program. An effective communication plan will:

    • Gain support from management at the project proposal phase.
    • Create end-user buy-in once the program is set to launch.
    • Maintain the presence of the program throughout the business.
    • Instill ownership throughout the business from top-level management to new hires.

    Use the variety of components as part of your communication plan in order to reach the organization.

    1. Advertise successes.
    • Regularly demonstrate the value of the ITAM program with descriptive statistics focused on key financial benefits.
    • Share data with the appropriate personnel; promote success to obtain further support from senior management.
  • Report and share asset data.
    • Sharing detailed asset-related reports frequently gives decision makers useful data to aid in their strategy.
    • These reports can help your organization prepare for audits, adjust asset budgeting, and detect unauthorized assets.
  • Communicate the value of ITAM.
    • Educate management and end users about how they fit into the bigger picture.
    • Individuals need to know that their behaviors can adversely affect data quality and, ultimately, lead to better decision making.
  • Develop a communication plan to convey the right messages

    4.2.2 Develop a communication plan to convey the right messages

    Participants

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Document

    Document in the HAM Communication Plan

    1. Identify the groups that will be affected by the HAM program as those who will require communication.
    2. For each group requiring a communication plan, identify the following:
    • Benefits of HAM for that group of individuals (e.g. better data, security).
    • The impact the change will have on them (e.g. change in the way a certain process will work).
    • Communication method (i.e. how you will communicate).
    • Timeframe (i.e. when and how often you will communicate the changes).
  • Complete this information in a table like the one below and document in the Communication Plan.
  • Group Benefits Impact Method Timeline
    Service Desk Improve end-user device support Follow new processes Email campaign 3 months
    Executives Mitigate risks, better security, more data for reporting Review and sign off on policies
    End Users Smoother request process Adhere to device security and use policies
    Infrastructure Faster access to data and one source of truth Modified processes for centralized procurement and inventory

    Implement ITAM in a phased, constructive approach

    • One of the most difficult decisions to make when implementing ITAM is: “where do we start?”
    • The pyramid to the right mirrors Maslow’s hierarchy of needs. The base is the absolute bare minimum that should be in place, and each level builds upon the previous one.
    • As you track up the pyramid, your ITAM program will become more and more mature.

    Now that your asset lifecycle environment has been constructed in full, it’s time to study it. Gather data about your assets and use the results to create reports and new solutions to continually improve the business.

    • Asset Data
    • Asset Protection: safely protect and dispose of assets once they are mass distributed throughout your organization.
    • Asset Distribution: determine standards for asset provisioning and asset inventory strategy.
    • Asset Gathering: define what assets you will procure, distribute, and track. Classifying your assets by tier will allow you to make decisions as you progress up the pyramid.

    ↑ ITAM Program Maturity

    Integrate your HAM program into the organization to assist its implementation

    The HAM program cannot perform on its own – it must be integrated with other functional areas of the organization in order to maintain its stability and support.

    • Effective IT asset management is supported by a comprehensive set of processes as part of its implementation.
    • For example, integration with the purchasing/procurement team is required to gather hardware and software purchase data to control asset costs and mitigate software license compliance risk.
    • Integration with Finance is required to support internal cost allocations and charge backs.

    To integrate your ITAM program into your organization effectively, a clear implementation roadmap needs to be designed. Prioritize “quick wins” in order to demonstrate success to the business early and gain buy-in from your team. Long-term goals should be designed that will be supported by the outcomes of the short-term gains of your ITAM program.

    Short-term goal Long-term goal
    Identify inventory classification and tool (hardware first) Hardware contract data integration (warranty, maintenance, lease)
    Create basic ITAM policies and processes Continual improvement through policy impact review and revision
    Implement ITAM auto-discovery tools Software compliance reports, internal audits

    Info-Tech Insight

    Installing an ITAM tool does not mean you have an effective asset management program. A complete solution needs to be built around your tool, but the strength of ITAM comes from processes embedded in the organization that are shaped and supported by your ITAM data.

    Develop an IT hardware asset management implementation roadmap

    4.2.3 Develop a HAM implementation roadmap

    Participants

    • CIO
    • IT Director
    • Asset Manager
    • Service Desk Manager

    Document

    Document in the IT Hardware Asset Management Implementation Roadmap

    1. Identify up to five streams to work on initiatives for the hardware asset management project.
    2. Fill out key tasks and objectives for each process. Assign responsibility for each task.
    3. Select a start date and end date for each task. See tab 1 of the tool for instructions on which letters to input for each stage of the process.
    4. Once your list is complete, open tab 3 of the tool to see your completed sunshine diagram.
    5. Keep this diagram visible for your team and use it as a guide to task completion as you work towards your future-state value stream.

    Focus on continual improvement to sustain your ITAM program

    Periodically review the ITAM program in order to achieve defined goals, objectives, and benefits.

    Act → Plan → Do → Check

    Once ITAM is in place in your organization, a focus on continual improvement creates the following benefits:

    • Remain in sync with the business: your asset management program reflects the current and desired future states of your organization at the time of its creation. But the needs of the business change. As mentioned previously, asset management is a dynamic process, so in order for your program to keep pace, a focus on continual improvement is needed.
      • For example, imagine if your organization had designed your ITAM program before cloud-based solutions were an option. What if your asset classification scheme did not include personal devices or tablets or your asset security policy lacked a section on BYOD?
    • Create funding for new projects through ITAM continual improvement: one of the goals is to save money through more efficient use of your assets by “sweating” out underused hardware and software.
      • It may be tempting to simply present the results to Finance as savings, but instead, describe the results as “available funds for other projects.” Otherwise, Finance may view the savings as a nod to restrict IT’s budget and allocate funds elsewhere. Make it clear that any saved funds are still required, albeit in a different capacity.

    Info-Tech Best Practice

    Look for new uses for ITAM data. Ask management what their goals are for the next 12-18 months. Analyze the data you are gathering and determine how your ITAM data can assist with achieving these goals.

    Phase 4 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Step 4.1: Plan Budget

    Start with an analyst kick-off call:

    • Know where to find data to budget for hardware needs accurately.
    • Learn how to manage a hardware budget.

    Then complete these activities…

    • Plan hardware asset budget.

    With these tools & templates:

    HAM Budgeting Tool

    Step 4.2: Communicate & Roadmap

    Review findings with analyst:

    • Develop policies for end users.
    • Build communications plan.
    • Build an implementation roadmap.

    Then complete these activities…

    • Build HAM policies.
    • Develop a communication plan.
    • Develop a HAM implementation roadmap.

    With these tools & templates:

    HAM policy templates

    HAM Communication Plan

    HAM Implementation Roadmap

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1.1 Build a hardware asset budget

    Review upcoming hardware refresh needs and projects requiring hardware purchases. Use this data to forecast and budget equipment for the upcoming year.

    4.2.2 Develop a communication plan

    Identify groups that will be affected by the new HAM program and for each group, document a communications plan.

    Insight breakdown

    Overarching Insights

    HAM is more than just tracking inventory. A mature asset management program provides data for proactive planning and decision making to reduce operating costs and mitigate risk.

    ITAM is not just IT. IT leaders need to collaborate with Finance, Procurement, Security, and other business units to make informed decisions and create value across the enterprise.

    Treat HAM like a process, not a project. HAM is a dynamic process that must react and adapt to the needs of the business.

    Phase 1 Insight

    For asset management to succeed, it needs to support the business. Engage business leaders to determine needs and build your HAM program around these goals.

    Phase 2 Insight

    Bridge the gap between IT and Finance to build a smoother request and procurement process through communication and routine reporting. If you’re unable to affect procurement processes to reduce time to deliver, consider bringing inventory onsite or having your hardware vendor keep stock, ready to ship on demand.

    Phase 3 Insight

    Not all assets are created equal. Taking a blanket approach to asset maintenance and security is time consuming and costly. Focus on the high-cost, high-use, and data-sensitive assets first.

    Phase 4 Insight

    Deploying a fancy ITAM tool will not make hardware asset management implementation easier. Implementation is a project that requires you focus on people and process first – the technology comes after.

    Related Info-Tech research

    Implement Software Asset Management

    Build an End-User Computing Strategy

    Find the Value – and Remain Valuable – With Cloud Asset Management

    Consolidate IT Asset Management

    Harness Configuration Management Superpowers

    IT Asset Management Market Overview

    Bibliography

    Chalkley, Martin. “Should ITAM Own Budget?” The ITAM Review. 19 May 2011. Web.

    “CHAMP: Certified Hardware Asset Management Professional Manual.” International Association of Information Technology Asset Managers, Inc. 2008. Web.

    Foxen, David. “The Importance of Effective HAM (Hardware Asset Management).” The ITAM Review. 19 Feb. 2015. Web.

    Foxen, David. “Quick Guide to Hardware Asset Tagging.” The ITAM Review. 5 Sep. 2014. Web.

    Galecki, Daniel. “ITAM Lifecycle and Savings Opportunities – Mapping out the Journey.” International Association of IT Asset Managers, Inc. 16 Nov. 2014. Web.

    “How Cisco IT Reduced Costs Through PC Asset Management.” Cisco IT Case Study. 2007. Web.

    Irwin, Sherry. “ITAM Metrics.” The ITAM Review. 14 Dec. 2009. Web.

    “IT Asset and Software Management.” ECP Media LLC, 2006. Web.

    Rains, Jenny. “IT Hardware Asset Management.” HDI Research Brief. May 2015. Web.

    Riley, Nathan. “IT Asset Management and Tagging Hardware: Best Practices.” Samanage Blog. 5 March 2015. Web.

    “The IAITAM Practitioner Survey Results for 2016 – Lean Toward Ongoing Value.” International Association of IT Asset Managers, Inc. 24 May 2016. Web.

    Create a Service Management Roadmap

    • Buy Link or Shortcode: {j2store}394|cart{/j2store}
    • member rating overall impact (scale of 10): 8.9/10 Overall Impact
    • member rating average dollars saved: $71,003 Average $ Saved
    • member rating average days saved: 24 Average Days Saved
    • Parent Category Name: Service Management
    • Parent Category Link: /service-management
    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Our Advice

    Critical Insight

    • Having effective service management practices in place will allow you to pursue activities, such as innovation, and drive the business forward.
    • Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value.
    • Providing consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Impact and Result

    • Understand the foundational and core elements that allow you to build a successful service management practice focused on outcomes.
    • Use Info-Tech’s advice and tools to perform an assessment of your organization’s current state, identify the gaps, and create a roadmap for success.
    • Increase business and customer satisfaction by delivering services focused on creating business value.

    Create a Service Management Roadmap Research & Tools

    Start here – read the Executive Brief

    Read our concise Executive Brief to find out why many service management maturity projects fail to address foundational and core elements, review Info-Tech’s methodology, and understand the four ways we can support you in completing this project.

    Besides the small introduction, subscribers and consulting clients within this management domain have access to:

    1. Launch the project

    Kick-off the project and complete the project charter.

    • Create a Service Management Roadmap – Phase 1: Launch Project
    • Service Management Roadmap Project Charter

    2. Assess the current state

    Determine the current state for service management practices.

    • Create a Service Management Roadmap – Phase 2: Assess the Current State
    • Service Management Maturity Assessment Tool
    • Organizational Change Management Capability Assessment Tool
    • Service Management Roadmap Presentation Template

    3. Build the roadmap

    Build your roadmap with identified initiatives.

    • Create a Service Management Roadmap – Phase 3: Identify the Target State

    4. Build the communication slide

    Create the communication slide that demonstrates how things will change, both short and long term.

    • Create a Service Management Roadmap – Phase 4: Build the Roadmap
    [infographic]

    Workshop: Create a Service Management Roadmap

    Workshops offer an easy way to accelerate your project. If you are unable to do the project yourself, and a Guided Implementation isn't enough, we offer low-cost delivery of our project workshops. We take you through every phase of your project and ensure that you have a roadmap in place to complete your project successfully.

    1 Understand Service Management

    The Purpose

    Understand service management.

    Key Benefits Achieved

    Gain a common understanding of service management, the forces that impact your roadmap, and the Info-Tech Service Management Maturity Model.

    Activities

    1.1 Understand service management.

    1.2 Build a compelling vision and mission.

    Outputs

    Constraints and enablers chart

    Service management vision, mission, and values

    2 Assess the Current State of Service Management

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand attitudes, behaviors, and culture.

    Understand governance and process ownership needs.

    Understand strengths, weaknesses, opportunities, and threats.

    Defined desired state.

    Activities

    2.1 Assess cultural ABCs.

    2.2 Assess governance needs.

    2.3 Perform SWOT analysis.

    2.4 Define desired state.

    Outputs

    Cultural improvements action items

    Governance action items

    SWOT analysis action items

    Defined desired state

    3 Continue Current-State Assessment

    The Purpose

    Assess the organization’s current service management capabilities.

    Key Benefits Achieved

    Understand the current maturity of service management processes.

    Understand organizational change management capabilities.

    Activities

    3.1 Perform service management process maturity assessment.

    3.2 Complete OCM capability assessment.

    3.3 Identify roadmap themes.

    Outputs

    Service management process maturity activities

    OCM action items

    Roadmap themes

    4 Build Roadmap and Communication Tool

    The Purpose

    Use outputs from previous steps to build your roadmap and communication one-pagers.

    Key Benefits Achieved

    Easy-to-understand roadmap one-pager

    Communication one-pager

    Activities

    4.1 Build roadmap one-pager.

    4.2 Build communication one-pager.

    Outputs

    Service management roadmap

    Service management roadmap – Brought to Life communication slide

    Further reading

    Create a Service Management Roadmap

    Implement service management in an order that makes sense.

    ANALYST PERSPECTIVE

    "More than 80% of the larger enterprises we’ve worked with start out wanting to develop advanced service management practices without having the cultural and organizational basics or foundational practices fully in place. Although you wouldn’t think this would be the case in large enterprises, again and again IT leaders are underestimating the importance of cultural and foundational aspects such as governance, management practices, and understanding business value. You must have these fundamentals right before moving on."

    Tony Denford,

    Research Director – CIO

    Info-Tech Research Group

    Our understanding of the problem

    This Research Is Designed For:

    • CIO
    • Senior IT Management

    This Research Will Help You:

    • Create or maintain service management (SM) practices to ensure user-facing services are delivered seamlessly to business users with minimum interruption.
    • Increase the level of reliability and availability of the services provided to the business and improve the relationship and communication between IT and the business.

    This Research Will Also Assist

    • Service Management Process Owners

    This Research Will Help Them:

    • Formalize, standardize, and improve the maturity of service management practices.
    • Identify new service management initiatives to move IT to the next level of service management maturity.

    Executive summary

    Situation

    • Inconsistent adoption of holistic practices has led to a chaotic service delivery model that results in poor customer satisfaction.
    • There is little structure, formalization, or standardization in the way IT services are designed and managed, leading to diminishing service quality and low business satisfaction.

    Complication

    • IT organizations want to be seen as strategic partners, but they fail to address the cultural and organizational constraints.
    • Without alignment with the business goals, services often fail to provide the expected value.
    • Traditional service management approaches are not adaptable for new ways of working.

    Resolution

    • Follow Info-Tech’s methodology to create a service management roadmap that will help guide the optimization of your IT services and improve IT’s value to the business.
    • The blueprint will help you right-size your roadmap to best suit your specific needs and goals and will provide structure, ownership, and direction for service management.
    • This blueprint allows you to accurately identify the current state of service management at your organization. Customize the roadmap and create a plan to achieve your target service management state.

    Info-Tech Insight

    Having effective service management practices in place will allow you to pursue activities such as innovation and drive the business forward. Addressing foundational elements like business alignment and management practices will enable you to build effective core practices that deliver business value. Consistent leadership support and engagement is essential to allow practitioners to focus on delivering expected outcomes.

    Poor service management manifests in many different pains across the organization

    Immaturity in service management will not result in one pain – rather, it will create a chaotic environment for the entire organization, crippling IT’s ability to deliver and perform.

    Low Service Management Maturity

    These are some of the pains that can be attributed to poor service management practices.

    • Frequent service-impacting incidents
    • Low satisfaction with the service desk
    • High % of failed deployments
    • Frequent change-related incidents
    • Frequent recurring incidents
    • Inability to find root cause
    • No communication with the business
    • Frequent capacity-related incidents

    And there are many more…

    Mature service management practices are a necessity, not a nice-to-have

    Immature service management practices are one of the biggest hurdles preventing IT from reaching its true potential.

    In 2004, PwC published a report titled “IT Moves from Cost Center to Business Contributor.” However, the 2014-2015 CSC Global CIO Survey showed that a high percentage of IT is still considered a cost center.

    And low maturity of service management practices is inhibiting activities such as agility, DevOps, digitalization, and innovation.

    A pie chart is shown that is titled: Where does IT sit? The chart has 3 sections. One section represents IT and the business have a collaborative partnership 28%. The next section represents at 33% where IT has a formal client/service provider relationship with the business. The last section has 39% where IT is considered as a cost center.
    Source: CSC Global CIO Survey: 2014-2015 “CIOs Emerge as Disruptive Innovators”

    39%: Resources are primarily focused on managing existing IT workloads and keeping the lights on.

    31%: Too much time and too many resources are used to handle urgent incidents and problems.

    There are many misconceptions about what service management is

    Misconception #1: “Service management is a process”

    Effective service management is a journey that encompasses a series of initiatives that improves the value of services delivered.

    Misconception #2: “Service Management = Service Desk”

    Service desk is the foundation, since it is the main end-user touch point, but service management is a set of people and processes required to deliver business-facing services.

    Misconception #3: “Service management is about the ITSM tool”

    The tool is part of the overall service management program, but the people and processes must be in place before implementing.

    Misconception #4: “Service management development is one big initiative”

    Service management development is a series of initiatives that takes into account an organization’s current state, maturity, capacities, and objectives.

    Misconception #5: “Service management processes can be deployed in any order, assuming good planning and design”

    A successful service management program takes into account the dependencies of processes.

    Misconception #6: “Service management is resolving incidents and deploying changes”

    Service management is about delivering high-value and high-quality services.

    Misconception #7: “Service management is not the key determinant of success”

    As an organization progresses on the service management journey, its ability to deliver high-value and high-quality services increases.

    Misconception #8: “Resolving Incidents = Success”

    Preventing incidents is the name of the game.

    Misconception #9: “Service Management = Good Firefighter”

    Service management is about understanding what’s going on with user-facing services and proactively improving service quality.

    Misconception #10: “Service management is about IT and technical services (e.g. servers, network, database)”

    Service management is about business/user-facing services and the value the services provide to the business.

    Service management projects often don’t succeed because they are focused on process rather than outcomes

    Service management projects tend to focus on implementing process without ensuring foundational elements of culture and management practices are strong enough to support the change.

    1. Aligning your service management goals with your organizational objectives leads to better understanding of the expected outcomes.
    2. Understand your customers and what they value, and design your practices to deliver this value.

    3. IT does not know what order is best when implementing new practices or process improvements.
    4. Don't run before you can walk. Fundamental practices must reach the maturity threshold before developing advanced practices. Implement continuous improvement on your existing processes so they continue to support new practices.

    5. IT does not follow best practices when implementing a practice.
    6. Our best-practice research is based on extensive experience working with clients through advisory calls and workshops.

    Info-Tech can help you create a customized, low-effort, and high-value service management roadmap that will shore up any gaps, prove IT’s value, and achieve business satisfaction.

    Info-Tech’s methodology will help you customize your roadmap so the journey is right for you

    With Info-Tech, you will find out where you are, where you want to go, and how you will get there.

    With our methodology, you can expect the following:

    • Eliminate or reduce rework due to poor execution.
    • Identify dependencies/prerequisites and ensure practices are deployed in the correct order, at the correct time, and by the right people.
    • Engage all necessary resources to design and implement required processes.
    • Assess current maturity and capabilities and design the roadmap with these factors in mind.

    Doing it right the first time around

    You will see these benefits at the end

      ✓ Increase the quality of services IT provides to the business.

      ✓ Increase business satisfaction through higher alignment of IT services.

      ✓ Lower cost to design, implement, and manage services.

      ✓ Better resource utilization, including staff, tools, and budget.

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Follow our model and get to your target state

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The canopy of the tree are labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Each step along the way, Info-Tech has the tools to help you

    Phase 1: Launch the Project

    Assemble a team with the right talent and vision to increase the chances of project success.

    Phase 2: Assess Current State

    Understand where you are currently on the service management journey using the maturity assessment tool.

    Phase 3: Build Roadmap

    Based on the assessments, build a roadmap to address areas for improvement.

    Phase 4: Build Communication slide

    Based on the roadmap, define the current state, short- and long-term visions for each major improvement area.

    Info-Tech Deliverables:

    • Project Charter
    • Assessment Tools
    • Roadmap Template
    • Communication Template

    CIO call to action

    Improving the maturity of the organization’s service management practice is a big commitment, and the project can only succeed with active support from senior leadership.

    Ideally, the CIO should be the project sponsor, even the project leader. At a minimum, the CIO needs to perform the following activities:

    1. Walk the talk – demonstrate personal commitment to the project and communicate the benefits of the service management journey to IT and the steering committee.
    2. Improving or adopting any new practice is difficult, especially for a project of this size. Thus, the CIO needs to show visible support for this project through internal communication and dedicated resources to help complete this project.

    3. Select a senior, capable, and results-driven project leader.
    4. Most likely, the implementation of this project will be lengthy and technical in some nature. Therefore, the project leader must have a good understanding of the current IT structure, senior standing within the organization, and the relationship and power in place to propel people into action.

    5. Help to define the target future state of IT’s service management.
    6. Determine a realistic target state for the organization based on current capability and resource/budget restraints.

    7. Conduct periodic follow-up meetings to keep track of progress.
    8. Reinforce or re-emphasize the importance of this project to the organization through various communication channels if needed.

    Stabilizing your environment is a must before establishing any more-mature processes

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • The business landscape was rapidly changing for this manufacturer and they wanted to leverage potential cost savings from cloud-first initiatives and consolidate multiple, self-run service delivery teams that were geographically dispersed.

    Solution

    Original Plan

    • Consolidate multiple service delivery teams worldwide and implement service portfolio management.

    Revised Plan with Service Management Roadmap:

    • Markets around the world had very different needs and there was little understanding of what customers value.
    • There was also no understanding of what services were currently being offered within each geography.

    Results

    • Plan was adjusted to understand customer value and services offered.
    • Services were then stabilized and standardized before consolidation.
    • Team also focused on problem maturity and drove a continuous improvement culture and increasing transparency.

    MORAL OF THE STORY:

    Understanding the value of each service allowed the organization to focus effort on high-return activities rather than continuous fire fighting.

    Understand the processes involved in the proactive phase

    CASE STUDY

    Industry: Manufacturing

    Source: Engagement

    Challenge

    • Services were fairly stable, but there were significant recurring issues for certain services.
    • The business was not satisfied with the service quality for certain services, due to periodic availability and reliability issues.
    • Customer feedback for the service desk was generally good.

    Solution

    Original Plan

    • Review all service desk and incident management processes to ensure that service issues were handled in an effective manner.

    Revised Plan with Service Management Roadmap:

    • Design and deploy a rigorous problem management process to determine the root cause of recurring issues.
    • Monitor key services for events that may lead to a service outage.

    Results

    • Root cause of recurring issues was determined and fixes were deployed to resolve the underlying cause of the issues.
    • Service quality improved dramatically, resulting in high customer satisfaction.

    MORAL OF THE STORY:

    Make sure that you understand which processes need to be reviewed in order to determine the cause for service instability. Focusing on the proactive processes was the right answer for this company.

    Have the right culture and structure in place before you become a service provider

    CASE STUDY

    Industry: Healthcare

    Source:Journal of American Medical Informatics Association

    Challenge

    • The IT organization wanted to build a service catalog to demonstrate the value of IT to the business.
    • IT was organized in technology silos and focused on applications, not business services.
    • IT services were not aligned with business activities.
    • Relationships with the business were not well established.

    Solution

    Original Plan

    • Create and publish a service catalog.

    Revised Plan: with Service Management Roadmap:

    • Establish relationships with key stakeholders in the business units.
    • Understand how business activities interface with IT services.
    • Lay the groundwork for the service catalog by defining services from the business perspective.

    Results

    • Strong relationships with the business units.
    • Deep understanding of how business activities map to IT services.
    • Service definitions that reflect how the business uses IT services.

    MORAL OF THE STORY:

    Before you build and publish a service catalog, make sure that you understand how the business is using the IT services that you provide.

    Calculate the benefits of using Info-Tech’s methodology

    To measure the value of developing your roadmap using the Info-Tech tools and methodology, you must calculate the effort saved by not having to develop the methods.

    A. How much time will it take to develop an industry-best roadmap using Info-Tech methodology and tools?

    Using Info-Tech’s tools and methodology you can accurately estimate the effort to develop a roadmap using industry-leading research into best practice.

    B. What would be the effort to develop the insight, assess your team, and develop the roadmap?

    This metric represents the time your team would take to be able to effectively assess themselves and develop a roadmap that will lead to service management excellence.

    C. Cost & time saving through Info-Tech’s methodology

    Measured Value

    Step 1: Assess current state

    Cost to assess current state:

    • 5 Directors + 10 Managers x 10 hours at $X an hour = $A

    Step 2: Build the roadmap

    Cost to create service management roadmap:

    • 5 Directors + 10 Managers x 8 hours at $X an hour = $B

    Step 3: Develop the communication slide

    Cost to create roadmaps for phases:

    • 5 Directors + 10 Managers x 6 hours at $X an hour = $C

    Potential financial savings from using Info-Tech resources:

    Estimated cost to do “B” – (Step 1 ($A) + Step 2 ($B) + Step 3 ($C)) = $Total Saving

    Info-Tech offers various levels of support to best suit your needs

    DIY Toolkit

    "Our team has already made this critical project a priority, and we have the time and capability, but some guidance along the way would be helpful."

    Guided Implementation

    "Our team knows that we need to fix a process, but we need assistance to determine where to focus. Some check-ins along the way would help keeps us on track."

    Workshop

    "We need to hit the ground running and get this project kicked off immediately. Our team has the ability to take this over once we get a framework and strategy in place."

    Consulting

    "Our team does not have the time or the knowledge to take this project on. We need assistance through the entirety of this project."

    Diagnostics and consistent frameworks are used throughout all four options.

    Create a Service Management Roadmap – project overview


    Launch the project

    Assess the current state

    Build the roadmap

    Build communication slide

    Best-Practice Toolkit

    1.1 Create a powerful, succinct mission statement

    1.2 Assemble a project team with representatives from all major IT teams

    1.3 Determine project stakeholders and create a communication plan

    1.4 Establish metrics to track the success of the project

    2.1 Assess impacting forces

    2.2 Build service management vision, mission, and values

    2.3 Assess attitudes, behaviors, and culture

    2.4 Assess governance

    2.5 Perform SWOT analysis

    2.6 Identify desired state

    2.7 Assess SM maturity

    2.8 Assess OCM capabilities

    3.1 Document overall themes

    3.2 List individual initiatives

    4.1 Document current state

    4.2 List future vision

    Guided Implementations

    • Kick-off the project
    • Build the project team
    • Complete the charter
    • Understand current state
    • Determine target state
    • Build the roadmap based on current and target state
    • Build short- and long-term visions and initiative list

    Onsite Workshop

    Module 1: Launch the project

    Module 2: Assess current service management maturity

    Module 3: Complete the roadmap

    Module 4: Complete the communication slide

    Workshop overview

    Contact your account representative or email Workshops@InfoTech.com for more information

    Workshop Day 1

    Workshop Day 2

    Workshop Day 3

    Workshop Day 4

    Activities

    Understand Service Management

    1.1 Understand the concepts and benefits of service management.

    1.2 Understand the changing impacting forces that affect your ability to deliver services.

    1.3 Build a compelling vision and mission for your service management program.

    Assess the Current State of Your Service Management Practice

    2.1 Understand attitudes, behaviors, and culture.

    2.2 Assess governance and process ownership needs.

    2.3 Perform SWOT analysis.

    2.4 Define the desired state.

    Complete Current-State Assessment

    3.1 Conduct service management process maturity assessment.

    3.2 Identify organizational change management capabilities.

    3.3 Identify themes for roadmap.

    Build Roadmap and Communication Tool

    4.1 Build roadmap one-pager.

    4.2 Build roadmap communication one-pager.

    Deliverables

    1. Constraints and enablers chart
    2. Service management vision, mission, and values
    1. Action items for cultural improvements
    2. Action items for governance
    3. Identified improvements from SWOT
    4. Defined desired state
    1. Service Management Process Maturity Assessment
    2. Organizational Change Management Assessment
    1. Service management roadmap
    2. Roadmap Communication Tool in the Service Management Roadmap Presentation Template

    PHASE 1

    Launch the Project

    Launch the project

    This step will walk you through the following activities:

    • Create a powerful, succinct mission statement based on your organization’s goals and objectives.
    • Assemble a project team with representatives from all major IT teams.
    • Determine project stakeholders and create a plan to convey the benefits of this project.
    • Establish metrics to track the success of the project.

    Step Insights

    • The project leader should have a strong relationship with IT and business leaders to maximize the benefit of each initiative in the service management journey.
    • The service management roadmap initiative will touch almost every part of the organization; therefore, it is important to have representation from all impacted stakeholders.
    • The communication slide needs to include the organizational change impact of the roadmap initiatives.

    Phase 1 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 1: Launch the Project

    Step 1.1 – Kick-off the Project

    Start with an analyst kick-off call:

    • Identify current organization pain points relating to poor service management practices
    • Determine high-level objectives
    • Create a mission statement

    Then complete these activities…

    • Identify potential team members who could actively contribute to the project
    • Identify stakeholders who have a vested interest in the completion of this project

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Step 1.2 – Complete the Charter

    Review findings with analyst:

    • Create the project team; ensure all major IT teams are represented
    • Review stakeholder list and identify communication messages

    Then complete these activities…

    • Establish metrics to complete project planning
    • Complete the project charter

    With these tools & templates:

    • Service Management Roadmap Project Charter

    Use Info-Tech’s project charter to begin your initiative

    1.1 Service Management Roadmap Project Charter

    The Service Management Roadmap Project Charter is used to govern the initiative throughout the project. It provides the foundation for project communication and monitoring.

    The template has been pre-populated with sample information appropriate for this project. Please review this sample text and change, add, or delete information as required.

    The charter includes the following sections:

    • Mission Statement
    • Goals & Objectives
    • Project Team
    • Project Stakeholders
    • Current State (from phases 2 & 3)
    • Target State (from phases 2 & 3)
    • Target State
    • Metrics
    • Sponsorship Signature
    A screenshot of Info-Tech's Service Management Roadmap Project Charter is shown.

    Use Info-Tech’s ready-to-use deliverable to customize your mission statement

    Adapt and personalize Info-Tech’s Service Management Roadmap Mission Statement and Goals & Objectives below to suit your organization’s needs.

    Goals & Objectives

    • Create a plan for implementing service management initiatives that align with the overall goals/objectives for service management.
    • Identify service management initiatives that must be implemented/improved in the short term before deploying more advanced initiatives.
    • Determine the target state for each initiative based on current maturity and level of investment available.
    • Identify service management initiatives and understand dependencies, prerequisites, and level of effort required to implement.
    • Determine the sequence in which initiatives should be deployed.
    • Create a detailed rollout plan that specifies initiatives, time frames, and owners.
    • Engage the right teams and obtain their commitment throughout both the planning and assessment of roadmap initiatives.
    • both the planning and assessment of roadmap initiatives. Obtain support for the completed roadmap from executive stakeholders.

    Example Mission Statement

    To help [Organization Name] develop a set of service management practices that will better address the overarching goals of the IT department.

    To create a roadmap that sequences initiatives in a way that incorporates best practices and takes into consideration dependencies and prerequisites between service management practices.

    To garner support from the right people and obtain executive buy-in for the roadmap.

    Create a well-balanced project team

    The project leader should be a member of your IT department’s senior executive team with goals and objectives that will be impacted by service management implementation. The project leader should possess the following characteristics:

    Leader

    • Influence and impact
    • Comprehensive knowledge of IT and the organization
    • Relationship with senior IT management
    • Ability to get things done

    Team Members

    Identify

    The project team members are the IT managers and directors whose day-to-day lives will be impacted by the service management roadmap and its implementation. The service management initiative will touch almost every IT staff member in the organization; therefore, it is important to have representatives from every single group, including those that are not mentioned. Some examples of individuals you should consider for your team:

    • Service Delivery Managers
    • Director/Manager of Applications
    • Director/Manager of Infrastructure
    • Director/Manager of Service Desk
    • Business Relationship Managers
    • Project Management Office

    Engage & Communicate

    You want to engage your project participants in the planning process as much as possible. They should be involved in the current-state assessment, the establishment of goals and objectives, and the development of your target state.

    To sell this project, identify and articulate how this project and/or process will improve the quality of their job. For example, a formal incident management process will benefit people working at the service desk or on the applications or infrastructure teams. Helping them understand the gains will help to secure their support throughout the long implementation process by giving them a sense of ownership.

    The project stakeholders should also be project team members

    When managing stakeholders, it is important to help them understand their stake in the project as well as their own personal gain that will come out of this project.

    For many of the stakeholders, they also play a critical role in the development of this project.

    Role & Benefits

    • CIO
    • The CIO should be actively involved in the planning stage to help determine current and target stage.

      The CIO also needs to promote and sell the project to the IT team so they can understand that higher maturity of service management practices will allow IT to be seen as a partner to the business, giving IT a seat at the table during decision making.

    • Service Delivery Managers/Process Owners
    • Service Delivery Managers are directly responsible for the quality and value of services provided to the business owners. Thus, the Service Delivery Managers have a very high stake in the project and should be considered for the role of project leader.

      Service Delivery Managers need to work closely with the process owners of each service management process to ensure clear objectives are established and there is a common understanding of what needs to be achieved.

    • IT Steering Committee
    • The Committee should be informed and periodically updated about the progress of the project.

    • Manager/Director – Service Desk
    • The Manager of the Service Desk should participate closely in the development of fundamental service management processes, such as service desk, incident management, and problem management.

      Having a more established process in place will create structure, governance, and reduce service desk staff headaches so they can handle requests or incidents more efficiently.

    • Manager/Director –Applications & Infrastructure
    • The Manager of Applications and Infrastructure should be heavily relied on for their knowledge of how technology ties into the organization. They should be consulted regularly for each of the processes.

      This project will also benefit them directly, such as improving the process to deploy a fix into the environment or manage the capacity of the infrastructure.

    • Business Relationship Manager
    • As the IT organization moves up the maturity ladder, the Business Relationship Manager will play a fundamental role in the more advanced processes, such as business relationship management, demand management, and portfolio management.

      This project will be an great opportunity for the Business Relationship Manager to demonstrate their value and their knowledge of how to align IT objectives with business vision.

    Ensure you get the entire IT organization on board for the project with a well-practiced change message

    Getting the IT team on board will greatly maximize the project’s chance of success.

    One of the top challenges for organizations embarking on a service management journey is to manage the magnitude of the project. To ensure the message is not lost, communicate this roadmap in two steps.

    1. Communicate the roadmap initiative

    The most important message to send to the IT organization is that this project will benefit them directly. Articulate the pains that IT is currently experiencing and explain that through more mature service management, these pains can be greatly reduced and IT can start to earn a place at the table with the business.

    2. Communicate the implementation of each process separately

    The communication of process implementation should be done separately and at the beginning of each implementation. This is to ensure that IT staff do not feel overwhelmed or overloaded. It also helps to keep the project more manageable for the project team.

    Continuously monitor feedback and address concerns throughout the entire process

    • Host lunch and learns to provide updates on the service management initiative to the entire IT team.
    • Understand if there are any major roadblocks and facilitate discussions on how to overcome them.

    Articulate the service management initiative to the IT organization

    Spread the word and bring attention to your change message through effective mediums and organizational changes.

    Key aspects of a communication plan

    The methods of communication (e.g. newsletters, email broadcast, news of the day, automated messages) notify users of implementation.

    In addition, it is important to know who will deliver the message (delivery strategy). You need IT executives to deliver the message – work hard on obtaining their support as they are the ones communicating to their staff and should be your project champions.

    Anticipate organizational changes

    The implementation of the service management roadmap will most likely lead to organizational changes in terms of structure, roles, and responsibilities. Therefore, the team should be prepared to communicate the value that these changes will bring.

    Communicating Change

    • What is the change?
    • Why are we doing it?
    • How are we going to go about it?
    • What are we trying to achieve?
    • How often will we be updated?

    The Qualities of Leadership: Leading Change

    Create a project communication plan for your stakeholders

    This project cannot be successfully completed without the support of senior IT management.

    1. After the CIO has introduced this project through management meetings or informal conversation, find out how each IT leader feels about this project. You need to make sure the directors and managers of each IT team, especially the directors of application and infrastructure, are on board.
    2. After the meeting, the project leader should seek out the major stakeholders (particularly the heads of applications and infrastructure) and validate their level of support through formal or informal meetings. Create a list documenting the major stakeholders, their level of support, and how the project team will work to gain their approval.
    3. For each identified stakeholder, create a custom communication plan based on their role. For example, if the director of infrastructure is not a supporter, demonstrate how this project will enable them to better understand how to improve service quality. Provide periodic reporting or meetings to update the director on project progress.

    INPUT

    • A collaborative discussion between team members

    OUTPUT

    • Thorough briefing for project launch
    • A committed team

    Materials

    • Communication message and plan
    • Metric tracking

    Participants

    • Project leader
    • Core project team

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.
    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    1.1

    A screenshot of activity 1.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    1.2

    A screenshot of activity 1.2 is shown.

    Assemble the project team

    Create a project team with representatives from all major IT teams. Engage and communicate to the project team early and proactively.

    1.3

    A screenshot of activity 1.3 is shown.

    Identify project stakeholders and create a communication plan

    Info-Tech will help you identify key stakeholders who have a vested interest in the success of the project. Determine the communication message that will best gain their support.

    1.4

    A screenshot of activity 1.4 is shown.

    Use metrics to track the success of the project

    The onsite analyst will help the project team determine the appropriate metrics to measure the success of this project.

    PHASE 2

    Assess Your Current Service Management State

    Assess your current state

    This step will walk you through the following activities:

    • Use Info-Tech’s Service Management Maturity Assessment Tool to determine your overall practice maturity level.
    • Understand your level of completeness for each individual practice.
    • Understand the three major phases involved in the service management journey; know the symptoms of each phase and how they affect your target state selection.

    Step Insights

    • To determine the real maturity of your service management practices, you should focus on the results and output of the practice, rather than the activities performed for each process.
    • Focus on phase-level maturity as opposed to the level of completeness for each individual process.

    Phase 2 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 2: Determine Your Service Management Current State

    Step 2.1 – Assess Impacting Forces

    Start with an analyst kick-off call:

    • Discuss the impacting forces that can affect the success of your service management program
    • Identify internal and external constraints and enablers
    • Review and interpret how to leverage or mitigate these elements

    Then complete these activities…

    • Present the findings of the organizational context
    • Facilitate a discussion and create consensus amongst the project team members on where the organization should start

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.2 – Build Vision, Mission, and Values

    Review findings with analyst:

    • Review your service management vision and mission statement and discuss the values

    Then complete these activities…

    • Socialize the vision, mission, and values to ensure they are aligned with overall organizational vision. Then, set the expectations for behavior aligned with the vision, mission, and values

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.3 – Assess Attitudes, Behaviors, and Culture

    Review findings with analyst:

    • Discuss tactics for addressing negative attitudes, behaviors, or culture identified

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.4 – Assess Governance Needs

    Review findings with analyst:

    • Understand the typical types of governance structure and the differences between management and governance
    • Choose the management structure required for your organization

    Then complete these activities…

    • Determine actions required to establish an effective governance structure and add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.5 – Perform SWOT Analysis

    Review findings with analyst:

    • Discuss SWOT analysis results and tactics for addressing within the roadmap

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.6 – Identify Desired State

    Review findings with analyst:

    • Discuss desired state and commitment needed to achieve aspects of the desired state

    Then complete these activities…

    • Use the desired state to critically assess the current state of your service management practices and whether they are achieving the desired outcomes
    • Prep for the SM maturity assessment

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 2.7 – Perform SM Maturity Assessment

    Review findings with analyst:

    • Review and interpret the output from your service management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Service Management Maturity Assessment

    Step 2.8 – Review OCM Capabilities

    Review findings with analyst:

    • Review and interpret the output from your organizational change management maturity assessment

    Then complete these activities…

    • Add items to be addressed to roadmap

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Organizational Change Management Assessment

    Understand and assess impacting forces – constraints and enablers

    Constraints and enablers are organizational and behavioral triggers that directly impact your ability and approach to establishing Service Management practices.

    A model is shown to demonstrate the possibe constraints and enablers on your service management program. It incorporates available resources, the environment, management practices, and available technologies.

    Effective service management requires a mix of different approaches and practices that best fit your organization. There’s not a one-size-fits-all solution. Consider the resources, environment, emerging technologies, and management practices facing your organization. What items can you leverage or use to mitigate to move your service management program forward?

    Use Info-Tech’s “Organizational Context” template to list the constraints and enablers affecting your service management

    The Service Management Roadmap Presentation Template will help you understand the business environment you need to consider as you build out your roadmap.

    Discuss and document constraints and enablers related to the business environment, available resources, management practices, and emerging technologies. Any constraints will need to be addressed within your roadmap and enablers should be leveraged to maximize your results.


    Screenshot of Info-Tech's Service Management Roadmap Presentation Template is shown.

    Document constraints and enablers

    1. Discuss and document the constrains and enablers for each aspect of the management mesh: environment, resources, management practices, or technology.
    2. Use this as a thought provoker in later exercises.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Organizational context constraints and enablers

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Build compelling vision and mission statements to set the direction of your service management program

    While you are articulating the vision and mission, think about the values you want the team to display. Being explicit can be a powerful tool to create alignment.

    A vision statement describes the intended state of your service management organization, expressed in the present tense.

    A mission statement describes why your service management organization exists.

    Your organizational values state how you will deliver services.

    Use Info-Tech’s “Vision, Mission, and Values” template to set the aspiration & purpose of your service management practice

    The Service Management Roadmap Presentation Template will help you document your vision for service management, the purpose of the program, and the values you want to see demonstrated.

    If the team cannot gain agreement on their reason for being, it will be difficult to make traction on the roadmap items. A concise and compelling statement can set the direction for desired behavior and help team members align with the vision when trying to make ground-level decisions. It can also be used to hold each other accountable when undesirable behavior emerges. It should be revised from time to time, when the environment changes, but a well-written statement should stand the test of time.

    A screenshot of the Service Management Roadmap Presentation Temaplate is shown. Specifically it is showing the section on the vision, mission, and values results.

    Document your organization’s vision, mission , and values

    1. Vision: Identify your desired target state, consider the details of that target state, and create a vision statement.
    2. Mission: Consider the fundamental purpose of your SM program and craft a statement of purpose.
    3. Values: As you work through the vision and mission, identify values that your organization prides itself in or has the aspiration for.
    4. Discuss common themes and then develop a concise vision statement and mission statement that incorporates the group’s ideas.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Vision statement
    • Mission statement
    • Organizational values

    Materials

    • Whiteboards or flip charts
    • Sample vision and mission statements

    Participants

    • All stakeholders
    • Senior leadership

    Understanding attitude, behavior, and culture

    Attitude

    • What people think and feel. It can be seen in their demeanor and how they react to change initiatives, colleagues, and users.

    Any form of organizational change involves adjusting people’s attitudes, creating buy-in and commitment. You need to identify and address attitudes that can lead to negative behaviors and actions or that are counter-productive. It must be made visible and related to your desired behavior.

    Behaviour

    • What people do. This is influenced by attitude and the culture of the organization.

    To implement change within IT, especially at a tactical level, both IT and organizational behavior needs to change. This is relevant because people don’t like to change and will resist in an active or passive way unless you can sell the need, value, and benefit of changing their behavior.

    Culture

    • The accepted and understood ways of working in an organization. The values and standards that people find normal and what would be tacitly identified to new resources.

    The organizational or corporate “attitude,” the impact on employee behavior and attitude is often not fully understood. Culture is an invisible element, which makes it difficult to identify, but it has a strong impact and must be addressed to successfully embed any organizational change or strategy.

    Culture is a critical and under-addressed success factor

    43% of CIOs cited resistance to change as the top impediment to a successful digital strategy.

    CIO.com

    75% of organizations cannot identify or articulate their culture or its impact.

    Info-Tech

    “Shortcomings in organizational culture are one of the main barriers to company success in the digital age.”

    McKinsey – “Culture for a digital age”

    Examples of how they apply

    Attitude

    • “I’ll believe that when I see it”
    • Positive outlook on new ideas and changes

    Behaviour

    • Saying you’ll follow a new process but not doing so
    • Choosing not to document a resolution approach or updating a knowledge article, despite being asked

    Culture

    • Hero culture (knowledge is power)
    • Blame culture (finger pointing)
    • Collaborative culture (people rally and work together)

    Why have we failed to address attitude, behavior, and culture?

      ✓ While there is attention and better understanding of these areas, very little effort is made to actually solve these challenges.

      ✓ The impact is not well understood.

      ✓ The lack of tangible and visible factors makes it difficult to identify.

      ✓ There is a lack of proper guidance, leadership skills, and governance to address these in the right places.

      ✓ Addressing these issues has to be done proactively, with intent, rigor, and discipline, in order to be successful.

      ✓ We ignore it (head in the sand and hoping it will fix itself).

    Avoidance has been a common strategy for addressing behavior and culture in organizations.

    Use Info-Tech’s “Culture and Environment” template to identify cultural constraints that should be addressed in roadmap

    The Service Management Roadmap Presentation Template will help you document attitude, behavior, and culture constraints.

    Discuss as a team attitudes, behaviors, and cultural aspects that can either hinder or be leveraged to support your vision for the service management program. Capture all items that need to be addressed in the roadmap.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically showing the culture and environment slide.

    Document your organization’s attitudes, behaviors, and culture

    1. Discuss and document positive and negative aspects of attitude, behavior, or culture within your organization.
    2. Identify the items that need to be addressed as part of your roadmap.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Culture and environment worksheet

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    The relationship to governance

    Attitude, behavior, and culture are still underestimated as core success factors in governance and management.

    Behavior is a key enabler of good governance. Leading by example and modeling behavior has a cascading impact on shifting culture, reinforcing the importance of change through adherence.

    Executive leadership and governing bodies must lead and support cultural change.

    Key Points

    • Less than 25% of organizations have formal IT governance in place (ITSM Tools).
    • Governance tends to focus on risk and compliance (controls), but forgets the impact of value and performance.

    Lack of oversight often limits the value of service management implementations

    Organizations often fail to move beyond risk mitigation, losing focus of the goals of their service management practices and the capabilities required to produce value.

    Risk Mitigation

    • Stabilize IT
    • Service Desk
    • Incident Management
    • Change Management

    Gap

    • Organizational alignment through governance
    • Disciplined focus on goals of SM

    Value Production

    • Value that meets business and consumer needs

    This creates a situation where service management activities and roadmaps focus on adjusting and tweaking process areas that no longer support how the organization needs to work.

    How does establishing governance for service management provide value?

    Governance of service management is a gap in most organizations, which leads to much of the failure and lack of value from service management processes and activities.

    Once in place, effective governance enables success for organizations by:

    1. Ensuring service management processes improve business value
    2. Measuring and confirming the value of the service management investment
    3. Driving a focus on outcome and impact instead of simply process adherence
    4. Looking at the integrated impact of service management in order to ensure focused prioritization of work
    5. Driving customer-experience focus within organizations
    6. Ensuring quality is achieved and addressing quality impacts and dependencies between processes

    Four common service management process ownership models

    Your ownership structure largely defines how processes will need to be implemented, maintained, and improved. It has a strong impact on their ability to integrate and how other teams perceive their involvement.

    An organizational structure is shown. In the image is an arrow, with the tip facing in the right direction. The left side of the arrow is labelled: Traditional, and the right side is labelled: Complex. The four models are noted along the arrow. Starting on the left side and going to the right are: Distributed Process Ownership, Centralized Process Ownership, Federated Process Ownership, and Service Management Office.

    Most organizations are somewhere within this spectrum of four core ownership models, usually having some combination of shared traits between the two models that are closest to them on the scale.

    Info-Tech Insight

    The organizational structure that is best for you depends on your needs, and one is not necessarily better than another. The next four slides describe when each ownership level is most appropriate.

    Distributed process ownership

    Distributed process ownership is usually evident when organizations initially establish their service management practices. The processes are assigned to a specific group, who assumes some level of ownership over its execution.

    The distributed process ownership model is shown. CIO is listed at the top with four branches leading out from below it. The four branches are labelled: Service Desk, Operations, Applications, and Security.

    Info-Tech Insight

    This model is often a suitable approach for initial implementations or where it may be difficult to move out of siloes within the organization’s structure or culture.

    Centralized process ownership

    Centralized process ownership usually becomes necessary for organizations as they move into a more functional structure. It starts to drive management of processes horizontally across the organization while still retaining functional management control.

    A centralized process ownership model is shown. The CIO is at the top and the following are branches below it: Service Manager, Support, Middleware, Development, and Infrastructure.

    Info-Tech Insight

    This model is often suitable for maturing organizations that are starting to look at process integration and shared service outcomes and accountability.

    Federated process ownership

    Federated process ownership allows for global control and regional variation, and it supports product orientation and Agile/DevOps principles

    A federated process ownership model is shown. The Sponsor/CIO is at the top, with the ITSM Executive below it. Below that level is the: Process Owner, Process Manager, and Process Manager.

    Info-Tech Insight

    Federated process ownership is usually evident in organizations that have an international or multi-regional presence.

    Service management office (SMO)

    SMO structures tend to occur in highly mature organizations, where service management responsibility is seen as an enterprise accountability.

    A service management office model is shown. The CIO is at the top with the following branches below it: SMO, End-User Services, Infra., Apps., and Architecture.

    Info-Tech Insight

    SMOs are suitable for organizations with a defined IT and organizational strategy. A SMO supports integration with other enterprise practices like enterprise architecture and the PMO.

    Determine which process ownership and governance model works best for your organization

    The Service Management Roadmap Presentation Template will help you document process ownership and governance model

    Example:

    Key Goals:

      ☐ Own accountability for changes to core processes

      ☐ Understand systemic nature and dependencies related to processes and services

      ☐ Approve and prioritize improvement and CSI initiatives related to processes and services

      ☐ Evaluate success of initiative outcomes based on defined benefits and expectations

      ☐ Own Service Management and Governance processes and policies

      ☐ Report into ITSM executive or equivalent body

    Membership:

      ☐ Process Owners, SM Owner, Tool Owner/Liaison, Audit

    Discuss as a team which process ownership model works for your organization. Determine who will govern the service management practice. Determine items that should be identified in your roadmap to address governance and process ownership gaps.

    Use Info-Tech’s “SWOT” template to identify strengths, weaknesses, opportunities & threats that should be addressed

    The Service Management Roadmap Presentation Template will help you document items from your SWOT analysis.

    A screenshot of the Service Management Roadmap Presentation Template is shown. Specifically the SWOT section is shown.

    Brainstorm the strengths, weaknesses, opportunities, and threats related to resources, environment, technology, and management practices. Add items that need to be addressed to your roadmap.

    Perform a SWOT analysis

    1. Brainstorm each aspect of the SWOT with an emphasis on:
    • Resources
    • Environment
    • Technologies
    • Management Practices
  • Record your ideas on a flip chart or whiteboard.
  • Add items to be addressed to the roadmap.
  • INPUT

    • A collaborative discussion

    OUTPUT

    • SWOT analysis
    • Priority items identified

    Materials

    • Whiteboards or flip charts

    Participants

    • All stakeholders

    Indicate desired maturity level for your service management program to be successful

    Discuss the various maturity levels and choose a desired level that would meet business needs.

    The desired maturity model is depicted.

    INPUT

    • A collaborative discussion

    OUTPUT

    • Desired state of service management maturity

    Materials

    • None

    Participants

    • All stakeholders

    Use Info-Tech’s Service Management Process Maturity Assessment Tool to understand your current state

    The Service Management Process Maturity Assessment Tool will help you understand the true state of your service management.

    A screenshot of Info-Tech's Service Management Process Assessment Tool is shown.

    Part 1, Part 2, and Part 3 tabs

    These three worksheets contain questions that will determine the overall maturity of your service management processes. There are multiple sections of questions focused on different processes. It is very important that you start from Part 1 and continue the questions sequentially.

    Results tab

    The Results tab will display the current state of your service management processes as well as the percentage of completion for each individual process.

    Complete the service management process maturity assessment

    The current-state assessment will be the foundation of building your roadmap, so pay close attention to the questions and answer them truthfully.

    1. Start with tab 1 in the Service Management Process Maturity Assessment Tool. Remember to read the questions carefully and always use the feedback obtained through the end-user survey to help you determine the answer.
    2. In the “Degree of Process Completeness” column, use the drop-down menu to input the results solicited from the goals and objectives meeting you held with your project participants.
    3. A screenshot of Info-Tech's Service Management Process Assessment Tool is shown. Tab 1 is shown.
    4. Host a meeting with all participants following completion of the survey and have them bring their results. Discuss in a round-table setting, keeping a master sheet of agreed upon results.

    INPUT

    • Service Management Process Maturity Assessment Tool questions

    OUTPUT

    • Determination of current state

    Materials

    • Service Management Process Maturity Assessment Tool

    Participants

    • Project team members

    Review the results of your current-state assessment

    At the end of the assessment, the Results tab will have action items you could perform to close the gaps identified by the process assessment tool.

    A screenshot of Info-Tech's Service Management Process Maturity Assessment Results is shown.

    INPUT

    • Maturity assessment results

    OUTPUT

    • Determination of overall and individual practice maturity

    Materials

    • Service Management Maturity Assessment Tool

    Participants

    • Project team members

    Use Info-Tech’s OCM Capability Assessment tool to understand your current state

    The Organizational Change Management Capabilities Assessment tool will help you understand the true state of your organizational change management capabilities.

    A screenshot of Info-Tech's Organizational Change Management Capabilities Assessment

    Complete the Capabilities tab to capture the current state for organizational change management. Review the Results tab for interpretation of the capabilities. Review the Recommendations tab for actions to address low areas of maturity.

    Complete the OCM capability assessment

    1. Open Organizational Change Management Capabilities Assessment tool.
    2. Come to consensus on the most appropriate answer for each question. Use the 80/20 rule.
    3. Review result charts and discuss findings.
    4. Identify roadmap items based on maturity assessment.

    INPUT

    • A collaborative discussion

    OUTPUT

    • OCM Assessment tool
    • OCM assessment results

    Materials

    • OCM Capabilities Assessment tool

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    2.1

    A screenshot of activity 2.1 is shown.

    Create a powerful, succinct mission statement

    Using Info-Tech’s sample mission statement as a guide, build your mission statement based on the objectives of this project and the benefits that this project will achieve. Keep the mission statement short and clear.

    2.2

    A screenshot of activity 2.2 is shown.

    Complete the assessment

    With the project team in the room, go through all three parts of the assessment with consideration of the feedback received from the business.

    2.3

    A screenshot of activity 2.3 is shown.

    Interpret the results of the assessment

    The Info-Tech onsite analyst will facilitate a discussion on the overall maturity of your service management practices and individual process maturity. Are there any surprises? Are the results reflective of current service delivery maturity?

    PHASE 3

    Build Your Service Management Roadmap

    Build Roadmap

    This step will walk you through the following activities:

    • Document your vision and mission on the roadmap one-pager.
    • Using the inputs from the current-state assessments, identify the key themes required by your organization.
    • Identify individual initiatives needed to address key themes.

    Step Insights

    • Using the Info-Tech thought model, address foundational gaps early in your roadmap and establish the management methods to continuously make them more robust.
    • If any of the core practices are not meeting the vision for your service management program, be sure to address these items before moving on to more advanced service management practices or processes.
    • Make sure the story you are telling with your roadmap is aligned to the overall organizational goals.

    Phase 3 outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 3: Determine Your Service Management Target State

    Step 3.1 – Document the Overall Themes

    Start with an analyst kick-off call:

    • Review the outputs from your current-state assessments to identify themes for areas that need to be included in your roadmap

    Then complete these activities…

    • Ensure foundational elements are solid by adding any gaps to the roadmap
    • Identify any changes needed to management practices to ensure continuous improvement

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 3.2 – Determine Individual Initiatives

    Review findings with analyst:

    • Determine the individual initiatives needed to close the gaps between the current state and the vision

    Then complete these activities…

    • Finalize and document roadmap for executive socialization

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Focus on a strong foundation to build higher value service management practices

    Info-Tech Insight

    Focus on behaviors and expected outcomes before processes.

    Foundational elements

    • Operating model facilitates service management goals
    • Culture of service delivery
    • Governance discipline to evaluate, direct, and monitor
    • Management discipline to deliver

    Stabilize

    • Deliver stable, reliable IT services to the business
    • Respond to user requests quickly and efficiently
    • Resolve user issues in a timely manner
    • Deploy changes smoothly and successfully

    Proactive

    • Avoid/prevent service disruptions
    • Improve quality of service (performance, availability, reliability)

    Service Provider

    • Understand business needs
    • Ensure services are available
    • Measure service performance, based on business-oriented metrics

    Strategic Partner

    • Fully aligned with business
    • Drive innovation
    • Drive measurable value

    Info-Tech Insight

    Continued leadership support of the foundational elements will allow delivery teams to provide value to the business. Set the expectation of the desired maturity level and allow teams to innovate.

    Identify themes that can help you build a strong foundation before moving to higher level practices

    A model is depicted that shows the various target states. There are 6 levels showing in the example, and the example is made to look like a tree with a character watering it. In the roots, the level is labelled foundational. The trunk is labelled the core. The lowest hanging branches of the tree is the stabilize section. Above it is the proactive section. Nearing the top of the tree is the service provider. The top most branches of the tree is labelled strategic partner.

    Before moving to advanced service management practices, you must ensure that the foundational and core elements are robust enough to support them. Leadership must nurture these practices to ensure they are sustainable and can support higher value, more mature practices.

    Use Info-Tech’s “Service Management Roadmap” template to document your vision, themes and initiatives

    The Service Management Roadmap Presentation Template contains a roadmap template to help communicate your vision, themes to be addressed, and initiatives

    A screenshot of Info-Tech's Service Management Roadmap template is shown.

    Working from the lower maturity items to the higher value practices, identify logical groupings of initiatives into themes. This will aid in communicating the reasons for the needed changes. List the individual initiatives below the themes. Adding the service management vision and mission statements can help readers understand the roadmap.

    Document your service management roadmap

    1. Document the service management vision and mission on the roadmap template.
    2. Identify, from the assessments, areas that need to be improved or implemented.
    3. Group the individual initiatives into logical themes that can ease communication of what needs to happen.
    4. Document the individual initiatives.
    5. Document in terms that business partners and executive sponsors can understand.

    INPUT

    • Current-state assessment outputs
    • Maturity model

    OUTPUT

    • Service management roadmap

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    3.1

    A screenshot of activity 3.1 is shown.

    Identify themes to address items from the foundational level up to higher value service management practices

    Identify easily understood themes that will help others understand the expected outcomes within your organization.

    A screenshot of activity 3.2 is shown.

    Document individual initiatives that contribute to the themes

    Identify specific activities that will close gaps identified in the assessments.

    PHASE 2

    Build Communication Slide

    Complete your service management roadmap

    This step will walk you through the following activities:

    • Use the current-state assessment exercises to document the state of your service management practices. Document examples of the behaviors that are currently seen.
    • Document the expected short-term gains. Describe how you want the behaviors to change.
    • Document the long-term vision for each item and describe the benefits you expect to see from addressing each theme.

    Step Insights

    • Use the communication template to acknowledge the areas that need to be improved and paint the short- and long-term vision for the improvements to be made through executing the roadmap.
    • Write it in business terms so that it can be used widely to gain acceptance of the upcoming changes that need to occur.
    • Include specific areas that need to be fixed to make it more tangible.
    • Adding the values from the vision, mission, and values exercise can also help you set expectations about how the team will behave as they move towards the longer-term vision.

    Phase 4 Outline

    Call 1-888-670-8889 or email GuidedImplementations@InfoTech.com for more information.

    Complete these steps on your own, or call us to complete a guided implementation. A guided implementation is a series of 2-3 advisory calls that help you execute each phase of a project. They are included in most advisory memberships.

    Guided Implementation 4: Build the Service Management Roadmap

    Step 4.1: Document the Current State

    Start with an analyst kick-off call:

    • Review the pain points identified from the current state analysis
    • Discuss tactics to address specific pain points

    Then complete these activities…

    • Socialize the pain points within the service delivery teams to ensure nothing is being misrepresented
    • Gather ideas for the future state

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Step 4.2: List the Future Vision

    Review findings with analyst:

    • Review short- and long-term vision for improvements for the pain points identified in the current state analysis

    Then complete these activities…

    • Prepare to socialize the roadmap
    • Ensure long-term vision is aligned with organizational objectives

    With these tools & templates:

    Service Management Roadmap Presentation Template

    Use Info-Tech’s “Service Management Roadmap – Brought to Life” template to paint a picture of the future state

    The Service Management Roadmap Presentation Template contains a communication template to help communicate your vision of the future state

    A screenshot of Info-Tech's Service Management Roadmap - Brought to Life template

    Use this template to demonstrate how existing pain points to delivering services will improve over time by painting a near- and long-term picture of how things will change. Also list specific initiatives that will be launched to affect the changes. Listing the values identified in the vision, mission, and values exercise will also demonstrate the team’s commitment to changing behavior to create better outcomes.

    Document your current state and list initiatives to address them

    1. Use the previous assessments and feedback from business or customers to identify current behaviors that need addressing.
    2. Focus on high-impact items for this document, not an extensive list.
    3. An example of step 1 and 2 are shown.
    4. List the initiatives or actions that will be used to address the specific pain points.

    An example of areas for improvement.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    Document your future state

    An example of document your furture state is shown.

    1. For each pain point document the expected behaviors, both short term and longer term.
    2. Write in terms that allow readers to understand what to expect from your service management practice.

    INPUT

    • Current-state assessment outputs
    • Feedback from business

    OUTPUT

    • Service Management Roadmap Communication Tool, in the Service Management Roadmap Presentation Template

    Materials

    • Whiteboard
    • Roadmap template

    Participants

    • All stakeholders

    If you want additional support, have our analysts guide you through this phase as part of an Info-Tech workshop

    Book a workshop with our Info-Tech analysts:

    Photo of an Info-Tech analyst is shown.

    • To accelerate this project, engage your IT team in an Info-Tech workshop with an Info-Tech analyst team.
    • Info-Tech analysts will join you and your team onsite at your location or welcome you to Info-Tech’s historic Toronto office to participate in an innovative onsite workshop.
    • Contact your account manager (www.infotech.com/account), or email Workshops@InfoTech.com for more information.

    The following are sample activities that will be conducted by Info-Tech analysts with your team:

    4.1

    A screenshot of activity 4.1 is shown.

    Identify the pain points and initiatives to address them

    Identify items that the business can relate to and initiatives or actions to address them.

    4.2

    A screenshot of activity 4.2 is shown.

    Identify short- and long-term expectations for service management

    Communicate the benefits of executing the roadmap both short- and long-term gains.

    Research contributors and experts

    Photo of Valence Howden

    Valence Howden, Principal Research Director, CIO Practice

    Info-Tech Research Group

    Valence helps organizations be successful through optimizing how they govern, design, and execute strategies, and how they drive service excellence in all work. With 30 years of IT experience in the public and private sectors, he has developed experience in many information management and technology domains, with focus in service management, enterprise and IT governance, development and execution of strategy, risk management, metrics design and process design, and implementation and improvement.

    Photo of Graham Price

    Graham Price, Research Director, CIO Practice

    Info-Tech Research Group

    Graham has an extensive background in IT service management across various industries with over 25 years of experience. He was a principal consultant for 17 years, partnering with Fortune 500 clients throughout North America, leveraging and integrating industry best practices in IT service management, service catalog, business relationship management, IT strategy, governance, and Lean IT and Agile.

    Photo of Sharon Foltz

    Sharon Foltz, Senior Workshop Director

    Info-Tech Research Group

    Sharon is a Senior Workshop Director at Info-Tech Research Group. She focuses on bringing high value to members via leveraging Info-Tech’s blueprints and other resources enhanced with her breadth and depth of skills and expertise. Sharon has spent over 15 years in various IT roles in leading companies within the United States. She has strong experience in organizational change management, program and project management, service management, product management, team leadership, strategic planning, and CRM across various global organizations.

    Related Info-Tech Research

    Build a Roadmap for Service Management Agility

    Extend the Service Desk to the Enterprise

    Bibliography

    • “CIOs Emerge as Disruptive Innovators.” CSC Global CIO Survey: 2014-2015. Web.
    • “Digital Transformation: How Is Your Organization Adapting?” CIO.com, 2018. Web.
    • Goran, Julie, Laura LaBerge, and Ramesh Srinivasan. “Culture for a digital age.” McKinsey, July 2017. Web.
    • The Qualities of Leadership: Leading Change. Cornelius & Associates, 14 April 2012.
    • Wilkinson, Paul. “Culture, Ethics, and Behavior – Why Are We Still Struggling?” ITSM Tools, 5 July 2018. Web.